
CSIRT Incident Lead

Job ID: 559
Location: Stockley Park
Category: Technology
Salary: Dependent on experience
Hours:
Closing date: June 28th 2019, 11:55 PM.

Job Description:

Job purpose

The primary purpose of the Computer Security Incident Response Team - Incident Lead is to ensure M&S have a 24/7 detect and respond capability across the global estate to safeguard our data, people and brand.

Key accountabilities and measures

As a senior member of the Cyber Operations Team you will be in the front line of defence against security incidents directed at the IT platforms and automated information systems (IT security incidents) of M&S. The CSIRT Lead is also responsible for the performance of the CSIRT from our Offshore Level 1 & 2 Service. You will be the focal point for the execution of the response process and coordination of relevant parties when an information security incident occurs. You will be responsible for maintaining the preparedness of M&S for effective response and for supporting other teams responding to incidents that have peripheral security implications.

The Cyber Operations team provides a multi-located service that covers: event management; identity & access management; incident management and response; IT process interface; investigations and forensics; endpoint security operations; threat hunting; cyber security incident response (CIRT) and security monitoring.

This role is complex and varied; you will be responsible for ensuring Marks and Spencer have a robust secure perimeter whilst ensuring our defence in depth remains active, either through effective management of often disparate tools or through complex technical investigations. This role is also the immediate escalation point for junior resource within the team both in and out of hours.

• Protect M&S and its customers from materially impactful events to its Business, Brand and Customer e.g. catastrophic events, significant financial losses and highly embarrassing events

• Implement and operationalise effective Cyber Security Services and controls to protect core business processes and customer data i.e. (Identify, Detect, Protect, Respond and Recover controls)

• Identify and respond to threats: Incorporate industry intelligence enabling proactive threat detection, containment and response

• Operation and optimisation of security tooling/products, including network security (IDS/IPS/Firewalls), logging and auditing, event and incident management, privileged access management

• Coordinate Incident Response and Management with on and off-shore resources

• Respond to endpoint protection and malware detection tools alert escalations from level 1 and 2 SOC teams

• Conduct digital forensics and post incident investigation

• Make recommendations to improve operational effectiveness

• Create and review CSIRT documentation

• Defend systems against unauthorized access, modification and/or destruction

• Identify abnormalities and investigate violations

• Monitor routine security administration and Identity and Access Management activities

• Effectively communicate with internal stakeholders (technical and non-technical) and suppliers to provide updates on threats

• Coordinate Vulnerability management Operations activities

• Create, modify and update Intrusion Detection Systems (IDS)

• Create, modify and update Security Information Event Management (SIEM) Tools

Supplier and Vendor Management:

• Working with the Cyber Operations Service Management to deliver value for M&S Technology group by driving quality, efficiency and cost effectiveness from all Cyber Operations contracts

• Provide Cyber Operations governance for Changes and Proposals


• Leverage key supplier relationships to sustain competitive advantage and manage ongoing relationships with existing suppliers

• Identify areas and solutions to introduce efficiencies of scale

• Keep abreast of developments within the Cyber Industry and Retail market space to ensure that Cyber Operations are kept in line with defined or emerging industry best practices

• Identify continuous improvement opportunities and ensure they are implemented in a timely and controlled manner via Managed Service Providers and/or Third-Party Vendors

• Work with Cyber Security Architecture and Engineering functions to assist with the strategic development of Security Capabilities and their introduction to Operations.


• Represent Cyber Operations at Change Advisory Boards

• Identify and drive areas for service improvements in conjunction with the vendor or managed service supplier

• Ensure that reporting is provided on a regular and defined basis with clear, concise and meaningful content


• Set appropriate direction within M&S to ensure investments are made to Cyber Operations that best support the requirements of M&S Technology group

• Govern utilisation against licence entitlement for core security tooling

• Communicate up, down, and across all levels of the organization and technical product teams

Key skills

General:

• Ability to work well in a diverse team

• Methodical and disciplined work approach

• Good problem solving and analytical skills

• Strong verbal and written communication skills

• Familiarity with appropriate legal frameworks - GDPR being the key focus

• Deep understanding of Risk Management Framework

• Experience of working in an Agile environment as part of a multi-disciplined team

• Strong knowledge and demonstrable experience of cyber security technologies and methods

• Security event log collection and analysis

• Strong experience in enterprise operating systems (Wintel; Linux; Unix)

• Solid experience in multi-vendor networks and firewalls (Cisco, Palo Alto, Juniper)

• Good experience in Database technologies (SQL, Oracle, DB2, Mongo)

• Experience of vulnerability and threat assessment

• Experience of Intrusion detection and prevention systems

• Experience of Web-based application security including Akamai Kona, Apigee etc.

• Ability to develop custom code (perl / shell scripting etc.)

• Experience of Cloud systems and their Architecture (Azure, AWS, Office 365)

• Experience of working in a 24/7 Security Operations Centre environment or similar

• Experience of Incident Handling processes and procedures

• Proficient in working in a fast-paced, complex, dynamic, multicultural business environment

• Knowledge of legal requirements for privacy of personal information from employees and customers

• Demonstrable experience of working effectively with managed suppliers and vendors

• Strong working knowledge of Splunk and log analysis in an enterprise environment

• Exposure to numerous malware variations and IOCs

• Understanding of Java web applications and their security configurations.

• Splunk (Core, ES and UBA)

• Knowledge of protocols including E-mail / SMTP, DNS, SSL / TLS

• Windows Active Directory and Policies

• CASB

• System Configuration including Microsoft Intune & SCCM

• IBM Resilient

• ITSM Tools including Remedy & Remedy CMDB

• Ideally have Industry Standard qualifications and training (SANS; GIAC; CISP), and/or recognised security certifications


• Ideally have Industry Standard qualifications and training such as SANS; GIAC; CISSP

• Preferably a Bachelor's or Master's Degree in Information Technology or related subject

Key relationships and stakeholders

• No direct reports

• Collaboration with Infrastructure and Application support and delivery teams

• Co-ordination of cross team activities within the portfolio of Cyber Operations
