We are looking for a Security Operations Leader (SOC) to join our team at our offices in Terrassa (Barcelona). The role aims to oversee the design, operation, and continuous improvement of security monitoring, detection, triage, and incident response (IR) across either an internal SOC or a Managed Security Service Provider (MSSP) / MDR model—or a hybrid of both. The SOC Leader ensures threats are detected early, investigations are timely and effective, and incidents are contained and remediated with minimal business impact. The role aligns SOC operations with enterprise risk, regulatory requirements, and the security strategy defined by the CISO.
Key Responsibilities
Strategy & Governance
Develop and own the SOC operating model (internal, external, or hybrid), aligned to the enterprise cyber risk appetite and CISO strategy.
Define and maintain SOC policies, playbooks, runbooks, and standard operating procedures (SOPs).
Establish detection and response strategy across the kill chain/attack lifecycle, mapping to frameworks (e.g., MITRE ATT&CK, NIST CSF, ISO 27001).
Maintain a risk-based, threat-informed defense program, including threat modeling and purple teaming cycles.
Operations & Incident Response
Lead end-to-end incident response: detection triage investigation containment eradication recovery lessons learned.
Oversee alert quality, triage workflows, case management, and shift handoffs for 24x7 coverage.
Ensure high-fidelity detections and reduce noise via SIEM/SOAR tuning, use case management, and threat intel enrichment.
Chair post-incident reviews and drive corrective actions with owners across IT/Cloud/AppSec/Identity/OT.
Coordinate executive communications during major incidents and provide timely updates to the CISO and relevant stakeholders.
Internal SOC Management (if in-sourced)
Build and lead a high-performing SOC team (Tier 1–3 Analysts, IR handlers, Threat Hunters, SIEM/SOAR Engineers).
Own workforce planning, scheduling, training, mentoring, and career development.
Drive engineering backlog and continuous improvement (detection engineering, automation, log onboarding).
Ensure secure, reliable, and cost-effective SOC tooling and data pipelines (e.g., SIEM, EDR/XDR, NDR, IAM signals, Cloud telemetry).
External SOC / MSSP Management (if out-sourced)
Own vendor selection, onboarding, contract/SLA/OLA definitions, and quarterly business reviews (QBRs).
Manage day-to-day provider performance, service quality, escalation paths, and continuous service improvement plans (CSIPs).
Validate provider’s detections, playbooks, threat intel sources, and incident handling quality.
Ensure data residency, privacy, and audit requirements are met; coordinate evidence collection and chain-of-custody.
Collaboration & Stakeholder Management
Partner with IT Operations, Cloud, DevOps, Network, Endpoint, Identity, and OT/IIoT teams for rapid response and remediation.
Collaborate with Threat Intelligence, Red/Purple Teams, and Vulnerability Management to align detections with evolving threats and attack paths.
Enable business units with playbooks, tabletop exercises, and awareness on escalation criteria and incident roles.
Risk, Compliance & Audit
Ensure SOC controls support compliance requirements (e.g., ISO 27001, NIST 800-53, GDPR, NIS2 as applicable).
Maintain audit-ready evidence for monitoring, alerting, IR processes, and SLAs/OLAs.
Lead SOC self-assessments, maturity roadmaps (e.g., based on MITRE SOC Evaluations/NIST CSF maturity), and external audits.
Metrics, Reporting & Communication
Define and report SOC KPIs/KRIs to the CISO and governance forums; drive data-driven improvements.
Provide executive-ready dashboards and incident summaries, including business impact and time-to-recover.
Produce threat trend analyses and quarterly posture reports with investment recommendations.
Key Responsibilities by Model
Internal SOC (In-sourced)
Recruit, retain, and upskill analysts and engineers; build tiering and career paths.
Own backlog for detections, automations, and enrichment pipelines; manage change and release for SOC content.
Operate shift schedules (24x7, follow-the-sun, or on-call) and ensure resilient coverage.
External SOC (Outsourced/MSSP/MDR)
Define interfaces (RACI/RAAS), escalation matrices, and evidence requirements.
Validate detections with realistic attack simulations and joint exercises.
Monitor and enforce SLAs/OLAs; ensure contractual alignment with risk posture and compliance needs.
Leadership Competencies
Decision-making under pressure: Calm, structured incident leadership.
Strategic thinking: Aligns SOC investments with business risk and measurable outcomes.
People leadership: Develops talent, builds an inclusive high-performance culture.
Influence & communication: Trusted advisor to the CISO and executive stakeholders.
Continuous improvement: Data-driven mindset; automates relentlessly.
Reporting & Escalation
Reports directly to the CISO; serves as primary incident commander for significant security events.
Provides weekly operational summaries, monthly KPI dashboards, and quarterly executive reviews.
Immediate escalation for potential material/business-impacting incidents per policy.
