CSOC Incident Response Lead
Sherwin-Williams
The Cybersecurity Security Operations Center (CSOC) Incident Response (IR) Lead is a cybersecurity professional responsible for overseeing and coordinating the response to all security incidents within the organization. Acting as the primary decision-maker during a breach, the IR Lead leads the incident response team, assesses the situation, implements response plans, and communicates updates to stakeholders throughout the incident lifecycle, with the primary goal of minimizing risk and restoring operations quickly and safely. This role requires a strategic thinker with strong leadership and technical skills, capable of making quick and informed decisions in high-pressure situations, and able to support the IR lifecycle using our Security Information and Event Monitoring (SIEM) and Security Orchestration and Automated Response (SOAR) technologies.
This role reports directly to the CSOC manager.
At Sherwin-Williams, our purpose is to inspire and improve the world by coloring and protecting what matters. Our paints, coatings and innovative solutions make the places and spaces in our world brighter and stronger. Your skills, talent and passion make it possible to live this purpose, and for customers and our business to achieve great results. Sherwin-Williams is a place that takes its stability, growth and momentum and translates it to possibility for our people. Our people are behind the strength of our success, and we invest and support you in:
Life … with rewards, benefits and the flexibility to enhance your health and well-being
Career … with opportunities to learn, develop new skills and grow your contribution
Connection … with an inclusive team and commitment to our own and broader communities
It's all here for you... let's Create Your Possible
At Sherwin-Williams, part of our mission is to help our employees and their families live healthier, save smarter and feel better. This starts with a wide range of world-class benefits designed for you. From retirement to health care, from total well-being to your daily commute—it matters to us. A general description of benefits offered can be found at http://www.myswbenefits.com/. Click on “Candidates” to view benefit offerings that you may be eligible for if you are hired as a Sherwin-Williams employee.
Compensation decisions are dependent on the facts and circumstances of each case and will impact where actual compensation may fall within the stated wage range. The wage range listed for this role takes into account the wide range of factors considered in making compensation decisions including skill sets; experience and training; licensure and certifications; and other business and organizational needs. The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the position may be filled. The wage range, other compensation, and benefits information listed is accurate as of the date of this posting. The Company reserves the right to modify this information at any time, with or without notice, subject to applicable law.
Qualified applicants with arrest or conviction records will be considered for employment in accordance with applicable federal, state, and local laws including with the Los Angeles County Fair Chance Ordinance for Employers and the California Fair Chance Act where applicable.
Sherwin-Williams is proud to be an Equal Employment Opportunity employer. All qualified candidates will receive consideration for employment and will not be discriminated against based on race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, disability, age, pregnancy, genetic information, creed, marital status or any other consideration prohibited by law or by contract.
As a VEVRAA Federal Contractor, Sherwin-Williams requests state and local employment services delivery systems to provide priority referral of Protected Veterans.
Please be aware, Sherwin-Williams recruiting team members will never request a candidate to provide a payment, ask for financial information, or sensitive personal information like national identification numbers, date of birth, or bank account numbers during the application process.
Formal Education & Certification
· Bachelor’s degree in Computer Science, Information Technology, or a related field (or equivalent experience).
· Relevant certifications such as the GIAC Incident Handler (GCIH) are preferred.
Knowledge & Experience
· 8+ years of IT/cybersecurity experience.
· Proven experience leading and coordinating IR efforts in a fast-paced environment.
· Strong technical knowledge of network security, malware analysis, intrusion detection, and related technologies.
· Excellent communication and interpersonal skills, with the ability to interact effectively with stakeholders at all levels and explain technical information to non-technical stakeholders.
· Ability to remain calm and focused under pressure, with a commitment to delivering results.
· Understanding of various operating systems (z/OS, Windows, UNIX, Linux, AIX, etc.).
Preferred Experience
· Previous experience with IR and incident handling.
· Deep understanding of cybersecurity concepts, including incident response methodologies and threat intelligence.
· Familiarity with relevant cybersecurity frameworks and regulations (e.g., NIST, GDPR).
· SIEM/SOAR solutions, such as Splunk and Sumo Logic.
· Experience in a CSOC or working with a Managed Security Service Provider.
· Experience with a Threat Intelligence Platform (TIP) and an understanding of why integrating it into the SIEM matters for IR and for handling Indicators of Compromise.
· Exposure to Incident Response in the Operational Technology domain.
Personal Attributes
· Strong analytical, conceptual, and problem-solving abilities.
· Strong written and oral communication skills.
· Strong presentation and interpersonal skills.
· Ability to conduct research into database issues, standards, and products.
· Ability to present ideas in user-friendly language.
· Able to prioritize and execute tasks in a high-pressure environment.
· Ability to work in a team-oriented, collaborative environment.
· Strong commitment to inclusion and diversity.
· Curiosity and willingness to learn about systems, tools, and networking.
· Ability to step in and lead others in the absence of direction.
Responsibilities
· Serve as the primary point of contact and decision-maker during cybersecurity incidents.
· Assist in utilization of the full CSOC toolset in support of IR (e.g., SIEM / SOAR, sandbox, email security, Endpoint Detection and Response, etc.).
· Lead and coordinate incident response efforts within the Triage & Response team, including mobilizing resources, assessing the situation, and implementing response plans.
· Collaborate with internal and external stakeholders to gather information, assess impact, and prioritize response actions.
· Provide clear and timely communication to stakeholders, including executive leadership, throughout the incident lifecycle.
· Implement and refine the analysis and forensics process.
· Implement and refine incident response procedures, protocols, and playbooks to enhance effectiveness and efficiency.
· Conduct monthly post-incident reviews to identify lessons learned and areas for improvement, and enforce consistent remediation of action items with analysts, engineers, and relevant stakeholders.
· Stay abreast of emerging cyber threats, vulnerabilities, and best practices in incident response through collaboration with the Vulnerability Management and Cyber Threat Intelligence teams.
· Hold monthly workshops with stakeholders from Information Technology and Operational Technology to discuss ongoing and future initiatives related to Incident Response.
· Collaborate with security engineers to enhance detection and playbook automation.
· Lead tabletop exercises with CSOC team members and internal stakeholders to facilitate training, identify gaps, and support continuous improvement.
· Assist with managing the IR database to ensure adherence to audit and compliance requirements.
· Support CSOC manager with vendor management of the IR retainer(s).
· Oversee formal and informal IR training, and identify training opportunities that make use of unused IR retainer credits.