Cyber Operations & IR Manager in London

When you join EDF Trading, you’ll become part of a diverse international team of experts who challenge conventional ideas, test new approaches, and think outside the box. Energy markets evolve rapidly, so our team needs to remain agile, flexible, and ready to spot opportunities across all the markets we trade in power, gas, LNG, LPG, oil, and environmental products. EDF Group and our customers all over the world trust that their assets are managed by us in the most effective and efficient manner and are protected through expert risk management.

Trading for over 20 years, it’s experience that makes us leaders in the field. Energy is what we do. Become part of the team and you will be offered a great range of benefits, which include (location dependent) hybrid working, a personal pension plan, private medical and dental insurance, bi-annual health assessments, corporate gym memberships, an electric car lease programme, childcare vouchers, a cycle-to-work scheme, season ticket loans, volunteering opportunities, and much more.

Gender balance and inclusion are very high on the agenda at EDF Trading, so you will become part of an ever-diversifying family of around 750 colleagues based in London, Paris, Singapore, and Houston. Regular social and networking events, both physical and virtual, will ensure that you always feel connected to your colleagues and the business.

Job Description:

Department: Information Technology (IT)

Position purpose: To lead and line-manage EDF Trading’s London-based cyber security team, assure the local delivery of globally-prioritised work, and act as Incident Commander and first point of escalation for cyber security in London. The role additionally leads the Endpoint, Platform and Incident Response capability, owning the global prioritisation of that backlog against enterprise cyber risk.

Main responsibilities:

• People Leadership & Line Management (25%)
  • Line-manage the London-based cyber security team, setting objectives and managing performance.
  • Provide day-to-day supervision, coaching and development, building local capability and resilience.
  • Allocate London team members’ time to globally-prioritised work, balancing workload across capability areas.
  • Act as the local point of contact for recruitment, onboarding and HR matters in London.
• Incident Command & Escalation (20%)
  • Act as Incident Commander for security incidents during London hours, coordinating first responders, IT, Legal, Compliance, specialist providers and EDF Group as required.
  • Serve as the first point of escalation for IT and the business in London on cyber security matters.
  • Work with the 24/7 Managed Detection and Response (MDR) provider to triage and escalate detections.
  • Coordinate local participation in incident response exercises and maintain readiness.
• Local Delivery Assurance (20%)
  • Assure local execution of globally-prioritised work to agreed quality, pace and outcomes.
  • Drive London-side delivery of in-flight initiatives through to completion.
  • Track and chase vulnerability remediation and patching on London-managed systems, escalating blockers.
  • Maintain local operational health and a documented view of London roles and responsibilities.
• Endpoint, Platform & Incident Response – Capability Lead (20%)
  • Own the global prioritisation of the Endpoint, Platform and Incident Response backlog, ordered against the enterprise cyber risk register and exploitation-based intelligence (e.g. MITRE ATT&CK).
  • Curate the backlog from inputs across Houston and London, including the endpoint detection and response (CrowdStrike) execution lead.
  • Maintain alignment of this domain to the enterprise risks for endpoint compromise, detection and containment, and cyber resilience.
  • Operate within the Global Head’s monthly prioritisation cadence; prioritisation across other domains remains with the Global Head.
• Governance & Stakeholder Engagement (15%)
  • Represent cyber security in local change approvals and the Change Advisory Board (CAB).
  • Provide the local stakeholder interface for cyber security in London.
  • Triage and advise on Citizen IT requests, escalating data-exposure and unsanctioned-tool risks to the relevant capability owner.
  • Support the definition and monthly reporting of cyber security KPIs for the London team.

Experience required:

The successful candidate can demonstrate that they have:

• Planned and delivered complex, cross-functional security or technology initiatives end-to-end, coordinating multiple workstreams, stakeholders and dependencies to time and quality (using structured methods such as Agile/Kanban).
• Line-managed a security or technical team of at least three staff, including objective-setting and performance management.
• Led or coordinated cyber security incident response as an Incident Commander or equivalent, working with MDR providers and cross-functional stakeholders (IT, Legal, Compliance).
• Operated endpoint security and endpoint detection and response (EDR) tooling (e.g. CrowdStrike or equivalent) in a production environment.
• Prioritised and managed a risk-based security backlog, applying frameworks such as MITRE ATT&CK and threat-based prioritisation.
• Assured the delivery of security initiatives across distributed teams or sites, tracking vulnerability remediation and patching through to completion.
• Represented security in change control / Change Advisory Board (CAB) and governance forums.
• Built effective working relationships with IT, HR, Legal, Compliance and third-party service providers.
• Applied security controls aligned to recognised frameworks (MITRE ATT&CK, ISO 27001, CIS or NIST).

Technical requirements:

Essential:

• A strong, hands-on technical background in operational cyber security spanning endpoint & EDR, identity & Active Directory, Microsoft 365 & Azure, network/ZTNA, and SIEM/log management — able to act as a senior technical authority within the team.
• Demonstrable experience leading cyber security incident response (incident command), from detection through containment and remediation.
• Working knowledge of MITRE ATT&CK and at least one recognised control framework (ISO 27001, CIS or NIST).
• Risk-based prioritisation of remediation using threat intelligence.

Desirable: some or all of the following (we don't expect any one candidate to have them all):

• Azure (infrastructure and/or security-focused experience)
• CrowdStrike (Falcon)
• Zscaler (ZIA/ZPA)
• Active Directory security and hardening
• Strong troubleshooting and problem-solving ability
• Security automation (scripting, SOAR or similar)
• Practical use of AI tools to boost personal and team productivity
• ServiceNow
• Incident playbook development and running table-top exercises
• A recognised security certification (e.g. CISSP, CISM or GCIH)

Person specification:

• A capable people leader — able to set direction, delegate, develop and inspire a team, and hold others to account.
• Calm, decisive judgement under pressure, particularly when leading live security incidents.
• Effective at coordinating people and stakeholders across multiple sites and time zones.
• Strong prioritisation and delivery focus — able to make risk-based trade-offs across competing demands and drive complex, multi-workstream initiatives through to completion.
• A confident communicator who can explain complex security topics to non-technical and senior business audiences, and influence change at all levels.
• Comfortable operating in a fast-paced trading-floor environment, balancing competing demands.
• Outcome-focused and accountable, with strong attention to the accuracy of information.

Hours of work: Core hours of 8.30am – 5.30pm; however, flexibility is required to meet essential business deadlines.