Head of Cyber Security

Head of Cyber Security

Location: Open — Belgrade - Hybrid

Department: Product & Technology — Cyber Security

Reports to: Chief Product and Technology Officer

Role purpose:

The Head of Cyber Security carries overall responsibility for security at BoyleSports. They define the security strategy, set policy, risk appetite and required control outcomes, and own the organisation’s ability to detect, respond to and recover from cyber attack. They are a hands-on practitioner-leader: not a governance figure who delegates the technical work, but a senior defender who runs the SOC, commands major incidents personally, and works shoulder-to-shoulder with the team they hire.

They are the design authority for what good security looks like across BoyleSports. Architecture, engineering and operations teams in the CCoE build to the standards this role sets, under a dotted-line technical governance relationship.

What this role is — and is not

This role is:

• A working Head of Cyber Defence. They run the SOC function, lead detection engineering decisions, command P1 incidents and direct the Palo Alto MSSP. Their week includes time in the SIEM, on the bridge and in the threat-hunt queue, not only in meeting rooms.

• The authority on the "what" of security — policy, risk, control outcomes, threat response — across cloud, retail, corporate and product surfaces.

• A peer-level partner to the leaders of Architecture, Engineering and Infrastructure in the CCoE. They set the standards; the CCoE delivers against them.

• The named senior security contact for regulators, auditors and the Board.

This role is not:

• A platform engineering role. Building and operating cloud security tooling, IaC scanning, workload protection and platform hardening sit with the CCoE Security Engineering and Security Operations squads.

• A pure governance role. Candidates whose recent experience is exclusively framework, audit and policy work will not be a fit. The role demands current, hands-on technical depth in defensive operations.

Key responsibilities

Strategy, policy and governance:

• Set and maintain the BoyleSports cyber security strategy, risk appetite, security policy and required control outcomes.

• Hold dotted-line technical authority over Security Architecture and Security Engineering within the CCoE — approving patterns, mandating controls, and accepting or rejecting design choices on security grounds.

• Own the security control framework and the relationship with regulators on cyber matters across the Republic of Ireland, Northern Ireland and Great Britain, including obligations under the Gambling Regulation Act 2024, UK Gambling Commission requirements, NIS2 transposition (once in force in Ireland) and equivalent UK cyber-resilience legislation.

• Report cyber posture, material risks and incident outcomes to the CPTO, Executive Committee and Board.

Threat detection and response — hands-on:

• Run the in-house SOC / Cyber Defence team. Own the detection backlog, the hunt programme, and the quality of work coming out of the Palo Alto managed SOC.

• Act as Incident Commander on the bridge during P1 events. Run the room. Make the calls on containment, escalation, regulator notification and customer communication.

• Own detection engineering direction: what BoyleSports detects, how, with what fidelity, and how detections are tested. Review and contribute to detection-as-code where appropriate.

• Drive a purple-team and continuous-validation programme. Use offensive results to harden defences, not to generate reports.

• Lead post-incident reviews. Ensure lessons reach Architecture and Engineering through the operating model’s feedback loop.

MSSP and partner management:

• Own the commercial and operational relationship with the Palo Alto managed SOC. Set the use cases, the playbooks, the SLAs, and the quality bar. Hold them to it.

• Lead the relationship with offensive security vendors, threat intelligence providers and specialist incident response retainers.

Programme oversight:

• Oversee vulnerability management, attack surface management, and the security elements of identity, retail estate and product surfaces — including the customer account-opening flow live under s.169 of the Gambling Regulation Act.

• Set the security requirements that flow into the AWS / EKS migration programme, the microservices build, the retail technology refresh and third-party integrations (Playtech, Stats Perform, SEON, Optimove and others).

• Drive a security-aware culture through targeted training, phishing simulation, and direct engagement with engineering teams — not generic e-learning campaigns.

Experience and qualifications

Required:

• Significant career time as a hands-on defender — SOC lead, detection engineering lead, incident response lead, or equivalent. Recent (within the last two years) personal experience commanding live incidents.

• Demonstrable depth in modern detection and response tooling. Practical, current expertise with SIEM/XDR platforms — Palo Alto Cortex XDR and XSIAM ideal — and with SOAR, EDR tuning, log pipeline design and detection-as-code workflows.

• Strong working knowledge of AWS security — IAM, GuardDuty, Security Hub, CloudTrail, EKS-specific threats and detections. Comfortable in the console and at the CLI.

• Practical understanding of attacker tradecraft mapped to MITRE ATT&CK, including cloud, identity and web-application techniques. Able to lead a hunt, not just commission one.

• Direct experience managing an outsourced SOC, including holding the provider accountable for detection quality and analyst performance.

• Track record of building and leading small, high-quality defensive teams in a regulated environment.

• Excellent communication. Able to brief a Board on Monday morning and walk a junior analyst through a SIEM query on Monday afternoon, with equal credibility.

Strongly preferred:

• Regulated-industry experience — online gambling, financial services, payments or similar — with first-hand exposure to GDPR, NIS2, and gambling-specific cyber obligations.

• Experience operating across a hybrid estate: cloud-native build alongside a legacy core (Oracle, on-premises datacentre) and a distributed retail estate.

• Familiarity with the Microsoft endpoint and identity stack (Intune, Entra ID, Defender) alongside the Palo Alto network and endpoint stack.

Certifications and education

• Practitioner certifications are valued over governance ones. GCIA, GCIH, GCFA, GNFA, OSCP, CRTO, OSEP or equivalent hands-on credentials. CISSP or CISM acceptable as a complement, not a substitute. A current vendor certification in the Palo Alto detection stack is a plus.

• A relevant degree is welcome but not required. Demonstrated practitioner ability outweighs formal qualifications.