Fineco Bank · Turbigo, Lombardia, Italia · 50€ - 70€


Job description

Fineco Bank is a leading European bank with 20 years of history and a fully digital, branchless approach. We offer a wide range of products including trading, investment and payment services, a proprietary trading/investment platform, and banking solutions for domestic and international demand.

Position

We are looking for a Cybersecurity Incident Response Lead to join the ICT & Cybersecurity department. This role heads the end‑to‑end IR program, leads incident response coordination, and provides clear status to management. The lead works closely with SOC, technical teams, and governance functions, orchestrating contributions from teams not directly reporting to Cybersecurity.

The role is not SOC shift management nor purely forensic or compliance. The focus is coordinating incident response, maturing the IR program, orchestrating involved technical teams, and turning cyber events into operational decisions, manager communication, and audit‑ready evidence.

Main Activities

  • Guide the operational coordination of security incident response: triage, containment prioritisation, reconstruction of the initial vector, kill chain, propagation and blast radius, and coordination of eradication and recovery with the owning teams.
  • Maintain an operational timeline and structured decision log during incidents, tracking hypotheses, containment decisions, owners, available evidence, and residual risks.
  • Build, maintain, and test the IR program: playbook, runbook, escalation procedures, roles and responsibilities, incident classification criteria, and continuous improvement mechanisms.
  • Contribute to the evolution of detection and response capabilities, defining requirements with the SOC based on real incidents, tabletop exercises, threat intelligence, and improving SIEM/SOAR/EDR/XDR workflows.
  • Integrate threat intelligence into the IR cycle: translate indicators of compromise, TTPs and threat scenarios into concrete detection, hunting, containment, and hardening actions.
  • Conduct structured post‑incident reviews: root‑cause analysis, impact measurement, lessons learned, remediation roadmap, and follow‑up with technical teams and management.
  • Plan and lead periodic exercises: tabletop, crisis simulations, collaborative sessions with SOC, red team, blue team to test program maturity, quality of escalations, and operational readiness.
  • Support governance functions with incident classification for regulatory purposes, evidence collection, timeline reconstruction, and presentation of technical elements for escalation or formal notifications.
  • Produce technical reports and executive summaries during and after incidents, ensuring clear, timely, and consistent communication to management, governance, and operational teams.

Requirements

  • At least 7 years of experience in incident response, security operations, or cyber crisis management with demonstrable operational coordination in complex enterprise environments.
  • Proficiency with key IR frameworks: ISO/IEC 27035, SANS IR Process, NIST SP 800‑61 or equivalents; use MITRE ATT&CK for TTP analysis, gap detection, and control improvement.
  • Hands‑on experience with SIEM, enterprise EDR/XDR, forensic analysis tools, and incident handling workflows.
  • Strong knowledge of networks, protocols, system/application logs, and traffic analysis techniques to reconstruct attack vectors, lateral movement, privilege escalation, and persistence.
  • Scripting and automation skills, preferably Python, to support triage, enrichment, evidence collection, repetitive task automation, and workflow customization.
  • Understanding of attack surfaces in hybrid on‑prem/cloud environments, native AWS/Azure logs, cloud identity, container workloads, propagation scenarios, and containment techniques.
  • Ability to make containment decisions with incomplete information, under time pressure, and with potential impact on service, business, and operational continuity.
  • Capability to communicate the same incident across audiences: technical between SOC and infrastructure/app teams; concise, risk‑based, decision‑oriented to management and governance.
  • Ability to orchestrate teams not hierarchically reporting to Cybersecurity, leveraging process, technical authority, clarity of priorities, and communication quality.
  • Excellent command of English.

Nice to have

  • Certifications: GCIH, GCFE, GCIA (GIAC) or similar.
  • Deep knowledge of enterprise Windows/Linux and Active Directory (useful for lateral movement and privilege escalation investigations).
  • Experience in banking or regulated financial services.
  • Exposure to threat intelligence platforms (MISP, OpenCTI) and proactive threat hunting techniques.
  • Experience managing major incidents, cyber crisis exercises, or war room operations in regulated contexts.
  • Familiarity with classification, escalation, and regulatory reporting processes for ICT/cyber incidents in finance.

Other Information

  • High visibility role on mission‑critical infrastructure: proprietary platform, core banking, and brokerage used by 1.8 million customers in real time.
  • Hybrid technical environment of real complexity on‑prem/cloud where incidents have direct business impact.
  • Exposure to structured regulatory processes (DORA).
  • Direct responsibility for a substantial perimeter within ICT & Cyber, with strategic weight for the bank.
  • High‑profile technical team, problem‑solving culture.

Work location

Milano (alternating on‑site presence and smart working).

The Fineco Group is proud to be an Equal Opportunity Employer and is committed to creating a safe and inclusive workplace based on mutual respect and diversity, offering equal job opportunities. Fineco “The Place To Be”.
