Job Title: Incident Response Technical Lead

Job Purpose

Cyber security is a top priority for AkzoNobel as for any global organization operating in the cyberspace. Our objective is to protect our information and digital assets (IT and OT) by reducing our cyber risk exposure to pursue our business objectives.

As part of the new cyber security strategy, supported by the ExCo, we have recently redefined our security governance in line with the evolution of the threat landscape and modern best practices. In this regard the new Information Security function, under responsibility of the CISO and part of the IT, is responsible for Information and cyber security for the entire organization covering Cyber Risk Management & Compliance, Security Architecture, Security Operations and Cyber Security Awareness and Training.

We are looking for a seasoned and proactive Incident Response Technical Lead to join our Cybersecurity Operations team. This role will be responsible for overseeing all technical aspects of security incident and alert management across the organization. You will serve as the central operational point of reference for incident detection, investigation, containment, and resolution activities and bring deep technical expertise and strong leadership capabilities to ensure the continuous identification, assessment, and remediation of vulnerabilities. You will work with modern tools and technologies, maintain visibility into the organization's risk exposure, and deliver meaningful metrics to support security decisions.

Key Activities

Provide technical and operational leadership for incident and alert management processes, ensuring day-to-day activities are executed effectively, without operational gaps.

Deliver a real-time operational view and strategic (macro) oversight of the organization’s security posture, enabling data-driven decision-making through well-defined KPIs and KRIs.

Act as the lead investigator for major or complex incidents, collaborating with internal and external stakeholders as needed.

Ensure regular activities such as alert triage, incident response, threat hunting, and reporting are performed consistently and on schedule.

Prepare and present clear, concise, and data-backed reports on incident response metrics, trends, and security event outcomes to management and leadership.

Foster a supportive, collaborative, and high-performing environment, mentoring team members and ensuring clarity of roles, timely guidance, and knowledge sharing.

Lead maturity assessments of the SOC IR capabilities using recognized industry frameworks (e.g., MITRE ATT&CK, CMMI), and define tangible improvement paths.

Serve as a key contributor to the evolution of automation and orchestration in incident management using Microsoft Sentinel and Logic Apps.

Continuously evaluate and improve detection and response workflows across multiple security technologies and domains.

These key responsibilities are peered with key technologies (and linked skills) that are used in the company environment:

• Microsoft Defender Suite (Endpoint, Identity, Office, Cloud Apps)
• Zscaler Technologies, including ZIA and ZPA
• Microsoft Sentinel and Azure Logic Apps (automation and orchestration)
• Nozomi (OT/IoT network visibility and threat detection)

Familiarity with API integrations, automation scripting (PowerShell, KQL), and incident enrichment techniques is highly desirable.

Experience

• 5+ years of hands-on experience in incident response, SOC operations, or threat detection roles within large and complex environments.
• Demonstrated experience leading incident response efforts in real-world scenarios, including root cause analysis, containment, and lessons learned processes.
• Strong understanding of enterprise security architecture, endpoint and network detection tools, and alerting pipelines.
• Solid experience with Microsoft security technologies, especially Microsoft Defender XDR and Sentinel.
• Practical knowledge of SOC automation practices using tools such as Logic Apps, playbooks, or SOAR platforms.
• Excellent communication and reporting skills, capable of presenting technical content to both technical and executive audiences.
• Demonstrated ability to work collaboratively, make sound decisions under pressure, and coordinate across teams during high-impact security events.
• Strong knowledge of incident handling frameworks, playbook development, and SOC maturity models.
• Certifications in incident response, such as GCIH, GCFA, GCIA, or similar.
• General blue team certifications such as SC-200, AZ-500
• Experience in operationalizing threat intelligence and aligning detection strategies to frameworks such as MITRE ATT&CK.
• Prior experience assessing and improving SOC performance against frameworks like NIST, MITRE D3FEND, or CMMI.