
SIEM Content Development Team Leader

Newbury
Vodafone
Team leader
Posted: 1 August
Offer description

Join Us

At Vodafone, we’re not just shaping the future of connectivity for our customers – we’re shaping the future for everyone who joins our team. When you work with us, you’re part of a global mission to connect people, solve complex challenges, and create a sustainable and more inclusive world. If you want to grow your career whilst finding the perfect balance between work and life, Vodafone offers the opportunities to help you belong and make a real impact.

What you’ll do

The purpose of this role is to lead a team providing cutting-edge detection of security events, to allow the Cyber Security Operations Center to detect and respond to cybersecurity incidents. The SIEM Content Development Team Lead will have full autonomy and operational accountability for leading the team and managing performance against defined Service Level Agreements and Key Performance Indicators. Using a wide array of security technology and telemetry, this team takes a threat-led approach to building detections and playbooks which guide security analysts. This role requires strong technical, analytical and problem-solving skills, as well as the ability to communicate effectively with leadership, peers and across other team boundaries.
This role also champions detection-as-code practices, automation, and collaboration across threat intelligence, incident response, and engineering teams to ensure scalable and resilient detection capabilities.

Key accountabilities and decision ownership:

1. Lead the team in driving continuous improvement across multiple technologies.
2. Lead and contribute to content development - optimal tuning and operation of the threat and vulnerability management technologies.
3. Continually refine the rules and logic within the Vodafone SIEM.
4. Work with CSOC Principal Manager to improve security operations.
5. Security Analysis – take part in and may drive security event analysis activities to address current Cyber threats.
6. Threat Response – may require engaging in, and possibly driving, the analysis from a blue team perspective to identify possible threat group activity.
7. Security Reporting and Advisories – take part in and may drive the delivery of cyber security reports and advisories to all key stakeholders.
8. Champion detection-as-code practices, including version control, peer review, and CI/CD pipelines for rule deployment.
9. Foster a culture of continuous learning and innovation within the team, including mentoring, knowledge sharing, and cross-functional collaboration.
10. Partner with platform and engineering teams to ensure detection logic is scalable, resilient, and aligned with infrastructure changes.
11. Residual Risk Assessment – take part in and may drive the delivery of ‘operational and technical’ lessons learnt post incident analysis and reporting.
12. Collaborate with data owners and customers to understand data sources and use cases, and translate requirements into actionable content.

Who you are

1. Minimum of 2-5 years’ experience in a SIEM content (rule logic and code) development role.
2. Experience in a Security Operations Centre (SOC) or similar environment, with modern threat landscapes and attack techniques.
3. Proven experience in leading technical teams or line management, with the ability to mentor, develop, and manage performance across a diverse group of security professionals.
4. Experience collaborating with cross-functional teams including threat intelligence, incident response, and platform engineering.
5. In-depth and extensive hands-on experience in security event analysis, creating and refining SIEM/EDR rules, and delivering efficiency within the SIEM and all other technologies used within the team.
6. Experience in threat modelling methodologies (e.g. STRIDE, PASTA or attack trees).
7. Ability to translate threat scenarios and intelligence into actionable detection logic and measurable outcomes.
8. Deep knowledge of IPv4/IPv6, TCP networking protocols.
9. Deep knowledge of Windows/Linux operating systems.
10. Exceptional working knowledge of security technologies such as SIEM (Google SecOps, ArcSight, Sentinel, QRadar, LogRhythm, Splunk), EDR (Microsoft Defender, FireEye, Tanium), IDS/IPS, firewalls, proxies, web application firewalls, anti-virus, etc.
11. Comprehensive understanding of Windows Security Event logs and Syslog.
12. Excellent familiarity with endpoint/perimeter security attack vectors and detection (blue/purple teaming).
13. Excellent familiarity with standard security frameworks such as MITRE, cyber kill chain and APT campaign strategies.
14. Outstanding knowledge of cloud platforms such as Azure, O365, Google Cloud, AWS, Oracle.
15. Excellent working knowledge of regular expression development.
16. Scripting and programming experience is highly desirable.
17. Kusto or SQL knowledge, including rule/query optimisation.
18. YARA-L knowledge, including rule/query optimisation.
19. Familiarity with detection-as-code tooling and practices (Git, CI/CD pipelines for rule testing and deployment).
20. Experience in security event analytics, for example Elastic, Azure Sentinel or Splunk.
21. Experience in building or maturing security culture initiatives, including awareness programs, gamified training, or executive engagement.
