Technical Lead/ Manager

Security Incident Response Manager

Salesforce - the leader in enterprise cloud computing and one of the top 10 places to work according to Fortune magazine - is seeking a CSIRT Regional Site Lead with a passion for Information Security and a strong understanding of security monitoring and incident response.

Salesforce has one of the best Information Security teams in the world and growing this piece of the business is a top priority! Our Information Security teams work hand in hand with the business to ensure the highest security around all of our applications. The Computer Security Incident Response Team (CSIRT) is responsible for 24x7x365 security monitoring and rapid incident response across all Salesforce environments. We are the ‘tip of the spear’ and the last line of defense protecting company and customer data from our adversaries. 

As a key member of our growing CSIRT, the CSIRT IR Lead is on the ‘front lines’ of the Salesforce production environment, leading a group of incident responders that protect our critical infrastructure and our customers’ data from the latest information security threats. 

The CSIRT IR Lead is responsible for managing all incident responders in the local CSIRT region and co-leading CSIRT operations during local coverage hours, including:

  • Recruiting and managing a team of high-performing security incident handlers, including performance management, career development, and mentoring.
  • Ensuring that all operational issues that occur during local hours are assigned and handled by an in-region incident handler within established SLAs and with a high degree of quality.
  • Leading significant CSIRT projects, focused on enhancements to detection and incident response capabilities and other improvements to core CSIRT workflow/process/documentation. 
  • Working effectively as part of a geographically distributed team.
  • Acting as an individual contributor on high-profile and sensitive investigations.

Required Skills:

  • 5+ years of prior specialized security operations experience consisting of either:
      ◦ Operational experience monitoring devices such as network and host-based intrusion detection systems, web application firewalls, database security monitoring systems, firewalls/routers/switches, proxy servers, antivirus systems, file integrity monitoring tools, and operating system logs.
      ◦ Operational experience responding to security incidents in a production environment, such as investigating and remediating possible endpoint malware infections and mitigating e-mail-borne threats such as spam and phishing.
  • 3+ years of management/leadership experience.
  • Strong technical understanding of the information security threat landscape (attack vectors and tools, best practices for securing systems and networks, etc.).
  • The ability to build strong relationships with peers both internal and external to your functional group, and with peers/professional organizations outside your company.
  • The ability to recruit, train and retain highly qualified individual contributors.
  • Strong verbal and written communication skills; ability to communicate effectively and clearly to both technical and non-technical audiences.
  • Familiarity with core concepts of security incident response, e.g., the typical phases of response, vulnerabilities vs threats vs actors, Indicators of Compromise (IoCs), etc.
  • Strong technical understanding of network fundamentals and common Internet protocols, specifically DNS, HTTP, HTTPS / TLS, and SMTP.
  • Strong technical understanding of Mac OS X, Microsoft Windows, and Linux/Unix system administration and security controls.
  • Strong technical understanding of incident response and security operations within public cloud environments (e.g. AWS, Azure, or GCP).

Desired Skills:

  • System forensics/investigation skills, including analyzing system artifacts (file system, memory, running processes, network connections) for indicators of infection/compromise.
  • Prior experience in a 24x7x365 operations environment.
  • Experience coordinating incident response, troubleshooting, or other complex issues across a global organization.
  • Ability to write custom intrusion detection system rules.
  • Scripting skills (e.g. Python/Perl, shell scripting).
  • Relevant information security certifications, such as CISSP, SANS GCIA, SANS GCIH, SANS GPEN, SANS GFCA, Offensive Security OSCP.