The Cybersecurity Security Operations Center (CSOC) Incident Response (IR) Lead is a cybersecurity professional responsible for overseeing and coordinating the response to all security incidents within the organization. The IR Lead acts as the primary decision-maker during a breach: leading the incident response team, assessing the situation, implementing response plans, and communicating updates to stakeholders throughout the incident lifecycle, with the primary goal of minimizing risk and restoring operations quickly and safely. This role requires a strategic thinker with strong leadership and technical skills, capable of making quick and informed decisions in high-pressure situations, and able to support the IR lifecycle using our Security Information and Event Management (SIEM) and Security Orchestration and Automated Response (SOAR) technologies.
This role reports directly to the CSOC manager.
Serve as the primary point of contact and decision-maker during cybersecurity incidents.
Assist in utilization of the full CSOC toolset in support of IR (i.e. SIEM/SOAR, sandbox, email security, Endpoint Detection and Response, etc.).
Lead and coordinate incident response efforts within the Triage & Response team, including mobilizing resources, assessing the situation, and implementing response plans.
Collaborate with internal and external stakeholders to gather information, assess impact, and prioritize response actions.
Provide clear and timely communication to stakeholders, including executive leadership, throughout the incident lifecycle.
Implement and refine the analysis and forensics process.
Implement and refine incident response procedures, protocols, and playbooks to enhance effectiveness and efficiency.
Conduct monthly post-incident reviews to help identify lessons learned and areas for improvement, and enforce consistent action item remediation with analysts, engineers, and relevant stakeholders.
Stay abreast of emerging cyber threats, vulnerabilities, and best practices in incident response through collaboration with the Vulnerability Management and Cyber Threat Intelligence teams.
Hold monthly workshops with stakeholders from Information Technology and Operational Technology to discuss ongoing and future initiatives related to Incident Response.
Collaborate with security engineers to enhance detection and playbook automation.
Lead tabletop exercises with CSOC team members and internal stakeholders to facilitate training, identify gaps, and support continuous improvement.
Assist with managing the IR database to ensure adherence to audit and compliance requirements.
Support CSOC manager with vendor management of the IR retainer(s).
Oversee formal and informal IR training. Identify training opportunities that make use of unused IR retainer credits.
Formal Education & Certification
Bachelor's degree in Computer Science, Information Technology, or a related field (or equivalent experience).
Relevant certifications such as the GIAC Incident Handler (GCIH) are preferred.
Knowledge & Experience
8 years of IT/cybersecurity experience. Proven experience leading and coordinating IR efforts in a fast-paced environment.
Strong technical knowledge of network security, malware analysis, intrusion detection, and related technologies.
Excellent communication and interpersonal skills, with the ability to interact effectively with stakeholders at all levels and to explain technical information to non-technical stakeholders.
Ability to remain calm and focused under pressure, with a commitment to delivering results.
Understanding of various operating systems (z/OS, Windows, UNIX, Linux, AIX, etc.).
Preferred Experience
Previous experience with IR and incident handling.
Deep understanding of cybersecurity concepts, including incident response methodologies and threat intelligence.
Familiarity with relevant cybersecurity frameworks and regulations (e.g. NIST, GDPR).
SIEM/SOAR solutions such as Splunk and Sumo Logic.
CSOC or working with a Managed Security Service Provider.
Threat Intelligence Platform (TIP) experience and an understanding of the importance of integrating it into the SIEM in support of IR and Indicators of Compromise.
Exposure to Incident Response in the Operational Technology domain.
Personal Attributes
Strong analytical, conceptual, and problem-solving abilities.
Strong written and oral communication skills.
Strong presentation and interpersonal skills.
Ability to conduct research into database issues, standards, and products.
Ability to present ideas in user-friendly language.
Able to prioritize and execute tasks in a high-pressure environment.
Ability to work in a team-oriented collaborative environment.
Strong commitment to inclusion and diversity.
Curiosity and willingness to learn about systems, tools, and networking.
Ability to step in and lead others in the absence of direction.
At Sherwin-Williams, our purpose is to inspire and improve the world by coloring and protecting what matters. Our paints, coatings and innovative solutions make the places and spaces in our world brighter and stronger. Your skills, talent and passion make it possible to live this purp ...