Job description

Why this role matters

You will own and evolve GOTEC’s global hybrid-cloud backbone—powering >10 plants and 2000+ colleagues—while embedding Zero-Trust and segmentation-by-design across our entire tech stack.

Key outcomes – first 12 months

• Build complete PAW environment for Admins, Devs and OT ENgineers

• Migrate domains to Azure AD PIM, incl. scoped admin roles and JIT workflows

• Enforce Zero‑Trust segmentation across WAN, Azure and OT VLANs—reducing lateral movement paths by 80 %

• Reduce SIEM false positives by 50 % and maintain SLA adherence on all “high” severity alerts

What you will do

• Lead architecture and operations in your domain across Azure, VMware/Hyper‑V, HCI, SAN

• Design and enforce Zero‑Trust policies: PAWs, Tier‑0, NAC, micro‑segmentation, SCADA overlays

• Build and maintain secured network topologies (ExpressRoute, SD‑WAN, BGP, MACsec, 802.1X, ACLs)

• Drive infra-as-code across cloud & on‑prem (Terraform/Bicep, GitHub/Azure DevOps)

• Stand-up and operate global SOC coverage incl. MSSP onboarding & runbooks

• Implement ITIL service processes, KPIs and risk remediation plans (incl. audit readiness)

• Work closely with our development department to ensure fast and secure deployment processes

• Mentor engineers, lead tabletop drills & participate in red‑team simulations

• Ensure compliance with TISAX, ISO 27001, GDPR, and EU Cloud Security requirements

• Act as escalation and take part in on-call rotation (≤ 20 % travel)

Must-have skills

• 10+ years building & operating enterprise-grade Azure / hybrid infrastructures

• Expert in VMware or Hyper-V (incl. vSAN, SCVMM), HCI, backup/DR, SAN/NAS

• Proven track record in Zero-Trust architecture (Tier-0 design, NAC, OT isolation)

• Strong hands-on with enterprise networking: ExpressRoute, SD-WAN, BGP, routing/security zones

• IaC and CI/CD pipelines using Terraform/Bicep and GitHub / ADO

• Security monitoring & tuning (Wazuh, Prometheus, Grafana)

• Process leadership (ITIL KPIs, SLA governance, CAB participation)

• Excellent written/spoken English (C1), confident presenter and documentation lead

Nice-to-have

• AZ‑305, VCAP‑DCV, NSE 6/7, CISSP/CCSP, ITIL MP

• ISA/IEC 62443 familiarity (zones, conduits, firewall patterns)

• Familiarity with TISAX, ISA/IEC 62443, ISO 27001

• Experience designing and leading red‑team or tabletop security drills

• Language: German or Polish beneficial