KPMG Philippines

Cybersecurity Operations Lead (Senior Manager)

10-14 Years
  • Posted 19 hours ago

Job Description

KDN Cyber within KDN Advisory

KDN Cyber is the global cyber security delivery capability within KDN Advisory. It is responsible for delivering cyber outcomes across governance, strategy, engineering, and operations through a single, integrated global delivery model.

KDN Cyber operates across multiple global delivery centres using common standards, service models, tooling, and career architectures. This ensures that cyber capabilities delivered in one location are consistent, scalable, and interoperable with those delivered elsewhere.

KDN Cyber Organisation and Operating Model

How we are structured

KDN Cyber operates through a deliberate separation between delivery and sales and enablement.

Sales and enablement are dedicated functions responsible for market engagement, solution shaping, and opportunity development. Delivery leadership collaborates closely with these teams, particularly on complex or transformative engagements, but remains intentionally separate. This structure allows delivery teams to focus on execution excellence, scalability, talent development, and consistent client outcomes.

Our delivery pillars

Delivery within KDN Cyber is organised into four core, peer organisational pillars:

  • Technology GRC
  • Security Strategy & Architecture
  • Security Engineering
  • Security Operations

These pillars are enduring capability domains, not stages in a linear lifecycle. Each has dedicated leadership, career paths, and deep technical expertise, and they work together as an integrated system to deliver outcomes ranging from advisory and transformation through to build and run services.

The responsibilities of each pillar can be described as:

  • Technology GRC governs technology and cyber risk, accountability, and assurance
  • Security Strategy & Architecture designs cyber strategy, target states, and architectures
  • Security Engineering builds and implements cyber capabilities
  • Security Operations runs and operates those capabilities over time

Modular, flexible delivery for clients

KDN Cyber is designed to complement and extend a client's existing cyber operating model.

Every organisation already performs some element of governance, design, engineering, and operations. These capabilities may sit within internal teams, technology platforms, or external providers, and vary widely in maturity and scale. KDN Cyber is intentionally designed to plug into this reality.

Each pillar is made up of clearly defined, modular capabilities that represent our standard for what good looks like. These capabilities can be combined, scaled, or delivered independently, allowing us to:

  • fill specific capability gaps,
  • co‑deliver alongside client teams, or
  • take full accountability for defined outcomes.

Each capability can be delivered as:

  • a Managed Service,
  • a Managed Platform Service, or
  • a Staff Augmentation Service,

providing the flexibility to size, scale, and evolve delivery in line with client needs and ways of working.

A globally integrated delivery system

Transformative cyber outcomes typically require multiple pillars working together, often across multiple delivery centres. KDN Cyber delivers through a globally integrated delivery network, using shared standards, tooling, and service models to ensure consistency while enabling scale.

Governance shapes expectations, strategy defines direction, engineering implements capability, and operations sustain and improve outcomes over time. These responsibilities interact continuously, forming a closed‑loop system rather than a sequence of hand‑offs.

This operating model enables KDN Cyber to deliver not only implementation, but sustainable, long‑term cyber outcomes in partnership with clients.

Position Overview

The KDN Manila Security Operations Lead is the domain leader accountable for the Security Operations pillar within the Manila Cyber Delivery Centre. The role exists to run high-quality, resilient security operations services, including SOC and MDR, aligned to global KDN Cyber run standards.

This role combines operational leadership, service management rigour, and people leadership within a 24x7 environment. You will ensure services meet defined outcomes, operate to clear SLAs and governance cadence, and continuously improve detection, response, and operational effectiveness.

The ideal candidate is energised by building strong operational teams, running services with discipline, and improving outcomes through evidence, tuning, automation, and continuous learning.

Role Scope and Accountability

Reporting

  • Reports to the Manila Cyber Delivery Centre Lead.
  • Functional reporting line to the Global Security Operations Lead.
  • Partners with Sales and Enablement to ensure operational commitments and SLAs are deliverable and sustainable.

Accountabilities

  • Operational delivery quality, resilience, and service performance for Security Operations delivered from Manila.
  • Adoption and enforcement of runbooks, escalation paths, SLAs, and evidence cadences aligned to global standards.
  • Continuous improvement in detections, automation, telemetry quality, and analyst effectiveness.
  • Operational readiness and secure delivery practices appropriate for 24x7 services.
  • Leadership depth and talent sustainability for shift-based and leadership layers.

Domain Scope

  • Monitoring, Investigation and Response: monitoring and triage; analysis and investigation; breach response; incident coordination; forensic analysis, etc.
  • Observability Operations: SIEM and SOAR management; use case and playbook development; log source onboarding, etc.
  • Security Platform Operations: platform management; continuous improvement, etc.
  • Threat and Vulnerability Management: threat hunting; cyber threat intelligence; attack surface monitoring; vulnerability management; deception technology, etc.
  • Incident Resolution: crisis response; compromise assessment; eradication and recovery; CSIRT, etc.

Key Responsibilities

  • Lead SOC and MDR delivery from Manila, ensuring service outcomes, SLAs, and operational governance are met.
  • Act as the senior escalation point for incidents, operational risks, and service degradation; drive rapid, disciplined resolution.
  • Drive operational maturity: detection tuning, false-positive reduction, playbook evolution, automation, and evidence-based improvement.
  • Ensure operational boundaries and shared responsibility expectations are clear and enforced with clients.
  • Build and lead management layers for a 24x7 operation: shift leadership, service management, quality oversight, and succession.
  • Partner with Engineering and Strategy and Architecture to ensure platform changes, onboarding, and improvements remain coherent and controlled.

What Success Looks Like

  • Services run reliably and predictably: clear cadence, disciplined escalation, and consistent delivery outcomes.
  • Detection and response improve over time through tuning, automation, and telemetry quality discipline.
  • Operational teams are stable, coached, and resilient: strong shift leadership and clear accountability.
  • Clients and member firms trust the Manila operation to run critical security outcomes without surprises.

Skills and Experience

Security Operations Leadership: Experience leading SOC or MDR operations with accountability for outcomes, not just activity. Expected level: Expert: runs services at scale; sets operational standards; leads under pressure.

Service Management and SLA Discipline: Ability to operate to defined outcomes, SLAs, and governance cadence, with transparent reporting and issue management. Expected level: Advanced: builds predictable operations; prevents drift and unmanaged commitments.

Incident Management and Escalation: Strong capability in incident coordination, escalation management, and crisis decision-making. Expected level: Expert: calm under pressure; makes clear calls; drives resolution.

Detection Engineering and Continuous Improvement: Understanding of how to improve signal quality: tuning, coverage, false-positive reduction, and evidence-based improvement. Expected level: Advanced: drives measurable improvement; partners with engineering and architecture.

SIEM, SOAR, and Operational Tooling: Working mastery of operational platforms and the governance required to operate them safely and effectively. Expected level: Advanced: assures platform operations; drives automation and reliability.

Threat Intelligence and Hunting: Ability to incorporate threat context and proactive hunting into operational improvement. Expected level: Advanced: improves relevance of detections and prioritisation.

Operational Governance and Risk: Ability to define and enforce operational boundaries, shared responsibility, and control evidence. Expected level: Advanced: prevents scope creep; protects trust and contractual clarity.

People Leadership in 24x7 Environments: Experience building shift-based organisations with strong coaching, performance management, and retention. Expected level: Advanced: builds resilience and leadership depth.

Stakeholder Leadership: Ability to coordinate across member firms, clients, and global leaders with transparency and clarity. Expected level: Advanced: trusted communicator; escalates early; protects credibility.

Minimum Qualifications

  • Bachelor's degree in Information Security, IT, or related discipline, or equivalent professional experience.
  • Typically 10 to 14 years of relevant experience in security operations, SOC, or MDR leadership roles.
  • Certifications preferred: CISSP, GCIA, GCIH, or equivalent.

Job ID: 148523571