Senior Cyber Security Engineer, Birmingham
Birmingham, United Kingdom
Posted: yesterday
Description
About the job
Job summary
The Department for Business and Trade (DBT) has a clear mission - to grow the economy. Our role is to help businesses invest, grow and export to create jobs and opportunities right across the country. We do this in three ways.
Firstly, we help to build a strong, competitive business environment, where consumers are protected and companies rewarded for treating their employees properly.
Secondly, we open international markets and ensure resilient supply chains. This can be through Free Trade Agreements, trade facilitation and multilateral agreements.
Finally, we work in partnership with businesses every day, providing advice, finance and deal-making support to those looking to start up, invest, export and grow.
The Digital, Data and Technology (DDaT) directorate develops and operates tools and services to support us in this mission. The team have been nominated four times in a row for 'Best Public Sector Employer' at the Women in Tech awards and won the award in 2025!
Job description
This role sits within DBT's SOC (Security Operations Centre), reporting to the Lead Cyber Security Engineer. The SOC is responsible for identification and mitigation of threats, both internal and external, to the security of the department. This role supports these actions by creating new capabilities, supporting existing capabilities and providing expertise to colleagues when required. You will also be focussing on implementing data pipelines to deliver logging into the SIEM solution and building automated enrichment capabilities. This role will involve the development of security tools and providing cyber security advice to the development community in DBT to ensure best practice is being followed.
As a Senior Cyber Security Engineer, you will take a leading role in shaping and evolving our Microsoft Sentinel capability, moving beyond traditional SIEM usage into a scalable, engineering-led security data platform. You will be responsible for designing and onboarding complex log sources across a multi-platform environment, including AWS (CloudTrail / CloudWatch), Datadog, Logstash and 3rd party integrations.
A key part of the role is working closely with internal engineering teams and external partners to ensure high-quality, structured logging is produced at source. You will help define and implement logging standards, including structured JSON logging and best practices for application frameworks such as Django, ensuring data is meaningful, consistent and aligned to detection and monitoring use cases.
You will also drive the standardisation and normalisation of logs using frameworks such as ASIM, enabling scalable, reusable detection logic and improving overall visibility across the estate. This role goes beyond onboarding logs as you will be expected to challenge existing approaches, improve data quality, and ensure that security monitoring is both effective and efficient.
A major focus of this position is to support the team in the evolution of our data architecture within Sentinel. You will provide input into the design for a data lake strategy incorporating hot, cold and archive storage tiers, enabling long-term retention, historical analysis, and log replay capabilities while actively optimising ingestion and storage costs.
Over the coming 12-18 months, DBT's SOC will be looking to make big strides in its maturity journey through the transition to a SecDevOps way of working in Azure and MS Sentinel and through the implementation of an enterprise log management solution, all of which the Senior Engineer will be involved with.
Main responsibilities
You will be:
- Supporting the Lead Cyber Security Engineer in the implementation of the monitoring and improvement roadmap
- Working with SOC Engineering and IDR leads to agree priorities and technical steps to deliver those improvements
- Testing and implementing changes within multiple cloud environments
- Producing documentation to accurately represent the system that has been implemented and its current state for other engineers to use and rely on
- Updating and maintaining existing tools and infrastructure
- Proactively reviewing and identifying opportunities and technical mechanisms to enrich security logs ingested into the SIEM to improve SOC efficiencies
- Maintaining the pipelines and infrastructure that facilitate the ingestion and processing of logs
- Assisting with active investigations and providing expert knowledge to assist analysts
- Creating playbooks and documentation for the maintenance of playbooks
Person specification
It is essential that you have:
- Demonstrable experience configuring security-related tools and implementing security policies
- Proven ability to onboard, integrate and work with logs from cloud platforms (AWS CloudTrail, AWS CloudWatch, Azure Event Hubs) and tools such as Datadog, Logstash or similar, ensuring data is usable for monitoring and detection
- Demonstrable experience building queries, detections, and working with log data within Sentinel, including proficient use of KQL
- Hands-on experience of working with developers or 3rd parties to implement structured logging (JSON) and improve log quality within applications (Django or similar frameworks)
- Demonstrable experience of using command line and scripting languages (e.g. Python, PowerShell) to manage resources
It is desirable that you have:
- Hands-on experience of normalising log data (ASIM) to enable consistent, scalable, and reusable detection use cases across multiple data sources
- Experience of data lake design, tiered storage (hot/cold/archive), or strategies for log retention, replay and cost optimisation with a SIEM or cloud environment
Behaviours
We'll assess you against these behaviours during the selection process:
- Seeing the Big Picture
- Making Effective Decisions
- Communicating and Influencing
Technical skills
We'll assess you against these technical skills during the selection process:
- Cyber Security Operations
- Threat Understanding
- Vulnerability Management
- Secure System Configuration
- Use of Security Tools and Technologies
- Information risk assessment and risk management
Benefits
- Learning and development tailored to your role
- An environment with flexible working options
- A culture encouraging inclusion and diversity
- A Civil Service pension with an employer contribution of 28.97%
Things you need to know
Artificial intelligence
Artificial intelligence can be a useful tool to support your application; however, all examples and statements provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, as your own) applications may be withdrawn and internal candidates may be subject to disciplinary action. Please see our candidate guidance for more information on appropriate and inappropriate use.
Selection process details
This vacancy is using Success Profiles, and will assess your Behaviours, Experience and Technical skills.
How to apply
As part of the application process you will be asked to upload a two-page CV and complete a 750-word personal statement outlining how you meet the essential skills and experience listed above. You can use bullet points and subheadings if you prefer.
Sift will be from week commencing 22nd June
Interviews will be from week commencing 29th June
Please note these dates are indicative and may be subject to change.
If there is a high volume of applications, we will sift looking at your CV only. You may then be progressed to full sift or straight to interview.
How we interview
At the interview stage for this role, you will be asked to demonstrate relevant Technical Skills and Behaviours from the Success Profiles framework, which are listed above. These are role specific and in line with the Government Security Profession Career Framework.
How we offer
Offers will be made in merit order based on location preferences. If you pass the bar at interview but are not the highest scoring you will be held on a 12-month reserve list in case a role becomes available. If you are judged a near miss at interview, you may be offered a post at the grade below the one you applied for.
This role requires SC clearance. DBT's requirement for SC clearance is to have been present in the UK for at least 3 of the last 5 years. Failure to meet this requirement will result in your application being rejected and your offer will be withdrawn.
Checks will also be made against:
- departmental or company records (personnel files, staff reports, sick leave reports and security records)
- UK criminal records covering both spent and unspent criminal records
- your credit and financial history with a credit reference agency
- security services record
- location details
More about us
This role can only be worked from within the UK, not overseas. If you are based in London, you will receive London weighting. DBT employees work in a …
Senior Cyber Security Engineer has been posted in the Birmingham Information Technology category on Locanto.