Citi's Cloud Incident Response (Cloud IR) team seeks a Senior Vice President of Microsoft 365 (M365) and Azure Incident Response to lead and oversee the organization's incident response operations across the M365 and Azure environments. You will work closely with stakeholders to ensure effective security incident response, with the aim of safeguarding the integrity of Citi's Microsoft 365 services. Your role is critical in ensuring a proactive and coordinated response to cloud security incidents and in managing security risks within the M365 suite. You will align incident response priorities with business goals, lead the evolution of cloud security practices, and guide the organization through critical security challenges within the M365 ecosystem.
Responsibilities:
Own and lead Citi's response to security incidents in our M365 and Azure platforms
Build and sustain a high-performing security operations team skilled in managing M365 incidents
Collaborate with relevant engineering teams to gain an in-depth and accurate understanding of Citi's M365 landscape
Proactively identify gaps in M365/Azure Incident Response capabilities (processes, procedures and playbooks), take ownership of closing them, and continually deliver and mature these capabilities
Ensure readiness for a range of incident response scenarios, drawing on historical incident data while also proactively identifying new threat vectors to prepare for
Identify and pursue areas where AI & Automation can help mature current Incident Response workflows in M365
Nurture the partner relationship with Microsoft to influence product capabilities and direction
Oversee the day-to-day duties of any technical contractors and provide regular feedback and direction
Liaise with senior leadership and represent the team in leadership briefings, showcasing the team's work
Qualifications:
Strong technical expertise in M365 security tools and technologies (e.g. Microsoft Defender XDR, Microsoft Entra ID)
Relevant leadership skills with the ability to inspire, mentor and manage high-performing incident response practitioners
Exceptional communication and presentation skills to simplify and convey complex technical matters to senior security stakeholders and leadership
Strong understanding of security incident response processes, excellent technical documentation skills and proven analytical skills
8+ years of relevant experience in most of the following areas:
Knowledge of the tools and processes to provide operational security support to the Microsoft 365 (M365) ecosystem
Advanced proficiency with Microsoft 365 services and their security configurations
Hands-on M365 experience, including configuration, security best practices, and analysing and pivoting through large data sets during investigations
Experience with Identity and Access Management and M365 services - OneDrive, Teams, SharePoint, Exchange Online, etc.
Proficient with Azure/M365 tenant capabilities and roles that support incident response/forensic analysis
Experience with log aggregation and data analytics tools such as Splunk and Microsoft Sentinel
Industry-accredited certifications will be required. Candidates with M365 security certifications (e.g. Microsoft 365 Certified: Security Operations Analyst Associate, Microsoft 365 Certified: Security Administrator Associate) and other cloud security certifications (e.g. AWS, GCP, Azure) will be preferred. Candidates without certifications must be willing to pursue them during employment.
Good to have: relevant security operations experience on AWS, GCP, Kubernetes and Red Hat OpenShift platforms
This job description provides a high-level review of the types of work performed. Other job-related duties may be assigned as required.