Univers provides the world's most comprehensive decarbonization system.
The Head of Cyber Security Operations leads the organisation's end-to-end cyber defence capability across enterprise and production environments. The role owns the strategy, operation, and continuous improvement of a 24/7/365 Security Operations Center (SOC), spanning threat detection and response, threat and vulnerability management, digital forensics, security engineering, and the supporting technology stack (SIEM, SOAR, XDR, WAF, SASE, PAM, TIP, and network firewalls).
Reporting to the Senior Director, Cyber Security, the role combines hands-on technical leadership with executive-level governance, risk management, and stakeholder engagement.
Head of Cyber Security Operations
Responsibilities:
Strategic Leadership and Vision:
- Cyber Defence Strategy: Develop and execute an enterprise-wide security strategy and roadmap aligned to business goals and risk appetite, securing executive sponsorship and full-stack security coverage.
- Policy & Standards: Establish, enforce, and regularly review security policies, standards, procedures, and guidelines (including Acceptable Use Policies) to mitigate risk and meet regulatory requirements; conduct quarterly reviews and support ISMS and BCP execution.
- Risk Management: Identify, assess, and register cybersecurity risks; review and approve risk exception requests, balancing security with operational needs; report risk posture, threats, and remediation plans to the CISO and Cybersecurity Risk Manager.
- Security Engineering Governance: Define and enforce governance frameworks ensuring all security designs, implementations, and deployments adhere to best practices, CIS baselines, and organisational standards.
- Budget & Financial Planning: Own the SOC budget, allocating resources effectively and identifying opportunities to optimise spend while maintaining or improving security outcomes.
24/7/365 Security Operations Center (SOC) Oversight:
- 24/7/365 Operations: Lead daily SOC operations across enterprise and O&M production environments, ensuring continuous monitoring, detection, and response while meeting SLAs and maintaining high case-handling quality.
- Quality Assurance: Oversee four-eyes case reviews, shift handovers per SOP, and real-time approvals for whitelisting, blacklisting, and exceptions; provide feedback to prevent mishandled cases.
- Detection Engineering: Drive the development and tuning of detection rules, correlation logic, and automated response, continuously evolving the SOC to counter emerging threats.
- Metrics & Reporting: Maintain SOC metrics, dashboards, and daily/weekly reporting that measure operational effectiveness and communicate security posture to leadership.
- Channel Management: Govern intake and escalation across mailboxes, SOAR cases, ticketing (e.g., ServiceNow), and collaboration platforms (Teams, WeCom).
Incident Response, Forensics & Crisis Management:
- Incident Lifecycle: Lead the full incident response lifecycle — preparation, detection, analysis, containment, eradication, recovery, and lessons learned — in close coordination with the SOC Lead, ensuring minimal business impact.
- Crisis & On-Call Leadership: Lead major incident and crisis response at any hour, coordinating across departments and external partners as required.
- Digital Forensics: Lead forensic investigations to determine cause, scope, and impact of breaches; ensure proper acquisition, chain of custody, and up-to-date forensic tooling, methodologies, and SOPs aligned with legal and regulatory standards.
- Playbooks & SOPs: Ensure comprehensive, regularly reviewed playbooks and SOPs exist for every incident type, aligned with regulatory and business needs.
- Post-Incident Improvement: Review post-incident reports, assign remediation gaps to the responsible teams with mitigation plans and milestones, and track corrective actions to closure.
Threat and Vulnerability Management:
- Vulnerability Management: Oversee identification, reporting, and remediation of vulnerabilities across enterprise and production; maintain an agreed workflow with IT and O&M for timely patching or formal risk acceptance with the Risk Manager.
- Threat Hunting: Lead proactive threat hunting to uncover advanced threats that evade automated detection, neutralising them before impact and reporting findings.
- Threat Intelligence: Integrate internal and external threat intelligence (via the TIP) to anticipate emerging threats, enrich detection, and inform response and hunting; ensure exploits and vulnerabilities gathered through CTI are monitored with appropriate detections in place.
Security Technology & Architecture:
- Own the technology roadmap and govern the selection, deployment, optimisation, and policy of the security stack, ensuring tools function for daily BAU, integrate cleanly, and feed logs into the SIEM for timely detection:
- SIEM: Comprehensive log ingestion and integration, correlation rule development and tuning, alert escalation management, compliance reporting, and analyst dashboards.
- SOAR: Automated playbook development and tool integration to streamline triage, investigation, and remediation, reducing response times.
- XDR: Endpoint visibility and control across enterprise and production, asset onboarding and governance, and response actions such as isolation, quarantine, and triaging.
- WAF: Policy governance against threats such as SQL injection and XSS, balancing security with application performance, with full log ingestion to the SIEM.
- SASE: Zero-trust enforcement, network segmentation, and global policy standards across a secure-access architecture, with continuous security monitoring.
- Firewall: Rule management and review, network segmentation, intrusion prevention, and log monitoring at the network perimeter.
- Azure: Ensure all Azure services are secured and their policies are optimised in line with a defence-in-depth strategy.
- TIP: Multi-source threat data integration and correlation with internal security data, translating intelligence into actionable insight.
- AI Security and Monitoring: Ensure the company is protected from AI-related threats and that products leveraging AI have proper guardrails in place for prevention and monitoring.
- Continuous Optimization: Evaluate new technologies (POCs and proposals), implement CIS baselines, and keep tool policies current with evolving needs and best practice.
Compliance and Policy Development:
- Regulatory Compliance: Ensure the organisation meets all relevant cybersecurity regulations and industry standards, maintaining detailed records of activities and incidents.
- Audit Support: Coordinate and support internal and external audits, ensuring timely and successful completion.
Security Awareness and Training:
- Develop and manage the organisation's security awareness programmes and phishing exercises. Provide security training to employees, third parties, suppliers, partners, and customers.
Team Leadership and Development:
- Build & Retain: Hire, motivate, and develop a world-class global team — including L2 analysts, incident responders, and interns — with succession planning, mentoring, and performance management.
- Intern Programme: Run the recurring intern hiring cycle, onboarding, training, capstone projects, academic supervisor sync-ups, weekly status reporting, and assessments.
- Continuous Learning: Deliver ongoing training, workshops, and knowledge-sharing to keep staff current with the latest threats, tools, and techniques and aligned to new SOPs.
- Scheduling & Prioritisation: Manage shift schedules and ensure proper prioritisation of tasks and cases across the team.
Stakeholder Engagement and Communication:
- Executive & Board Reporting: Act as the primary SOC liaison, translating technical detail into business language and providing regular updates to senior leadership and the board.
- Client Representation: Represent the SOC in customer meetings and presentations, communicating the effectiveness of security strategy and posture.
- Cross-Functional Collaboration: Partner with Platform Engineering, Edge, Product Management, IT, O&M, Legal, HR, and the DPO to embed security across the organisation and lead change through influence in a matrixed environment.
- Escalation Handling: Serve as the escalation point for cybersecurity incidents and end-user/management issues, ensuring timely resolution and transparent communication.
Tabletop Exercises and Readiness:
- SOC Tabletop Exercises: Run SOC-specific TTX to ensure analysts can respond to every incident type with quality and efficiency.
- Company-Wide TTX: Lead organisation-wide exercises involving top management, DPO, Legal, HR, IT, and O&M to validate response plans and identify improvements.
- Lessons Learned: Assign identified gaps to the correct owners with mitigation plans, milestones, and continual follow-up.
Qualifications & Experience:
- 12+ years of progressive security leadership and management experience in multi-disciplinary environments
- Proven experience in cybersecurity operations management, preferably in a similar leadership role.
- Advanced knowledge of and hands-on experience in DFIR, with the ability to perform incident triage, containment, and forensics.
- Hands-on experience building and managing an information security programme, including security operations: threat hunting, threat intelligence, and red teaming.
- Hands-on technical experience demonstrating a willingness to get into the weeds and do the dirty work. Experience with cloud security, vulnerability management, and compliance frameworks.
- Strong knowledge of advanced digital forensics and incident response capabilities to address threats to both the enterprise and its products.
- Advanced degree or relevant certifications (e.g., CISSP, CISM, GCIH, GCFA) preferred