Fineco Bank is a leading European bank with 20 years of history and a fully digital, branchless approach. We offer a wide range of products including trading, investment and payment services, a proprietary trading/investment platform, and banking solutions for domestic and international demand.

Position

We are looking for a Cybersecurity Incident Response Lead to join the ICT Cybersecurity department. This role heads the end-to-end IR program, leads incident response coordination, and provides clear status to management. The lead works closely with the SOC, technical teams, and governance functions, orchestrating contributions from teams that do not report directly to Cybersecurity.

The role is not SOC shift management, nor is it purely forensic or compliance work. The focus is coordinating incident response, maturing the IR program, orchestrating the technical teams involved, and turning cyber events into operational decisions, management communication, and audit-ready evidence.

Main Activities

- Lead the operational coordination of security incident response: triage, containment prioritisation, reconstruction of the initial vector, kill chain, propagation and blast radius, and coordination of eradication and recovery with the owner teams.
- Maintain an operational timeline and a structured decision log during incidents, tracking hypotheses, containment decisions, owners, available evidence, and residual risks.
- Build, maintain, and test the IR program: playbooks, runbooks, escalation procedures, roles and responsibilities, incident classification criteria, and continuous improvement mechanisms.
- Contribute to the evolution of detection and response capabilities, defining requirements with the SOC based on real incidents, tabletop exercises, and threat intelligence, and improving SIEM/SOAR/EDR/XDR workflows.
- Integrate threat intelligence into the IR cycle: translate indicators of compromise, TTPs, and threat scenarios into concrete detection, hunting, containment, and hardening actions.
- Conduct structured post-incident reviews: root-cause analysis, impact measurement, lessons learned, remediation roadmap, and follow-up with technical teams and management.
- Plan and lead periodic exercises: tabletops, crisis simulations, and collaborative sessions with the SOC, red team, and blue team to test program maturity, quality of escalations, and operational readiness.
- Support governance functions with incident classification for regulatory purposes, evidence collection, timeline reconstruction, and presentation of technical elements for escalation or formal notifications.
- Produce technical reports and executive summaries during and after incidents, ensuring clear, timely, and consistent communication to management, governance, and operational teams.

Requirements

- At least 7 years of experience in incident response, security operations, or cyber crisis management, with demonstrable operational coordination in complex enterprise environments.
- Proficiency with the key IR frameworks: ISO/IEC 27035, the SANS IR process, NIST SP 800-61 or equivalents; use of MITRE ATT&CK for TTP analysis, detection gap analysis, and control improvement.
- Hands-on experience with SIEM, enterprise EDR/XDR, forensic analysis tools, and incident handling workflows.
- Strong knowledge of networks, protocols, system/application logs, and traffic analysis techniques to reconstruct attack vectors, lateral movement, privilege escalation, and persistence.
- Scripting and automation skills, preferably Python, to support triage, enrichment, evidence collection, automation of repetitive tasks, and workflow customisation.
- Understanding of attack surfaces in hybrid on-prem/cloud environments, native AWS/Azure logs, cloud identity, container workloads, propagation scenarios, and containment techniques.
- Ability to make containment decisions with incomplete information, under time pressure, and with potential impact on service, business, and operational continuity.
- Ability to communicate the same incident to different audiences: technically between the SOC and infrastructure/application teams; concisely, risk-based and decision-oriented to management and governance.
- Ability to orchestrate teams that do not report hierarchically to Cybersecurity, leveraging process, technical authority, clarity of priorities, and quality of communication.
- Excellent command of English.

Nice to Have

- Certifications: GCIH, GCFE, GCIA (GIAC) or similar.
- Deep knowledge of enterprise Windows/Linux and Active Directory (useful for lateral movement and privilege escalation investigations).
- Experience in banking or regulated financial services.
- Exposure to threat intelligence platforms (MISP, OpenCTI) and proactive threat hunting techniques.
- Experience managing major incidents, cyber crisis exercises, or war room operations in regulated contexts.
- Familiarity with classification, escalation, and regulatory reporting processes for ICT/cyber incidents in finance.

Other Information

- High-visibility role on mission-critical infrastructure: the proprietary platform, core banking, and brokerage used by 1.8 million customers in real time.
- Hybrid on-prem/cloud technical environment of real complexity, where incidents have direct business impact.
- Exposure to structured regulatory processes (DORA).
- Direct responsibility for a substantial perimeter within ICT Cyber, with strategic weight for the bank.
- High-profile technical team and problem-solving culture.

Work Location

Milan (alternating on-site presence and remote working).

The Fineco Group is proud to be an Equal Opportunity Employer and is committed to creating a safe and inclusive workplace based on mutual respect and diversity, offering equal job opportunities. Fineco “The Place To Be”.