INCIDENT RESPONSE LEAD - 72004003
Requisition No: 870459
Agency: Management Services
Working Title: INCIDENT RESPONSE LEAD - 72004003
Pay Plan: SES
Position Number: 72004003
Salary: $100,000 - $140,000
Posting Closing Date: 02/26/2026
SOC Manager
Florida Digital Service
State of Florida Department of Management Services
This position is located in Tallahassee, FL
The SOC Manager provides strategic and operational leadership for the State’s Security Operations Center, overseeing two analyst teams that perform enterprise-wide cyber threat intelligence (CTI), threat monitoring, and incident response (IR) functions. The SOC Manager ensures operational coverage, analytic consistency, and effective coordination across the enterprise to detect, analyze, and respond to cybersecurity threats affecting state and local government systems.
This position manages SOC staff scheduling, directs operations, validates detection efficacy, and ensures the timely production of reports, key performance indicators (KPIs), and situational awareness deliverables. The SOC Manager works closely with Engineering, Enterprise Architecture, and other cybersecurity units to strengthen detection capabilities, refine operational processes, and drive continuous maturity improvements across the SOC program.
The SOC Manager is expected to possess and demonstrate hands-on technical expertise in security operations. This role requires the ability to independently analyze alerts, validate detections, guide investigations, and make informed technical decisions during active incidents. The SOC Manager must be capable of leading analysts by technical example, reviewing analytic work products for accuracy and quality, and directly engaging with SOC tooling, telemetry, and workflows when required.
Key Responsibilities:
Leadership and Operations Management
Provide technical leadership for SOC operations by reviewing, validating, and, when necessary, personally conducting advanced alert triage, incident investigation, and threat analysis activities. The SOC Manager must be able to step into analyst or team lead functions during high-impact incidents or staffing gaps.
Provide leadership and direction to SOC Team Leads and Analysts, ensuring effective execution of cyber threat intelligence and incident response operations, and related cybersecurity analytical functions.
Manage schedules and shift rotations to maintain expected SOC coverage levels.
Oversee daily operations, workload balance, and coordination between SOC teams to ensure unified execution of operational, project, and improvement responsibilities.
Supervise the performance and professional development of SOC personnel through coaching, mentoring, and structured feedback.
Serve as the SOC escalation point for critical incidents and analytic or operational issues requiring management intervention.
Collaborate with the Deputy State CISO and other security leaders to align SOC operations with broader cybersecurity strategy and enterprise risk priorities, including workforce planning to ensure sustained operational readiness and continuity of expertise.
Operational Oversight and Coordination
Demonstrate working knowledge of SOC technologies by actively validating telemetry ingestion, detection fidelity, alert thresholds, and response workflows across SIEM, SOAR, EDR/XDR, and CTI platforms.
Ensure SOC processes, reporting activities, and escalation procedures comply with applicable cybersecurity statutes and administrative rules, including s. 282.318, F.S., s. 282.3185, F.S., and Chapter 60GG-2, F.A.C.
Validate the efficacy of detection and response capabilities across tools, processes, and workflows, including identifying gaps in detection coverage and recommending improvements to enhance enterprise visibility across telemetry and data sources.
Direct the creation and maintenance of standard operating procedures (SOPs), playbooks, and analytic standards to ensure consistent incident handling and intelligence production.
Coordinate with Security Engineering and Enterprise Architecture teams to improve detection logic, data integration, and telemetry visibility.
Ensure timely and accurate recording of information to be used in CSOC performance management.
Oversee quality assurance and timely production of all SOC outputs, including metrics, threat intelligence products, incident documentation, situational awareness reports, and ad-hoc reporting.
Ensure effective information sharing and coordination with external partners, including the Florida Department of Law Enforcement (FDLE) Cybercrime Division, Division of Emergency Management, and other public-sector entities.
Program Development and Continuous Improvement
Lead SOC maturity initiatives to enhance detection coverage, response speed, and analytic quality.
Analyze performance metrics, incidents, and threat data to identify trends and opportunities for improvement.
Support the development and implementation of incident reporting, automation, orchestration, and analytics improvements within SOC tools and platforms.
Establish and maintain a culture of accountability, collaboration, and operational excellence across SOC teams.
Communication and Collaboration
Serve as the primary operational liaison between the SOC and other cybersecurity, IT, and business units.
Communicate SOC priorities, status updates, and operational impacts to leadership and stakeholders in clear, actionable terms.
Coordinate with other teams on projects and initiatives, ensuring SOC participation aligns with enterprise objectives and respects the priorities of partner teams.
Provide formal and informal briefings and reports to the Deputy State CISO, executive leadership, and other stakeholders as required.
Oversee SOC contributions to statewide cybersecurity deliverables, exercises, and activities.
*Other duties as assigned.
Knowledge, Skills, and Abilities:
Knowledge
Advanced knowledge of security monitoring and detection concepts, including log sources, event correlation, alert fidelity, false positive reduction, and analytic validation.
Cybersecurity governance principles and how SOC operations align with organizational missions and strategic priorities.
Cyber threat intelligence processes, incident response lifecycle, and public-sector reporting and coordination requirements (including but not limited to s. 282.318, F.S., and s. 282.3185, F.S.).
SOC operations, including monitoring, detection engineering, telemetry sources, analytics, situational reporting, and case documentation standards.
Cybersecurity policies, regulatory requirements, and statewide cybersecurity expectations of FLDS, state agencies, and local government entities (including s. 282.318, F.S., s. 282.3185, F.S., and Chapter 60GG-2, F.A.C.).
Program and project management principles, including resource planning, scheduling, prioritization, and performance measurement using KPIs and operational metrics.
Security architecture, engineering practices, and detection logic development sufficient to coordinate with Engineering and Enterprise Architecture teams.
Automation, orchestration, and analytics concepts used to improve SOC processes and response efficiency.
Skills
Leading and developing high-performing teams, providing coaching, structured feedback, and fostering a culture of accountability and continuous improvement.
Ability to independently review and challenge analytic conclusions, detection logic, and investigative approaches to improve SOC outcomes.
Managing operational schedules, balancing workloads, and ensuring consistent coverage for detection and incident response activities.
Communicating complex cyber risks, operational impacts, and SOC priorities clearly to technical teams, leadership, and enterprise stakeholders.
Coordinating cross-functional initiatives with other cybersecurity, IT, and partner teams, while respecting differing priorities and constraints.
Establishing, maintaining, and improving SOC playbooks, SOPs, documentation standards, and workflows.
Evaluating and improving detection and response capabilities through validation, tuning, and collaboration with engineering functions.
Analyzing metrics, incident trends, intelligence indicators, and historical case data to identify gaps and guide improvements.
Overseeing the production of accurate, timely SOC work products.
Abilities
Leverage cybersecurity tools and data platforms including Security Lake, SIEM, SOAR, EDR/XDR, CTI feeds, and log/telemetry pipelines to strengthen threat visibility, streamline detection and response workflows, and support decision making.
Personally perform advanced alert analysis, incident investigation, and technical review activities when required to maintain operational continuity or quality.
Make sound operational and escalation decisions during high-pressure incidents, ensuring coordinated and timely response.
Build and sustain strong relationships with leadership, operational teams, stakeholders, and mission partners.
Lead strategic SOC maturity initiatives that enhance detection coverage, response speed, analytic consistency, and operational quality.
Manage complex operational and cross-functional projects from initiation through completion, ensuring SOC contributions meet shared objectives.
Integrate lessons learned from incidents and intelligence into improved detection logic, procedures, and automation opportunities.
Ensure SOC readiness by anticipating technology changes, emerging threats, and organizational needs, and adapting processes accordingly.
Minimum Qualifications:
Bachelor’s degree in Computer Science, Cybersecurity, Information Systems, or a related field; graduate degree preferred.
7+ years of progressively responsible experience in cybersecurity operations, incident response, threat intelligence, or SOC environments.
At least 3 years of experience leading or supervising cybersecurity analysts or operational teams, including responsibility for analytic quality, detection outcomes, and operational performance.
At least 2 years of experience maintaining structured case documentation, producing written analytic products, and briefing technical or leadership audiences.
Demonstrated hands-on experience performing security monitoring, alert triage, and incident response activities within a SOC environment, beyond managerial oversight responsibilities.
Technical incident response and detection certifications such as GCIH, GCIA, GCED, GSOC, or GCTI are strongly preferred. Leadership-only certifications (CISSP, CISM, etc.) without prior operational experience are not sufficient on their own.
Applicants must be prepared to discuss specific examples of incidents they personally analyzed or led, including the technical reasoning used to reach conclusions.
Other job-related requirements for this position:
• Ability to sit for extended periods of time. Ability to stand for extended periods of time. Ability to drive and/or fly long distances. Ability to lift, push, and pull up to 30 lbs.
• Criminal background investigation including fingerprinting and statewide and national criminal history records check per Section 110.1127 Florida Statutes, Chapter 435 Florida Statutes and the Federal Bureau of Investigation’s CJIS Security Policy CJISD-ITS-DOC-08140.
Our Organization and Mission:
Under the direction of Governor Ron DeSantis, Interim Secretary Tom Berger and DMS’ Executive Leadership Team, the Florida Department of Management Services (DMS) is a customer-oriented agency with a broad portfolio that includes the efficient use and management of real estate, procurement, human resources, group insurance, retirement, telecommunications, fleet, and federal property assistance programs used throughout Florida’s state government. It is against this backdrop that DMS strives to demonstrate its motto, “We serve those who serve Florida.”
Special Notes:
DMS is committed to successfully recruiting and onboarding talented and skilled individuals into its workforce. We recognize the extensive training, experience, and transferable skills that veterans and individuals with disabilities bring to the workforce. Veterans and individuals with disabilities are encouraged to contact our recruiter for guidance and answers to questions through the following email addresses:
DMS.Ability@dms.myflorida.com
DMS.Veterans@dms.myflorida.com
An individual with a disability is qualified if he or she satisfies the skills, experience, and other job-related requirements for a position and can perform the essential functions of the position with or without reasonable accommodation. Candidates requiring a reasonable accommodation, as defined by the Americans with Disabilities Act, must contact the DMS Human Resources (HR) Office at (850) 488-2707. DMS requests that applicants notify HR in advance to allow sufficient time to provide the accommodation.
Pursuant to s. 215.422, F.S., every officer or employee who is responsible for the approval or processing of vendors' invoices or the distribution of warrants to vendors is mandated to process, resolve, and comply as section 215.422 requires.
The State of Florida is an Equal Opportunity Employer/Affirmative Action Employer and does not tolerate discrimination or violence in the workplace.
Candidates requiring a reasonable accommodation, as defined by the Americans with Disabilities Act, must notify the agency hiring authority and/or People First Service Center (1-866-663-4735). Notification to the hiring authority must be made in advance to allow sufficient time to provide the accommodation.
The State of Florida supports a Drug-Free workplace. All employees are subject to reasonable suspicion drug testing in accordance with Section 112.0455, F.S., Drug-Free Workplace Act.
TALLAHASSEE, FL, US, 32399