Head of Cyber Security

Job Title: Head of Cyber Defense & Incident Response

Location: Stratford, London

Working Pattern: Hybrid - 2 days in office per week

Employment Type: Permanent

Salary: £100k per annum

Role Overview:

• The Head of Cyber Defense and Incident Response owns the organization’s cyber defense capability across a hybrid environment (mix of on‑prem and cloud platforms), ensuring effective monitoring, detection, response and recovery.
• The role is accountable for managing the Managed Security Service Provider (MSSP), setting clear outcomes and SLAs, overseeing service quality, and ensuring incident handling meets required standards.
• A key focus is optimizing security tooling (e.g., SIEM, SOAR, EDR/XDR, NDR, email security, vulnerability scanning) and driving strong vulnerability and threat management, using threat intelligence to prioritize defensive improvements.
• Reports directly to the CISO and leads cyber defense operations (including the MSSP) and cybersecurity incident response across the organization. This fits within the context of the broader organizational Crisis Management plan owned outside Technology.

Education & Experience

• Bachelor’s degree (or equivalent) in Cyber Security, Computer Science, Digital Forensics, or a related field or demonstrable equivalent experience.
• Significant experience (typically 8-10+ years) in cyber defense, SOC and incident response, including leading investigations, coordinating response across teams, and operating security monitoring/detection capabilities in hybrid (on‑prem and cloud) environments.

Key Responsibilities

• Own the incident response lifecycle (prepare, detect, analyze, contain, eradicate, recover), ensuring playbooks, tooling, and decision-making processes are in place and exercised.
• Lead and coordinate response to security incidents, acting as incident commander where required, including stakeholder communications, forensic triage, and recovery coordination.
• Manage the MSSP relationship end‑to‑end: service definition, SLAs/KPIs, escalation paths, continuous improvement plans, quality assurance, and commercial governance.
• Optimize security monitoring and response tooling working across technology teams (e.g., SIEM, SOAR, EDR/XDR, NDR, email security) including use‑case coverage, alert quality, automation, logging strategy, and operational runbooks.
• Own the vulnerability management programme (on‑prem and cloud), including scanning coverage, prioritization, remediation SLAs, exception handling, verification, and executive reporting.
• Drive threat management by operationalizing threat intelligence (internal and external) into defensive priorities: detection use cases, hardening actions, control uplift and proactive hunting themes.
• Lead continuous improvement of the defense stack: rationalize tools, tune detections, improve signal quality, reduce noise, and expand automation to accelerate triage and response.
• Establish and run a threat hunting programme using hypothesis‑driven approaches, telemetry coverage mapping, and lessons learned from incidents and red-team activity.
• Run regular tabletop exercises and simulations (including ransomware and cloud compromise scenarios), ensuring roles, escalation paths, and technical procedures are validated and improved.
• Coordinate closely with IT, engineering, infrastructure, and business teams during incidents and high‑severity investigations, ensuring timely containment and recovery with minimal business impact.
• Own incident response governance: severity model, on‑call and escalation processes, evidence handling, case management, and alignment to legal/regulatory obligations.
• Define and report cyber defense metrics (e.g., MTTD/MTTR, alert volumes and precision, incident trends, vuln remediation performance, control coverage), presenting insights and recommendations to senior leadership.
• Lead post-incident reviews and root cause analysis, ensuring lessons learned translate into measurable improvements (detections, hardening, identity controls, backups, segmentation, and training).
• Manage relationships with external partners relevant to cyber defense (e.g., MSSP, threat intel providers, forensic specialists), ensuring services are integrated, measurable and effective.
• Partner with IT, Engineering, and Architecture teams to improve telemetry and control coverage across on‑prem and cloud platforms (logging, identity signals, network visibility), enabling effective detection and response.
• Support business continuity and crisis management processes during cyber events, contributing to executive updates and coordinated communications with Legal/Privacy and other stakeholders.
• Lead and develop the cyber defense function (internal team and MSSP), setting clear priorities, coaching analysts, and ensuring operational resilience and coverage.
• Maintain and improve incident response documentation and readiness (playbooks, runbooks, contact trees), and ensure training is delivered for technical responders and business stakeholders.
• Drive cyber incident awareness and preparedness (tabletops, targeted communications, and role-based training) so teams understand their responsibilities during incidents.
• Communicate cyber risk and active incidents clearly to technical and non‑technical audiences, including concise executive briefings and after‑action summaries.

Required Qualifications

• Strong experience leading cyber defense/SOC and incident response, including major incident coordination, investigation, containment and recovery.
• Hands-on understanding of detection and response tooling and concepts (SIEM, SOAR, EDR/XDR, NDR, email security, log pipelines), including tuning, use-case engineering and operational workflows.
• Proven experience managing an MSSP or outsourced SOC capability, including SLAs/KPIs, service governance, escalations, and continuous improvement.
• Strong experience running vulnerability management and threat management programmes, including prioritization based on exploitability, exposure, and business impact.
• Knowledge of incident response processes, digital forensics fundamentals, evidence handling, and working with legal/privacy and external forensic partners.
• Experience defending hybrid environments (on‑prem and cloud), including identity signals, network telemetry, endpoint visibility, and cloud-native security monitoring.
• Ability to operate under pressure and lead cross-functional teams through high-severity incidents, communicating clearly and making timely risk-based decisions.
• Fluent in English – excellent written and verbal communication skills, including producing clear architecture guidance, standards, and security design documentation.
• Certifications such as GCIH, GCIA, GNFA, CISSP, CISM, or equivalent experience in incident response and security operations.
• Experience with threat hunting, purple teaming, and using MITRE ATT&CK to structure detections, gaps analysis, and defensive improvements.
• Experience with security operations in cloud platforms and common tools (e.g., Microsoft Defender, Sentinel, Splunk, CrowdStrike, Palo Alto, AWS/Azure security services) and integrating telemetry across environments.
• Calm under pressure, able to lead effectively during incidents and make timely decisions with incomplete information.
• Highly collaborative, able to coordinate across IT, engineering, legal/privacy, and business leaders during investigations and recovery.
• Operationally rigorous with strong attention to detail, documentation and evidence quality (case notes, timelines, lessons learned).
• Continuous improvement mindset, drives measurable outcomes through tooling optimization, process refinement, and coaching teams to improve security hygiene.