Cyber Operations & Incident Response Manager - #2089888

Global SME financial seeks a Cyber Operations and Incident Response Manager to lead and line-manage London-based cyber security team (x3/x4), assure the local delivery of globally-prioritised work, and act as Incident Commander and first point of escalation for cyber security in London. The role additionally leads the Endpoint, Platform and Incident Response capability, owning the global prioritisation of that backlog against enterprise cyber risk.

Previous Experience Required:

1. Led or coordinated cyber security incident response as an Incident Commander or equivalent, working with MDR providers and cross-functional stakeholders (IT, Legal, Compliance).
2. A strong, hands-on technical background in operational cyber security spanning endpoint & EDR, identity & Active Directory, Microsoft 365 & Azure, network/ZTNA, and SIEM/log management — able to act as a senior technical authority within the team.
3. Demonstrable experience leading cyber security incident response (incident command), from detection through containment and remediation.
4. Working knowledge of MITRE ATT&CK and at least one recognised control framework (ISO 27001, CIS or NIST).
5. Risk-based prioritisation of remediation using threat intelligence.
6. Operated endpoint security and endpoint detection and response (EDR) tooling (e.g. CrowdStrike or equivalent) in a production environment.
7. Prioritised and managed a risk-based security backlog, applying frameworks such as MITRE ATT&CK and threat-based prioritisation.
8. Assured the delivery of security initiatives across distributed teams or sites, tracking vulnerability remediation and patching through to completion.
9. Act as Incident Commander for security incidents during London hours, coordinating first responders, IT, Legal, Compliance, specialist providers and EDF Group as required.
10. Serve as the first point of escalation for IT and the business in London on cyber security matters.
11. Work with the 24/7 Managed Detection and Response (MDR) provider to triage and escalate detections.
12. Coordinate local participation in incident response exercises and maintain readiness.
13. Track and chase vulnerability remediation and patching on London-managed systems, escalating blockers.
14. Own the global prioritisation of the Endpoint, Platform and Incident Response backlog, ordered against the enterprise cyber risk register and exploitation-based intelligence (e.g. MITRE ATT&CK).
15. Curate the backlog from inputs across Houston and London, including the endpoint detection and response (CrowdStrike) execution lead.
16. Maintain alignment of this domain to the enterprise risks for endpoint compromise, detection and containment, and cyber resilience.
17. Operate within the Global Head’s monthly prioritisation cadence; prioritisation across other domains remains with the Global Head.
18. Provide the local stakeholder interface for cyber security in London.
19. Planned and delivered complex, cross-functional security or technology initiatives end-to-end, coordinating multiple workstreams, stakeholders and dependencies to time and quality.

This is a hybrid role working 2 days a week in the London office and 3 days remotely.