
Booking Holdings Romania - Cyber Defense Technical Operations & Response Team Leader

Booking · salary not specified · Bucharest, Romania · company website · published June 9, 2026


Job description

Booking Holdings Romania is a Center of Excellence based in Bucharest, Romania and was created to support the increasing business demands of the Booking Holdings Brands. The Center of Excellence provides access to specialized and highly skilled talent, leading industry best practices, and collaboration opportunities across all of our Brands.
As part of our Booking Holdings Romania team, you will have the opportunity to be a part of the world’s leading provider of online travel, with a mission of making it easier for everyone to experience the world through five primary consumer-facing brands: Booking.com, Priceline, Agoda, KAYAK and OpenTable.
This role provides a hybrid way of working with an onsite presence of 2 days/week.
Key Job Responsibilities and Duties
Identifies and automates manual, repetitive tasks within the security operations center (SOC) workflows, in alignment with departmental continuous improvement goals, in order to remove operational bottlenecks and increase analyst efficiency.
Leads and mentors a mixed operational shift team of full-time employees and external contractors, in accordance with company human resource guidelines and delivery baselines, in order to maintain high team morale, prevent attrition, and ensure stable shift coverage.
Evaluates and audits daily security alerts and analyst investigation notes across corporate cloud, identity, network, and endpoint infrastructures, based on established quality assurance standards, in order to identify technical gaps, verify correct alert handling, and prevent missed security incidents.
Coordinates response and mitigation efforts for complex security events alongside the Incident Response (IR) team and external vendors, utilizing CSIRT playbooks and modern security tools like SIEM, EDR, and SOAR, in order to achieve fast threat containment and determine the root cause of active threats.
Translates and communicates technical risk and incident status to non-technical business partners, stakeholders, and clients, in alignment with corporate communication and stakeholder protocols, in order to ensure clear visibility, build trust, and resolve cross-departmental security gaps.
Updates and maintains operational documentation, runbooks, and assigned projects for the detection and response ecosystem, under the direction of the Cyber Detection and Response (CDR) Manager, in order to guarantee standardization of team workflows and protect long-term service stability.
Role Qualifications and Requirements
Experience: 5+ years working in a SOC or an Incident Response environment.
Leadership: Experience leading a team, managing shift schedules (ROTA), and mentoring junior analysts.
Problem Solving: A proven track record of changing processes and workflows to make a team more efficient.
Communication: Clear and direct communication skills in English, both written and spoken.
Certifications: Security+, CySA+, GCIH, or CISSP are helpful, but your actual work experience is more important to us. Advanced technical certifications (like OSCP or GREM) are a bonus.
Must have strong experience evaluating security alerts across modern corporate infrastructures (Cloud, Identity, Network, Endpoint).
Ability to quickly read an analyst's investigation notes, spot technical gaps or missing evidence, and guide the next steps of the incident lifecycle.
Proven experience using enterprise-grade SIEM, EDR, and SOAR tools to identify attack patterns (such as living-off-the-land techniques or lateral movement).
Collaborate with the IR team on complex security incidents to achieve efficient mitigation for active threats and identification of the root cause.
Collaborates on various departmental projects that help the organization improve its cyber security posture and achieve its mission/objectives
Collaborates with different CDR stakeholders and vendors to remediate any identified gaps
Masters and uses CSIRT’s playbooks, runbooks, workflows, operational documentation, and processes. Contributes to the writing and maintenance of all such documents.
Owns and delivers on assigned projects (often around improvements to detections, processes and playbooks) while balancing execution and deliveries with operations and IR workload; Supports other team members in projects.
Drives continuous improvements of our detection and response capabilities by identifying and owning improvement areas in the technology, methods, processes (including opportunities around detection tuning and automation).
Offers on-call support during the nights, weekends and public holidays (optional)
Benefits & Perks
Contributing to a high scale, complex, world renowned product and seeing real-time impact of your work on millions of travelers worldwide
Working in a fast-paced and performance driven culture
Technical, behavioral and interpersonal competence advancement via on-the-job opportunities, experimental projects, hackathons, conferences and active community participation
Competitive compensation and benefits package
Vast amounts of data to validate your ideas and the opportunity to experiment with real users
Booking Holdings is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. We strive to move well beyond traditional equal opportunity and work to create an environment that allows everyone to thrive.
Pre-Employment Screening
If your application is successful, your personal data may be used for a pre-employment screening check by a third party as permitted by applicable law. Depending on the vacancy and applicable law, a pre-employment screening may include employment history, education and other information (such as media information) that may be necessary for determining your qualifications and suitability for the position.
