SRE SecOps Engineer

Job Description Summary

GE Vernova's GridOS Platform Engineering team is building the next generation of SaaS reliability for critical energy infrastructure. The SecOps Engineer is the security backbone of the GridOS SRE team, responsible for maintaining the integrity, compliance posture, and regulatory readiness of every customer environment across GE Vernova's SaaS energy management portfolio. Operating within a highly regulated critical infrastructure environment - with active Cyber Security and Architecture Board oversight - this role demands both technical depth in cloud security operations and the process rigor required to satisfy audit, compliance, and customer-facing SLA obligations. You will own the vulnerability remediation lifecycle, enforce GE Vernova Security hardening standards, and serve as the primary point of contact for all security response and patching activities for GridOS SaaS.

Job Description

Roles and Responsibilities

Vulnerability Management & CVE Remediation

• Own the end-to-end CVE lifecycle: triage incoming vulnerability disclosures, working with GE Vernova Cyber and Red team, assess exploitability and blast radius across customer environments, prioritize by CVSS score and business risk, and track remediation to closure.
• Manage patching schedules for OS images (GESOS-hardened), Kubernetes node pools (EKS), container base images, and third-party dependencies - coordinating with Production DevOps for change-controlled deployment windows.
• Operate and tune vulnerability scanning tools across all customer AWS accounts: Amazon Inspector, AWS Security Hub, and supplementary container image scanners (Trivy, Grype, or equivalent).
• Maintain a live vulnerability register with SLA-bound remediation timelines and report status weekly to the SRE Lead.
• Establish and publish CVE patch SLAs aligned to severity: Critical (72 hrs), High (7 days), Medium (30 days), Low (90 days).

• Enforce and maintain GESOS-compliant OS image standards across all customer environments - validate images on each provisioning cycle in coordination with the SaaS Cloud Engineer.
• Own jumphost configuration, hardening, and access control for all customer AWS accounts, ensuring alignment with the principle of least privilege.
• Define and maintain CIS Benchmark-aligned security baselines for EC2 instances, EKS node groups, and IAM configurations.
• Implement and maintain AWS Security Hub custom standards that reflect GE Vernova internal Cyber Guardrail requirements.
• Regularly assess and close configuration drift between GESOS baseline and live environments using automated compliance scanning (AWS Config, Security Hub, or equivalent).

• Own the security incident response runbook: detection, containment, eradication, recovery, and post-incident review for security-category incidents.
• Triage GuardDuty, Security Hub, and CloudTrail anomaly alerts; escalate confirmed security incidents to the SRE Lead and Cyber Board per the defined escalation matrix.
• Coordinate forensic evidence preservation and chain-of-custody documentation for security incidents requiring formal investigation.
• Participate in quarterly tabletop exercises simulating security incidents (ransomware, credential compromise, insider threat) to validate response playbooks.

• Own IAM governance across all customer AWS accounts: enforce least-privilege policies, conduct quarterly access reviews, and remove stale credentials and roles.
• Implement and maintain secrets management standards using AWS Secrets Manager and/or HashiCorp Vault - enforce zero hardcoded secrets across all GridOS SaaS deployments.
• Monitor for IAM misconfigurations and privilege escalation paths using tools such as AWS IAM Access Analyzer and PMapper.
• Define and enforce MFA requirements and session duration policies for all human and service identities across customer accounts.

• Serve as the primary SecOps point of contact for all customer-facing and internal security audits - prepare evidence packages, respond to auditor RFIs, and track remediation commitments.
• Maintain continuous compliance posture for relevant frameworks across the customer portfolio (see Compliance Framework table below).
• Operate CloudTrail and CloudWatch Logs for tamper-evident audit trails; ensure log retention policies meet contractual and regulatory requirements.
• Support the SaaS Cloud Engineer in implementing and maintaining GuardDuty and Macie findings review workflows.
• Produce quarterly compliance posture reports for the SRE Lead and escalate critical findings to the Cyber Security / Architecture Board.

• 3-5 years in security operations, cloud security engineering, or DevSecOps roles with hands-on AWS responsibility.
• Deep expertise in AWS security services: Security Hub, GuardDuty, Inspector, IAM Access Analyzer, CloudTrail, Macie, and Config.
• Proven experience managing vulnerability remediation programs with defined SLAs in production SaaS or critical infrastructure environments.
• Working knowledge of container and Kubernetes security - image scanning, pod security standards, RBAC, and network policies.
• Hands-on experience with at least one compliance framework: SOC 2, NERC CIP, FedRAMP, ISO 27001, or PCI-DSS.
• Experience with IaC security scanning tools - Wiz, Qualys, Aqua, Checkov, tfsec, KICS - integrated into CI/CD pipelines (GHA / ArgoCD).
• Scripting fluency in Python and/or Bash for automation of security runbooks, evidence collection, and remediation scripts.
• Strong documentation skills - able to produce audit-ready evidence packages, security policies, and runbooks independently.

• Knowledge of SIEM tools - Splunk, AWS Security Lake, or Elastic SIEM - for log aggregation and threat detection.
• Exposure to threat modeling methodologies (STRIDE, PASTA) applied to cloud-native SaaS architectures.
• Experience with penetration testing coordination or red team engagement management.
• AWS certifications: Security Specialty, Solutions Architect Professional. CISSP, CISM, or CompTIA Security+ a plus.