Head of Cyber Defence & Incident Response

Quadient, Markham, ON
£92,500 - £138,800, Hybrid

About The Position

The Head of Cyber Defence and Incident Response owns the organisation’s cyber defence capability across a hybrid environment (a mix of on‑prem and cloud platforms), ensuring effective monitoring, detection, response and recovery. The role reports directly to the CISO and leads cyber defence operations (including the MSSP) and cybersecurity incident response across the organisation. It operates within the context of the broader organisational Crisis Management plan, which is owned outside Technology. A key focus is optimising security tooling (e.g., SIEM, SOAR, EDR/XDR, NDR, email security, vulnerability scanning) and driving strong vulnerability and threat management, using threat intelligence to prioritise defensive improvements.

Requirements

  • Strong experience leading cyber defence/SOC and incident response, including major incident coordination, investigation, containment and recovery.
  • Hands-on understanding of detection and response tooling and concepts (SIEM, SOAR, EDR/XDR, NDR, email security, log pipelines), including tuning, use-case engineering and operational workflows.
  • Proven experience managing an MSSP or outsourced SOC capability, including SLAs/KPIs, service governance, escalations, and continuous improvement.
  • Strong experience running vulnerability management and threat management programmes, including prioritisation based on exploitability, exposure, and business impact.
  • Knowledge of incident response processes, digital forensics fundamentals, evidence handling, and working with legal/privacy and external forensic partners.
  • Experience defending hybrid environments (on‑prem and cloud), including identity signals, network telemetry, endpoint visibility, and cloud-native security monitoring.
  • Ability to operate under pressure and lead cross-functional teams through high-severity incidents, communicating clearly and making timely risk-based decisions.
  • Fluent in English – excellent written and verbal communication skills, including producing clear architecture guidance, standards, and security design documentation.

Nice To Haves

  • Certifications such as GCIH, GCIA, GNFA, CISSP, CISM, or equivalent experience in incident response and security operations.
  • Experience with threat hunting, purple teaming, and using MITRE ATT&CK to structure detections, gaps analysis, and defensive improvements.
  • Experience with security operations in cloud platforms and common tools (e.g., Microsoft Defender, Sentinel, Splunk, CrowdStrike, Palo Alto, AWS/Azure security services) and integrating telemetry across environments.
  • Calm under pressure, able to lead effectively during incidents and make timely decisions with incomplete information.
  • Highly collaborative, able to coordinate across IT, engineering, legal/privacy, and business leaders during investigations and recovery.
  • Operationally rigorous with strong attention to detail, documentation and evidence quality (case notes, timelines, lessons learned).
  • Continuous improvement mindset—drives measurable outcomes through tooling optimisation, process refinement, and coaching teams to improve security hygiene.

Responsibilities

  • Own the incident response lifecycle (prepare, detect, analyse, contain, eradicate, recover), ensuring playbooks, tooling, and decision-making processes are in place and exercised.
  • Lead and coordinate response to security incidents, acting as incident commander where required, including stakeholder communications, forensic triage, and recovery coordination.
  • Manage the MSSP relationship end‑to‑end: service definition, SLAs/KPIs, escalation paths, continuous improvement plans, quality assurance, and commercial governance.
  • Optimise security monitoring and response tooling working across technology teams (e.g., SIEM, SOAR, EDR/XDR, NDR, email security) including use‑case coverage, alert quality, automation, logging strategy, and operational runbooks.
  • Own the vulnerability management programme (on‑prem and cloud), including scanning coverage, prioritisation, remediation SLAs, exception handling, verification, and executive reporting.
  • Drive threat management by operationalising threat intelligence (internal and external) into defensive priorities: detection use cases, hardening actions, control uplift and proactive hunting themes.
  • Lead continuous improvement of the defence stack: rationalise tools, tune detections, improve signal quality, reduce noise, and expand automation to accelerate triage and response.
  • Establish and run a threat hunting programme using hypothesis‑driven approaches, telemetry coverage mapping, and lessons learned from incidents and red-team activity.
  • Run regular tabletop exercises and simulations (including ransomware and cloud compromise scenarios), ensuring roles, escalation paths, and technical procedures are validated and improved.
  • Own incident response governance: severity model, on‑call and escalation processes, evidence handling, case management, and alignment to legal/regulatory obligations.
  • Define and report cyber defence metrics (e.g., MTTD/MTTR, alert volumes and precision, incident trends, vuln remediation performance, control coverage), presenting insights and recommendations to senior leadership.
  • Lead post-incident reviews and root cause analysis, ensuring lessons learned translate into measurable improvements (detections, hardening, identity controls, backups, segmentation, and training).
  • Support business continuity and crisis management processes during cyber events, contributing to executive updates and coordinated communications with Legal/Privacy and other stakeholders.
  • Maintain and improve incident response documentation and readiness (playbooks, runbooks, contact trees), and ensure training is delivered for technical responders and business stakeholders.
  • Communicate cyber risk and active incidents clearly to technical and non‑technical audiences, including concise executive briefings and after‑action summaries.

Benefits

  • Flexible Work: Embrace a hybrid work model blending office and remote setup for a balanced lifestyle.
  • Endless Learning: Access global opportunities for growth through our 24/7 online learning platform.
  • Inclusive Community: Join our Empowered Communities and engage in our Philanthropy program.
  • Comprehensive Rewards: Enjoy competitive Total Rewards covering wellness, work/life balance, and more, including a generous referral scheme.
  • Caring for Wellbeing: Access our complimentary employee assistance program for mental health support.
© 2026 Teal Labs, Inc