Lead Security Operations Centre (SOC) Analyst

About us  The Department for Business and Trade (DBT) has a clear mission - to grow the economy. Our role is to help businesses invest, grow and export to create jobs and opportunities right across the country. We do this in three ways.   Firstly, we help to build a strong, competitive business environment, where consumers are protected and companies rewarded for treating their employees properly.   Secondly, we open international markets and ensure resilient supply chains. This can be through Free Trade Agreements, trade facilitation and multilateral agreements. Finally, we work in partnership with businesses every day, providing advance, finance and deal-making support to those looking to start up, invest, export and grow.  The Digital, Data and Technology (DDaT) directorate develops and operates tools and services to support us in this mission. The team have been nominated three times in a row for ‘Best Public Sector Employer’ at the Women in Tech awards!   About the role    This position is part of the DBT Security Operations Centre (SOC) and reports directly to the SOC Manager. The SOC is responsible for detecting and responding to both internal and external threats to the security of DBT’s services and the data that supports them. This role plays a vital part in protecting the Department and supporting its mission to drive economic growth.    The Lead SOC Analyst will lead the CIDR (Cyber Incident Detection and Response) team acting as a point of escalation for analysts and escalating incidents to the SOC manager and beyond as necessary. A key part of the incident response process will be the collection and implementation of lessons learned as part of a continuous improvement cycle.    Working closely with other SOC functions, primarily Cyber Engineering, the role will ensure that appropriate logging and monitoring is in place across DBTs end user and digital estates. The creation and maintenance of new and existing analytic rules based on this logging, and feedback from incidents, is vital to maintaining DBTs detect and respond capability.    About you   You will be an experienced SOC analyst with an excellent understanding of the threats facing an organisation in a cloud environment. Familiar with SIEM (Security Incident and Event Management) tools and a detailed understanding of logging requirements in digital services, you will be able to both create and review analytic rules to improve detection capability. You will also possess strong communication and line management skills and be able to lead the CIDR team effectively to respond to an ever-changing threat landscape Main responsibilities  You will: 

• Line manage the CIDR team, monitoring, triaging, and investigating security alerts on protective monitoring platforms to identify security incidents 

• Review existing and new data sources being ingested into the protective monitoring platform and propose and implement use cases for detection and analysis 

• Communicate the significance of the results of investigations and risk mitigation outcomes, guiding the organisation in the improvement and maintenance of a robust response to new threats and attack vectors 

• Provide management information regarding various aspects of the function of the incident detection and response capability 

• Ensure analyst work is up to standard by implementing and maintaining peer reviews of investigations 

• Lead and develop DBT’s incident detection and response capability, including maintaining and updating existing policies 

• Manage post-incident reviews, including root cause analysis, to feedback information and so improve monitoring 

• Provide an escalation point for analysts, making decisions regarding resolution of incidents, including escalation, where appropriate to the SOC manager or above 

  Skills and experience   It is essential that you have:   

• Experience of SIEM tools, including being proficient in query languages, to create automation, detection rules and dashboards (Lead Criteria) 

• Experience managing a team of analysts  

• Experience of cyber security incident management, particularly in a cloud-based environment 

• Experience of working in a cross-functional cloud-based environment 

• Effective verbal and written communication skills 

• An appropriate cyber security qualification, preferably related to incident response or security operations 

  How to apply  As part of the application process you will be asked to upload a two-page CV and complete a 750 word personal statement outlining how you meet the essential skills and experience listed above. You can use bullet points and subheadings if you prefer.   Sift will be from week commencing 23rd June 2025 Interviews will be from week commencing 30th June 2025 Please note these dates are indicative and may be subject to change.  If there is a high volume of applications, we will sift looking at the Lead criteria only - Experience of SIEM tools, including being proficient in query languages, to create automation, detection rules and dashboards.  You may then be progressed to full sift or straight to interview.    How we interview  At the interview stage for this role, you will be asked to demonstrate relevant Technical Skills and Behaviours from the Success Profiles framework. These are role specific and in line with the Government Security Profession Career Framework.   Technical Skills 

• Intrusion detection and analysis 

• Threat understanding 

• Cyber security operations 

• Threat intelligence and threat assessment 

• Secure Operations Management 

  Behaviours  

• Changing and Improving 

• Managing a Quality Service 

  How we offer  Offers will be made in merit order based on location preferences. If you pass the bar at interview but are not the highest scoring you will be held on a 12-month reserve list in case a role becomes available. If you are judged a near miss at interview, you may be offered a post at the grade below the one you applied for.  This role requires SC clearance. DBT’s requirement for SC clearance is to have been present in the UK for at least 3 of the last 5 years. Failure to meet this requirement will result in your application being rejected and your offer will be withdrawn. Checks will also be made against: 

• departmental or company records (personnel files, staff reports, sick leave reports and security records) 

• UK criminal records covering both spent and unspent criminal records 

• your credit and financial history with a credit reference agency 

• security services record 

• location details 

  Benefits   If you join us, you will get:   

• learning and development tailored to your role 

• a flexible, hybrid working environment with options like condensed hours  

• a culture encouraging inclusion and diversity 

• a Civil Service pension with an average employer contribution of 28.97%    

• annual leave starting at 25 days rising to 30 days with service 

• three paid volunteering days a year 

• an employee benefits programme including cycle to work 

  More about us  This role can only be worked from within the UK, not overseas. If you are based in London, you will receive London weighting. DBT employees work in a hybrid pattern, spending 2-3 days a week (pro rata) in the office on average.  Travel to your primary office location will not be paid for by DBT, but costs for travel to an office which is not your main location will be covered. You can find out more about our office locations, how we calculate salaries, our diversity statement and reasonable adjustments, the Recruitment Principles, the Civil Service code and our complaints procedure on our website. Find out more about life at DBT, our benefits and meet the team by watching our video or reading our blog!