Security Operations Leader (SOC)

We are looking for a Security Operations Leader (SOC) to join our team at our offices in Terrassa (Barcelona). The role aims to oversee the design, operation, and continuous improvement of security monitoring, detection, triage, and incident response (IR) across either an internal SOC or a Managed Security Service Provider (MSSP) / MDR model—or a hybrid of both. The SOC Leader ensures threats are detected early, investigations are timely and effective, and incidents are contained and remediated with minimal business impact. The role aligns SOC operations with enterprise risk, regulatory requirements, and the security strategy defined by the CISO.

Key Responsibilities

Strategy & Governance

Develop and own the SOC operating model (internal, external, or hybrid), aligned to the enterprise cyber risk appetite and CISO strategy.

Define and maintain SOC policies, playbooks, runbooks, and standard operating procedures (SOPs).

Establish detection and response strategy across the kill chain/attack lifecycle, mapping to frameworks (e.g., MITRE ATT&CK, NIST CSF, ISO 27001).

Maintain a risk-based, threat-informed defense program, including threat modeling and purple teaming cycles.

Operations & Incident Response

Lead end-to-end incident response: detection triage investigation containment eradication recovery lessons learned.

Oversee alert quality, triage workflows, case management, and shift handoffs for 24x7 coverage.

Ensure high-fidelity detections and reduce noise via SIEM/SOAR tuning, use case management, and threat intel enrichment.

Chair post-incident reviews and drive corrective actions with owners across IT/Cloud/AppSec/Identity/OT.

Coordinate executive communications during major incidents and provide timely updates to the CISO and relevant stakeholders.

Internal SOC Management (if in-sourced)

Build and lead a high-performing SOC team (Tier 1–3 Analysts, IR handlers, Threat Hunters, SIEM/SOAR Engineers).

Own workforce planning, scheduling, training, mentoring, and career development.

Drive engineering backlog and continuous improvement (detection engineering, automation, log onboarding).

Ensure secure, reliable, and cost-effective SOC tooling and data pipelines (e.g., SIEM, EDR/XDR, NDR, IAM signals, Cloud telemetry).

External SOC / MSSP Management (if out-sourced)

Own vendor selection, onboarding, contract/SLA/OLA definitions, and quarterly business reviews (QBRs).

Manage day-to-day provider performance, service quality, escalation paths, and continuous service improvement plans (CSIPs).

Validate provider’s detections, playbooks, threat intel sources, and incident handling quality.

Ensure data residency, privacy, and audit requirements are met; coordinate evidence collection and chain-of-custody.

Collaboration & Stakeholder Management

Partner with IT Operations, Cloud, DevOps, Network, Endpoint, Identity, and OT/IIoT teams for rapid response and remediation.

Collaborate with Threat Intelligence, Red/Purple Teams, and Vulnerability Management to align detections with evolving threats and attack paths.

Enable business units with playbooks, tabletop exercises, and awareness on escalation criteria and incident roles.

Risk, Compliance & Audit

Ensure SOC controls support compliance requirements (e.g., ISO 27001, NIST 800-53, GDPR, NIS2 as applicable).

Maintain audit-ready evidence for monitoring, alerting, IR processes, and SLAs/OLAs.

Lead SOC self-assessments, maturity roadmaps (e.g., based on MITRE SOC Evaluations/NIST CSF maturity), and external audits.

Metrics, Reporting & Communication

Define and report SOC KPIs/KRIs to the CISO and governance forums; drive data-driven improvements.

Provide executive-ready dashboards and incident summaries, including business impact and time-to-recover.

Produce threat trend analyses and quarterly posture reports with investment recommendations.

Key Responsibilities by Model

Internal SOC (In-sourced)

Recruit, retain, and upskill analysts and engineers; build tiering and career paths.

Own backlog for detections, automations, and enrichment pipelines; manage change and release for SOC content.

Operate shift schedules (24x7, follow-the-sun, or on-call) and ensure resilient coverage.

External SOC (Outsourced/MSSP/MDR)

Define interfaces (RACI/RAAS), escalation matrices, and evidence requirements.

Validate detections with realistic attack simulations and joint exercises.

Monitor and enforce SLAs/OLAs; ensure contractual alignment with risk posture and compliance needs.

Leadership Competencies

Decision-making under pressure: Calm, structured incident leadership.

Strategic thinking: Aligns SOC investments with business risk and measurable outcomes.

People leadership: Develops talent, builds an inclusive high-performance culture.

Influence & communication: Trusted advisor to the CISO and executive stakeholders.

Continuous improvement: Data-driven mindset; automates relentlessly.

Reporting & Escalation

Reports directly to the CISO; serves as primary incident commander for significant security events.

Provides weekly operational summaries, monthly KPI dashboards, and quarterly executive reviews.

Immediate escalation for potential material/business-impacting incidents per policy.

Required qualification:

8–12+ years in cybersecurity with 4+ years leading SOC operations or Incident Response teams (internal or MSSP).

Hands-on expertise with SIEM (e.g., Microsoft Sentinel), EDR/XDR (e.g., Defender for Endpoint), SOAR, NDR, and cloud telemetry (Azure/M365, AWS, GCP).

Strong knowledge of modern attacker TTPs (MITRE ATT&CK), detections engineering, use-case lifecycle, and automation with SOAR.

Proven track record managing critical incidents and executive communications.

Experience with vendor management, contract/SLA governance, and service reviews (for external SOC models).

Familiarity with regulatory and audit frameworks (NIST, ISO 27001, etc.).

Excellent leadership, coaching, and cross-functional collaboration skills.

Strong written and verbal communication—capable of translating technical detail into business risk and impact.

Preferred qualification:

Certifications: CISSP, CISM, GIAC (GCIA, GCED, GCIH, GCFA/GCFR, GMON), Microsoft SC-200/SC-100, Azure/AWS security certs.

Experience with threat hunting, offensive security, or purple teaming.

Background in large-scale log onboarding, data normalization, content engineering, and cost-optimized telemetry strategies.

Experience in OT/ICS security (if relevant to the business).

Exposure to data privacy and eDiscovery needs during investigations.

High level of English, both written and spoken.

Be fluent in Spanish and German is a plus.

Additional Information

• Availability to travel (approximately 10–20%) when required (HQ in Germany).

• Valid driving license and own vehicle.

Por Syntegon y sus subsidiarias, la diversidad es una preocupación clave. Exclusivamente promovemos un ambiente donde todos los empleados, independientemente de su género, edad, origen, religión, orientación sexual, identidad de género o necesidades especiales, sean tratados de manera equitativa. Si esta oferta de trabajo utiliza únicamente la forma masculina, es por razones de legibilidad y se refiere a individuos de todos los géneros.