Vodafone • Newbury, United Kingdom

SIEM Content Development Team Leader

Transparency ranking: 8.8/10


Job Description

Join Us

At Vodafone, we’re not just shaping the future of connectivity for our customers – we’re shaping the future for everyone who joins our team. When you work with us, you’re part of a global mission to connect people, solve complex challenges, and create a sustainable and more inclusive world. If you want to grow your career whilst finding the perfect balance between work and life, Vodafone offers the opportunities to help you belong and make a real impact.

What you’ll do

The purpose of this role is to lead a team providing cutting-edge detection of security events, to allow the Cyber Security Operations Center to detect and respond to cybersecurity incidents. The SIEM Content Development Team Lead will have full autonomy and operational accountability for leading the team and managing performance against defined Service Level Agreements and Key Performance Indicators. Using a wide array of security technology and telemetry, this team builds detections and playbooks which guide security analysts, using a threat-led approach. This role requires strong technical, analytical and problem-solving skills, as well as the ability to communicate effectively with leadership, peers and across other team boundaries.
This role also champions detection-as-code practices, automation, and collaboration across threat intelligence, incident response, and engineering teams to ensure scalable and resilient detection capabilities.

Key accountabilities and decision ownership:

  • Lead the team in driving continuous improvement across multiple technologies.
  • Lead and contribute to content development - optimal tuning and operation of the threat and vulnerability management technologies.
  • Continually refine the rules and logic within the Vodafone SIEM.
  • Work with CSOC Principal Manager to improve security operations.
  • Security Analysis – take part in and may drive security event analysis activities to address current Cyber threats.
  • Threat Response – may require engagement and possibly driving the analysis from blue team perspective to identify possible threat group activity.
  • Security Reporting and Advisories – take part in and may drive the delivery of cyber security reports and advisories to all key stakeholders.
  • Champion detection-as-code practices, including version control, peer review, and CI/CD pipelines for rule deployment.
  • Foster a culture of continuous learning and innovation within the team, including mentoring, knowledge sharing, and cross-functional collaboration.
  • Partner with platform and engineering teams to ensure detection logic is scalable, resilient, and aligned with infrastructure changes.
  • Residual Risk Assessment – take part in and may drive the delivery of ‘operational and technical’ lessons learnt post incident analysis and reporting.
  • Collaborate with data owners and customers on understanding data sources and use cases and successfully translating requirements to actionable content.

Who you are

  • Minimum of 2-5 years’ experience in a SIEM content (rule logic and code) development role.
  • Experience in a Security Operations Centre (SOC) or similar environment, with modern threat landscapes and attack techniques.
  • Proven experience in leading technical teams or line management, with the ability to mentor, develop, and manage performance across a diverse group of security professionals.
  • Experience collaborating with cross-functional teams including threat intelligence, incident response, and platform engineering.
  • In-depth and extensive hands-on experience in security event analysis, creating and refining SIEM/EDR rules, and delivering efficiency within the SIEM and all other technologies used within the team.
  • Experience in threat modelling methodologies (e.g. STRIDE, PASTA or attack trees).
  • Ability to translate threat scenarios and intelligence into actionable detection logic and measurable outcomes.
  • Deep knowledge of IPv4/IPv6, TCP networking protocols.
  • Deep knowledge of Windows/Linux operating systems.
  • Exceptional working knowledge of security technologies such as SIEM (Google SecOps, ArcSight, Sentinel, QRadar, LogRhythm, Splunk), EDR (Microsoft Defender, FireEye, Tanium), IDS/IPS, firewalls, proxies, web application firewalls, anti-virus, etc.
  • Comprehensive understanding of Windows Security Event logs and Syslog.
  • Excellent familiarity with endpoint/perimeter security attack vectors and detection (blue/purple teaming).
  • Excellent familiarity with standard security frameworks such as MITRE, cyber kill chain and APT campaign strategies.
  • Outstanding knowledge of cloud platforms such as Azure, O365, Google Cloud, AWS, Oracle.
  • Excellent working knowledge of regular expression development.
  • Scripting and programming experience is highly desirable.
  • Kusto or SQL knowledge, including rule/query optimisation.
  • YARA-L knowledge, including rule/query optimisation.
  • Familiarity with detection-as-code tooling and practices (e.g., Git, CI/CD pipelines for rule testing and deployment).
  • Experience in security event analytics, for example Elastic, Azure Sentinel or Splunk.
  • Experience in building or maturing security culture initiatives, including awareness programs, gamified training, or executive engagement.

Not a perfect fit?

Worried that you don’t meet all the desired criteria exactly? At Vodafone we are passionate about empowering people and creating a workplace where everyone can thrive, whatever their personal or professional background. If you’re excited about this role but your experience doesn’t align exactly with every part of the job description, we encourage you to still apply as you may be the right candidate for this role or another opportunity.

What's in it for you

  • Yearly bonus: 10%
  • Annual leave: 28 days + bank holidays + the opportunity to buy/sell/carry over 5 days/year
  • Charity days: 5 days/year
  • Maternity leave: 52 weeks: the first 13 weeks are fully paid, followed by 26 weeks of half pay
  • Private pension: You can contribute up to 5% of your basic pay with 2:1 matching from Vodafone up to 10%.
  • Access to: private medical, private dental, free health assessments, share save scheme
  • Additional discounts: Vodafone retail, gym, cinema, cycle to work, season ticket loan

Who we are

We are a leading international Telco, serving millions of customers. At Vodafone, we believe that connectivity is a force for good. If we use it for the things that really matter, it can improve people's lives and the world around us. Through our technology we empower people, connecting everyone regardless of who they are or where they live and we protect the planet, whilst helping our customers do the same.

Belonging at Vodafone isn't a concept; it's lived, breathed, and cultivated through everything we do. You'll be part of a global and diverse community, with many different minds, abilities, backgrounds and cultures. We're committed to increasing diversity, ensuring equal representation, and making Vodafone a place where everyone feels safe, valued and included.

If you require any reasonable adjustments or have an accessibility request as part of your recruitment journey, for example, extended time or breaks in between online assessments, please refer to https://careers.vodafone.com/application-adjustments/ for guidance.

Together we can.

Company benefits

UK (28), India (22), Egypt (21), Hungary (20), Romania (20), Albania (22), Turkey (14) days annual leave + bank holidays
Work from anywhere scheme – work for up to 20 days/year abroad (dependent on country)
Annual bonus – dependent on company performance
Employee discounts
Personal development days – once per quarter
Learning platform – access to Harvard Business Publishing, MIT Horizon and Skillsoft
Enhanced maternity leave – 16 weeks (paid) with a phased return to work over 6 months
Enhanced paternity leave – 16 weeks (paid) with a phased return to work over 6 months
Volunteer days – up to 5 days
Coaching – access to a free certified internal pool of coaches
Mentoring
Carer’s leave
Adoption leave – 16 weeks (paid) with a phased return to work over 6 months
Enhanced sick days
Mental health platform access
Mental health first aiders
Employee assistance programme
Complimentary Medical Services – 24/7 online doctor service
Compassionate leave
Home office set up
Buddy scheme
Referral bonus
Early finish Fridays
Buy or sell annual leave
Cycle to work scheme
Life insurance
Sabbaticals
Salary sacrifice
Share options
Teambuilding days
Faith rooms
Enhanced pension match/contribution
LinkedIn Learning license

Working at Vodafone

Company employees

85,887

Gender diversity (male:female)

61:39

Currently hiring in

Albania

China

Czechia

Egypt

France

Germany

Greece

Hong Kong

Hungary

India

Ireland

Italy

Luxembourg

Mozambique

Portugal

Romania

South Africa

Spain

Tanzania

Türkiye

United Kingdom

United States
