Context

The SPW wishes to strengthen its operational security team. An external 24/7 SOC is in place and requires reinforcement of the in-house team in order to provide appropriate follow-up to SOC escalations, incidents, and requests collected by other means. Additionally, the operational security team ensures the daily maturity improvement of security tools.

The mission aims to integrate a hybrid profile of SecOps analyst/network engineer to strengthen security operations.

This person, in addition to their recurring activities, will be available on a 24/7 on-call basis (rotation among 3 people).

SPW is currently in the process of complying with the NIS2 regulation (essential level).

SPW has a complex environment that provides services to Walloon citizens. It consists of a hybrid infrastructure (multi-site and cloud), an extended network (several dozen locations), numerous applications with varied technologies, and a large number of users. The security of its information system is therefore essential.

Objectives

• Ensure daily management of security tools and security incidents.
• Maintain and optimize security tools (excluding operations).
• Collaborate with the SOC and other SPW teams to strengthen overall security.
• Participate in projects related to operational security.
• Intervene on-call or in standby mode according to criticality.

Activities

• Management of security incidents (analysis, escalation, resolution) including documentation of incidents;
• Coordination of different teams for incident resolution or to improve the security level;
• Analysis of network flows and correlation with alerts;
• Contribution to network architecture security, relevance of configurations, management of exceptions (impact and risk analysis);
• Participation in tuning protection rules;
• Implementation of exception management (impact and risk analysis);
• Cross-functional support on security tools;
• Post-mortem incident analysis: technical retrospective, recommendations, and follow-up of action plans with the ITSM team;
• Handling alerts (SIEM, XDR, etc.) from the SOC and/or security tools;
• Security monitoring and threat intelligence: monitoring CVEs, IOCs, MITRE ATT&CK tactics;
• Participation in the development or continuous improvement of SecOps processes, procedures, and guides;
• Support for IT projects related to operational security: security review, providing technico-functional advice, active participation in the project team;
• Use of ITSM tools (Jira Service Management, etc.);
• Any other activity related to operational security depending on the needs and priorities of the service.

Intervention Terms

The mission is carried out within the SPW Digital security division under the supervision of the operational security manager.

The profile provides regular full-time services, 40h/week.

In addition to regular duties, the person ensures a rotation to guarantee a 24/7 on-call availability with a commitment to availability. Certain alerts must be addressed within a maximum of 30 minutes.

The SOC and SPW may call the person on duty to take charge of the analysis of a priority 1 or 2 incident, take response actions, and coordinate teams until the incident is resolved. Integration into existing processes (incident management, change management, SOC, etc.)

Expected Deliverables

• Activity and incident reports, progress reports on post-incident recommendations
• NIS2: initial notification, preliminary report, and final report
• Change log of rules (who, what, why)
• Optimized configurations of security tools
• Technical documentation, processes, and procedures
• Recommendations and improvement advice
• Security KPI tracking

Expected Behavioral Skills

1. Clear communication
2. Change management rigor
3. Emergency management
4. Incident prioritization
5. Versatility
6. Technical curiosity
7. Autonomy
8. Team collaboration
9. Responsiveness to unforeseen events

Evaluation Method

The evaluation will consist of an interview during which questions and/or role-playing exercises relating to the mission description will be used.

The interview will take place between ….. and …..