Senior (5-8 years)

Senior Security Assistant

This isn't just about ticking boxes anymore; it's about spotting patterns, digging into alerts, and making sure our security processes actually work. You'll be the one who moves beyond following a runbook to actually helping write and improve them. Think of yourself as the first line of advanced defence, the person who catches the tricky stuff before it becomes a full-blown incident.

Job ID: JD-TECH-SRSEAS-003
Department: Technical Roles
NOS Level: Information Security Operations
OFQUAL Level: Level 6-7
Experience: Senior (5-8 years)

Role Purpose & Context

Role Summary

The Senior Security Assistant is here to really get stuck into our security alerts and incidents. You'll move past just escalating things and start figuring out what's actually going on, helping to contain issues and improve how we do things. This role directly impacts our ability to spot and stop threats, keeping our systems and data safe from the bad guys. Day-to-day, you'll be at the sharp end of our security operations, analysing suspicious activity and helping to refine our incident response plans. You're the bridge between the raw alerts and the tactical decisions our Security Lead makes. When you do this well, we catch things faster, reduce our exposure, and learn from every incident. If it's not done properly, we miss critical threats, systems get compromised, and our reputation takes a hit. The tricky part is sifting through a mountain of noise to find the one signal that matters, often with incomplete information. The reward, though, is knowing you've genuinely protected the company and helped build a more robust defence.

Organisational Impact

Scope: Your work ensures that our immediate security posture is strong, reducing the attack surface and improving our response times to actual threats. You directly contribute to the resilience of our technical infrastructure and the protection of sensitive company data, which, frankly, is pretty crucial for keeping the lights on and avoiding massive fines.

Performance Metrics

Quantitative Metrics

  1. Metric: Mean Time to Investigate (MTTI) Critical Alerts
     Desc: How quickly you start a deep dive into high-priority security alerts after they're identified.
     Target: < 30 minutes
     Freq: Weekly review of incident logs
     Example: An EDR alert fires for a potential ransomware attack at 09:00. You've started your investigation, pulled logs, and updated the incident ticket by 09:25, beating the target.
  2. Metric: False Positive Reduction from Rule Tuning
     Desc: The percentage decrease in benign alerts after you've refined SIEM or EDR detection rules.
     Target: Reduce by 15% per quarter for assigned rules
     Freq: Quarterly review of alert volumes and incident closures
     Example: You take ownership of the 'suspicious login from new geo' rule. After your tuning, the daily false positives drop from 50 to 40, a 20% reduction, meaning the team has less noise to sift through.
  3. Metric: Vulnerability Remediation Tracking Efficiency
     Desc: The percentage of critical and high vulnerability tickets you're tracking that are closed within their agreed SLAs.
     Target: 90% of critical/high vulnerabilities closed on time
     Freq: Monthly report from vulnerability management platform
     Example: Out of 10 critical vulnerabilities assigned to various teams, 9 are patched or mitigated by their due dates, thanks to your diligent follow-ups and clear communication.
  4. Metric: Phishing Triage & Analysis Accuracy
     Desc: How accurately you classify user-reported phishing emails (e.g., legitimate, spam, actual threat) and identify Indicators of Compromise (IOCs).
     Target: 99% accuracy in classification and IOC extraction
     Freq: Weekly spot-check by Security Lead
     Example: You analyse 100 phishing emails; 99 are correctly categorised, and all relevant malicious URLs or file hashes are extracted and added to our block lists.

Qualitative Metrics

  1. Metric: Documentation Quality & Improvement
     Desc: Your contribution to creating and improving our security runbooks, playbooks, and knowledge base articles. This isn't just updating; it's making them genuinely better and easier to follow.
     Evidence: Regular contributions to the Confluence security space; positive feedback from junior team members using your documentation; clear, concise, and accurate new runbooks for common incidents; proactive identification of documentation gaps.
  2. Metric: Proactive Threat Hunting & Anomaly Detection
     Desc: Your initiative in looking for suspicious activity that hasn't triggered an alert yet, or digging deeper into low-priority alerts that others might dismiss.
     Evidence: You present findings from a self-initiated SIEM query that uncovered a previously unknown suspicious internal connection; you identify a new phishing campaign variant before it's widely reported; you suggest new detection rules based on observed attacker TTPs (Tactics, Techniques, and Procedures).
  3. Metric: Collaboration & Knowledge Sharing
     Desc: How effectively you work with other teams (IT, Network, Development) and share your security knowledge within the team, especially with junior colleagues.
     Evidence: Other teams actively seek your input on security-related changes; you lead internal knowledge-sharing sessions or workshops; junior analysts frequently come to you for advice and praise your mentorship; you contribute actively to team discussions and post-incident reviews.
  4. Metric: Process Improvement & Automation Suggestions
     Desc: Your ability to spot inefficiencies in our security operations and propose practical solutions, potentially involving automation or new tools.
     Evidence: You propose a script to automate a repetitive log analysis task, saving 2 hours a week; you suggest a change to our access review process that makes it more robust and less manual; your ideas are often discussed and sometimes implemented by the team or lead.

Primary Motivators

  1. Motivator: Solving Complex Puzzles
     Daily: You'll spend hours digging through logs and correlating events to piece together what happened during a suspicious activity alert. It's like being a detective, but for digital crimes.
  2. Motivator: Making a Tangible Impact
     Daily: Your work directly contributes to stopping real threats. When you successfully identify and help contain a phishing campaign, you're protecting our colleagues and the company's data.
  3. Motivator: Continuous Learning and Improvement
     Daily: The threat landscape changes daily. You'll be constantly learning about new attack techniques and defence strategies, and then applying that knowledge to improve our own security posture.

Potential Demotivators

Honestly, this role isn't for everyone. You'll spend a fair bit of time chasing other teams to patch vulnerabilities you've highlighted, and sometimes it feels like pulling teeth. You'll also deal with a lot of 'noise' – false positive alerts that you have to investigate, only to find nothing. The 'urgent' request that disrupted your Tuesday might get deprioritised by Friday because something else blew up. If you need every piece of your work to go smoothly and see immediate, perfect resolution, you might struggle here. The reality is messier than the textbooks suggest, and sometimes, you're a necessary blocker, not a hero.

Common Frustrations

  1. Chasing other teams for weeks to get critical vulnerabilities patched, only for them to miss the deadline.
  2. Investigating hundreds of low-priority alerts only to find they're all false positives, leading to genuine 'alert fatigue'.
  3. Users still clicking on obvious phishing links, despite all the training, meaning you have to clean up the mess.
  4. Being seen as a 'blocker' by development teams who just want to ship code fast, without fully understanding the security implications.
  5. The sheer volume of documentation updates and knowledge base maintenance – it's crucial but rarely exciting.

What Role Doesn't Offer

  1. A quiet, predictable 9-to-5 job with no surprises.
  2. Constant praise and recognition for every task – much of your work is preventative and goes unnoticed until it's needed.
  3. An environment where every problem has a clear, easy solution and all data is perfectly clean.
  4. A role where you're always building new, shiny things; often, it's about maintaining, improving, and defending existing systems.

ADHD Positives

  1. The fast-paced, investigative nature of incident response can be highly engaging for those with ADHD, offering varied tasks and high-stakes problem-solving that can tap into hyperfocus.
  2. The constant influx of new alerts and challenges means less routine, which can be a positive. Each incident is a new puzzle to solve.
  3. The need for quick, decisive action during containment phases can suit individuals who thrive under pressure and can think on their feet.

ADHD Challenges and Accommodations

  1. The volume of alerts and the need for meticulous documentation can be challenging. We can offer tools for structured note-taking and templates to guide documentation.
  2. Maintaining focus during long periods of sifting through logs for subtle anomalies might require scheduled breaks or pairing with a colleague.
  3. Prioritisation can be tricky when multiple 'urgent' things come in. We use clear ticketing systems and daily stand-ups to help manage priorities and provide support.

Dyslexia Positives

  1. Strong spatial reasoning and pattern recognition, common strengths in dyslexia, are incredibly valuable for spotting anomalies in logs or network traffic patterns.
  2. The ability to think holistically about systems and connections can help in understanding complex attack chains, even if individual details are harder to process.
  3. Often excellent verbal communicators, which is crucial for explaining complex security issues to various teams.

Dyslexia Challenges and Accommodations

  1. Extensive reading of technical documentation, logs, and incident reports can be demanding. We encourage the use of screen readers, text-to-speech software, and provide documentation in accessible formats.
  2. Writing clear, concise incident reports is essential. We can offer templates, grammar-checking tools, and peer review support to ensure accuracy without adding undue stress.
  3. Attention to detail in spelling (e.g., in domain names) is critical. Tools like browser extensions for spell-checking and dedicated review time are standard practice.

Autism Positives

  1. A strong preference for logical, rule-based systems and processes is a huge asset in security operations, where adherence to runbooks and protocols is key.
  2. Exceptional attention to detail and pattern recognition, particularly for spotting anomalies or inconsistencies in data, is highly valued in threat detection and analysis.
  3. The ability to focus deeply on specific tasks and technical investigations, without being easily distracted, can lead to thorough and accurate incident analysis.

Autism Challenges and Accommodations

  1. Social interactions, especially during high-stress incident calls, can be overwhelming. We aim for clear agendas, defined roles in meetings, and allow for non-verbal communication where possible (e.g., chat for questions).
  2. Changes to routine or unexpected 'urgent' tasks can be disruptive. We try to provide as much heads-up as possible and clear communication about shifting priorities.
  3. Sensory input in an office environment (noise, light) can be challenging. We offer noise-cancelling headphones, flexible seating options, and quiet zones for focused work.

Sensory Considerations

Our office environment is typically open-plan, which means there can be background chatter and occasional phone calls. However, we also have dedicated quiet zones and meeting rooms for focused work or calls. We're generally a pretty collaborative bunch, but we also respect individual needs for concentration. Visually, it's a standard office setup with bright lighting; if you need specific adjustments, we're happy to discuss them. Socially, expect regular team meetings and collaboration, but also plenty of independent work.

Flexibility Notes

We offer hybrid working, usually 2-3 days in the office, with flexibility depending on team needs and project phases. We're open to discussing individual working patterns and adjustments to ensure you can do your best work.

Key Responsibilities

Experience Levels Responsibilities

  Level: Senior Security Assistant (L3)

  Responsibilities:
    1. Independently investigate and triage security alerts from our SIEM (Microsoft Sentinel) and EDR (CrowdStrike Falcon) platforms, determining if they're genuine threats or false positives.
    2. Lead the analysis of user-reported phishing emails in the 'phish bucket,' identifying malicious indicators (IOCs) and coordinating with the Security Lead on appropriate response actions.
    3. Own specific sections of our vulnerability management programme, which means you'll configure and schedule scans (Tenable.io), analyse reports, and then chase down asset owners to make sure they patch things up.
    4. Design and implement improvements to existing security runbooks and playbooks, making them clearer, more efficient, and better suited to current threats. You'll actually help write the rules, not just follow them.
    5. Mentor 1-2 junior Security Assistants, providing guidance on incident triage, log analysis techniques, and best practices for using our security tools. You'll be the go-to person for their tricky questions.
    6. Perform regular user access reviews for critical systems (Azure AD, Okta), making sure everyone still has the 'least privilege' they need and nothing more. You'll spot anomalies and recommend changes.
    7. Contribute to post-incident reviews, helping the team understand what went wrong, what went right, and what we can do better next time. This means digging into the 'lessons learned' phase of PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).

  Supervision: You'll have bi-weekly check-ins with the Security Operations Lead, but for day-to-day tasks and routine incident investigations, you're pretty much running your own show. For anything truly novel or high-impact, you'll consult with the Lead before taking action.

  Decision: You've got full technical decision authority within the scope of an incident investigation (e.g., what logs to pull, which tools to use for analysis). You can recommend changes to security policies or tool configurations, but those will need approval from the Security Operations Lead. You can't approve budget spend over £5K without sign-off.

  Success: You'll know you're doing well when critical alerts are investigated thoroughly and quickly, your proposed process improvements are adopted by the team, and junior colleagues consistently come to you for advice. Basically, you're making things better and helping others grow.

Save 10-15 Hours Weekly: Supercharge Your Security Analysis with AI

Let's be real, security operations can be a bit of a grind. Sifting through logs, triaging alerts, drafting reports – it all takes time. But here's the thing: AI isn't going to replace you; it's going to make you much, much better at your job. We're already seeing our team save significant time by leaning on AI tools.

Tool: Phishing Triage Autopilot

Benefit: Imagine 70-80% of those user-reported phishing emails being instantly identified as safe spam or known threats. AI handles the initial grunt work, flagging only the truly novel and suspicious emails for your expert review. This means you spend less time on noise and more on actual threats.

Tool: Alert Correlation Engine

Benefit: Our SIEM, with AI smarts, can now group dozens of seemingly unrelated low-level logs and alerts into a single, high-confidence incident. It even gives you a summary of the suspected attack chain. This cuts through the noise, letting you jump straight to the actual problem without manually connecting the dots.

Tool: Threat Intel Briefing Prep

Benefit: Instead of spending an hour every morning sifting through countless threat intelligence feeds, an AI assistant can scan and summarise the latest reports, vulnerability disclosures, and security news into a concise, personalised daily briefing. You get the critical info in minutes, ready to act.

Tool: Incident Report First Draft

Benefit: After you've closed an incident, an AI tool can pull data from tickets, chat logs, and alert timelines to generate a structured first draft of your incident report. It populates key sections, leaving you to add the critical context, analysis, and 'lessons learned.' It's a huge time saver on documentation.

Weekly time savings potential: Roughly 10-15 hours weekly for Senior Security Assistants.
Typical tool investment: We're investing around £50-£150/month per user on AI tools and access. You'll be up and running and seeing value within 2-3 weeks.
Competency Requirements

Foundation Skills (Transferable)

Beyond the technical wizardry, you need a solid foundation of 'human' skills. These are the bedrock that allows you to translate complex security issues into understandable language, work effectively with others, and stay sharp when things get tough. Frankly, these are often harder to teach than the tech skills.

Functional Skills (Role-Specific Technical)

This is where the rubber meets the road. You'll need a solid grasp of core security concepts and the tools we use every day. We're looking for someone who can move beyond basic operation and start to really dig into the 'how' and 'why' of our security posture.

Essential Prerequisites

Career Pathway Context

Think of these as the building blocks you should already have in place. You've been doing the basics for a while, and now you're ready to step up and take on more complex challenges. You're not just following instructions; you're starting to understand the 'why' and contributing to the 'how'.

Future Skills Closing Note

The goal here isn't to become a coding guru overnight, but to understand how these technologies can make our security operations more effective and efficient. Your value will increasingly come from your ability to design, implement, and orchestrate these advanced capabilities, not just operate them.

Experience Requirements

You'll need roughly 5-8 years of hands-on experience in a dedicated security operations or incident response role. This isn't your first rodeo; you've been in the trenches, investigated real incidents, and you're comfortable with the pace and pressure. We're looking for demonstrable experience in analysing alerts, managing vulnerabilities, and contributing to incident response efforts, not just observing them.

Career Progression Pathways

Sector Mobility

The skills you'll gain in this role are highly transferable across almost any industry. Every company needs strong security operations, so you'll find opportunities in finance, tech, healthcare, government – pretty much anywhere. Your specialisation will dictate the exact fit, but the core competencies are universal.

How Zavmo Delivers This Role's Development

DISCOVER Phase: Skills Gap Analysis

Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (CRM expertise, negotiation), and readiness for career progression.

Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.

DISCUSS Phase: Personalised Learning Pathway

Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).

Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.

DELIVER Phase: Conversational Learning

Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practice difficult QBR presentations, negotiate tough renewals, and handle churn conversations in a safe AI environment before facing real clients.

Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex enterprise account, identifying key decision-makers, and building an engagement strategy."

DEMONSTRATE Phase: Competency Assessment

Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.

Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.
