
Security Operations Managers x2

Morson Talent
London
4 days ago

Security Operations Managers
Remote with occasional travel to Crawley
£850 per day - Outside IR35
6-9 month duration
Summary
A UK Critical National Infrastructure (CNI) energy operator is appointing two contract Security Operations Managers who will work in lock-step: a Run Lead to steer and mature the live CSIRT Response Function, and a Build Lead to create new, minimum-viable capabilities and hand them into service. Both posts sit under the Cyber Security Response Manager and are driven by the NCSC Cyber Assessment Framework (CAF) and NIST SP 800-61 r3 guidance for incident response. The culture is "good-enough-today, better-tomorrow": short, bullet-point artefacts, daily measurable progress, and rapid decision-making.
________________________________________
Background & Purpose
Digital transformation and heightened threat activity place the UK energy sector under sustained pressure to detect and respond quickly. While the existing SOC provides baseline monitoring, it needs stronger governance, clearly defined processes, and fresh capabilities delivered at pace. Close partnership with the Managed Security Services Provider (MSSP) is essential to uplift the service and assure resilience.
________________________________________
Shared Responsibilities

  • Operate to recognised frameworks - align policies, processes and runbooks to the NCSC CAF objectives for CNI resilience and the incident-handling lifecycle in NIST SP 800-61 r3, keeping documentation concise and auditable.
  • Embed pragmatic process - create bullet-point playbooks, runbooks and knowledge-base pages that teams can follow under pressure.
  • Build out a predefined KPI set - track a lean group of SOC metrics (e.g., false-positive rate, improvement tickets closed, SLA breaches) and review them daily with analysts and weekly with the Cyber Security Response Manager.
  • Lead people & partners - recruit and mentor seven senior analysts, motivate existing staff, and hold the MSSP to clear responsibilities.
  • Promote continuous learning - capture lessons learned after every incident and incorporate them into updated runbooks and training sessions.
________________________________________
Run Lead - Key Outcomes
  • Day-to-day command of CSIRT / Response operations - own the shift rota, alert triage, escalation and service-improvement backlog.
  • Governance starter-pack - stand up daily stand-ups, a Kanban board and a lightweight RACI so everyone knows who does what.
  • Targeted blue-team exercises - schedule and run periodic blue-team (or red-vs-blue) simulations to prove that services and processes work as intended; record findings and fold improvements into revised runbooks.
  • Service-readiness assurance - rehearse incident scenarios, validate hand-offs with the MSSP, and confirm evidence is logged for audit.
  • Analyst development & morale - onboard seven senior analysts, set daily objectives, and champion a supportive, high-energy culture.
________________________________________
Build Lead - Key Outcomes
  • Backlog of minimum-viable capabilities - identify, prioritise and deliver quick-win defined capabilities (processes, procedures, runbooks and supporting metrics) that can be demonstrated within days and transitioned to Run.
  • Structured hand-off - for every new capability, supply concise documentation, decision logs and acceptance criteria so Run can adopt it immediately.
  • Process integration - embed new workflows into existing tooling and MSSP playbooks without disrupting live operations.
  • Evidence of value - report weekly on capabilities delivered, KPIs affected and lessons learned, using the predefined KPI set.
________________________________________
Candidate Profile
  • Proven rapid delivery - has led at least five SOC builds or rapid rebuilds from zero to operational within six-to-twelve months, ideally in regulated or high-availability sectors.
  • Framework fluent - comfortable applying NCSC CAF principles and NIST SP 800-61 r3 incident-handling guidance pragmatically, avoiding bureaucracy.
  • Hands-on leadership - coaches senior analysts, removes blockers in real time, and can work directly in SIEM, SOAR, EDR and cloud telemetry tools.
  • Action-oriented communicator - prefers calls and stand-ups over long email threads; decisive yet collaborative.
  • Continuous-improvement mindset - captures every lesson and turns it into updated runbooks, training or process tweaks.
