• Oversee 24/7 monitoring, triage, and escalation of OT security alerts across industrial environments • Support complex incident investigations and ensure quality of analysis across all tiers • Ensure adherence to SLAs, ticket quality, and operational KPIs • Lead and manage a team of OT SOC analysts (Tier 1 / Tier 2) • Provide coaching, mentoring, and performance feedback • Support shift planning, coverage, and handovers • Drive improvements to detection rules, playbooks, and SOC procedures • Identify gaps in monitoring, response, and tooling • Collaborate with engineering and threat detection teams for tuning and optimisation • Act as a key point of contact for customers during incidents and escalations • Ensure proper communication during major incidents • Support reporting, service reviews, and customer discussions • Coordinate with internal teams (engineering, IR, service delivery)

• You will report to the VP, Information Security. • Own the execution and continuous improvement of Aya Healthcare’s enterprise Security Operations program. • Lead a blended security operations model combining internal analysts, nearshore/offshore resources, and managed service providers. • Establish clear operating models, escalation paths, staffing coverage expectations, and accountability across all SecOps resources. • Serve as the primary owner of ServiceNow Security Incident Response (SIR) workflows, data models, and operating procedures. • Design, implement, and continuously improve SIR playbooks to automate triage, enrichment, containment, and response actions. • Drive automation that reduces manual analyst effort and improves MTTD, MTTR, and MTTC through standardized playbook execution. • Ensure incidents are consistently triaged, investigated, documented, and remediated using ServiceNow SIR. • Oversee detection and response capabilities across EDR and SIEM platforms, ensuring high-quality signal ingestion and routing into SIR. • Operate confidently across Microsoft Azure security capabilities available through Microsoft E5 environments (e.g., Defender, Sentinel). • Define, track, and improve MTTx metrics, using data to prioritize automation and process improvements. • Lead post-incident reviews and ensure lessons learned translate into improved detections, playbooks, and response procedures. • Manage, coach, and develop security operations personnel while fostering a high-energy, accountable team culture. • Act as a trusted escalation point during security incidents and clearly communicate operational risk and response status to leadership.

• Operate and tune enterprise security tools (EDR, SIEM/SOAR, WAF/proxy, email security). • Manage proxy filtering policies, exceptions, SSL inspection, and performance troubleshooting. • Build automation and playbooks (Python/PowerShell, SOAR, APIs) to streamline SecOps tasks. • Implement CI/CD pipelines and Infrastructure-as-Code workflows for consistent, auditable security configuration changes. • Author and tune detection rules; improve signal quality and reduce false positives. • Maintain and author health dashboards, uptime/coverage metrics, and change governance documentation. • Conduct knowledge transfers through runbooks, how-to guides, tabletop exercises, and lunch & learn training sessions. • Maintain upgrade schedules, license compliance, configuration baselines, and key/secret rotations. • Administer URL/category policies, SSL inspection, identity-aware policies, geo/risk-based controls, and performance troubleshooting. • Analyze block events for false positives; measure impact; retire exceptions on schedule and report residual risk. • Build and maintain an automation backlog in partnership with SecOps, prioritizing high-frequency, high-toil tasks. • Provide on-call support for tooling availability and ingestion/normalization issues. • Report on metrics (uptime, coverage, MTTR, lead time, change success rate, exception aging). • Keep documentation, diagrams, and asset inventories current. • As needed, monitor and respond to alerts raised by various toolsets as part of an ongoing 24/7 Security Operations Center. • Report outages or incidents following guidelines and procedures. • Detect, analyze, and respond to incidents, coordinate with other stakeholders for containing, eradicating, and recovering from an incident. • Assist in developing testing criteria to implement new signatures/rules. • Participate in on-call rotations, including nights, weekends, and holidays.

• Engineer and maintain security operations platforms (SIEM, EDR, NDR, email, cloud) • Apply a detections-as-code approach • Architect and implement security engineering capabilities • Collaborate with cross-functional teams to embed security controls • Research, evaluate, and operationalize security products and services