CIRT Technical Expert I

Duquesne Light Company, headquartered in downtown Pittsburgh, is a leader in providing electric energy and has been in the forefront of the electric energy market, with a history rooted in technological innovation and superior customer service. Today, the company continues its role as a leader in the transmission and distribution of electric energy, providing a secure supply of reliable power to more than half a million customers in southwestern Pennsylvania.

Duquesne Light Company is committed to creating a culture of inclusion. We value and respect the unique differences and experiences of our employees. We believe that our differences lead to better collaboration, innovation and outcomes. We want you to join our team

Job Title: CIRT Technical Expert

Position Summary:

We are seeking a highly skilled and strategic Cybersecurity Incident Response Team (CIRT) Technical Expert to lead our incident response, insider threat detection, and threat intelligence operations within the energy and utilities sector. This role is pivotal in protecting critical infrastructure, ensuring rapid response to cyber threats, and proactively identifying and mitigating risks. The ideal candidate will possess deep technical expertise, leadership capabilities, and a strong understanding of the unique cybersecurity challenges in energy and utilities environments.

Location: Hybrid, Pittsburgh, Pennsylvania at Woods Run Complex

Job Duties and Responsibilities:

Incident Response Leadership

• Lead the CIRT team in detecting, analyzing, and responding to cybersecurity incidents across IT and OT environments.
• Develop and maintain incident response playbooks tailored to energy and utility systems, including SCADA, ICS, and smart grid technologies.
• Coordinate with internal stakeholders and external partners during major incidents and ensure timely resolution and recovery.

Insider Threat Management

• Design and implement insider threat detection and mitigation strategies.
• Collaborate with HR, legal, and compliance teams to investigate and respond to insider threat cases.
• Utilize behavioral analytics and user activity monitoring tools to identify anomalous behavior.

Threat Intelligence Operations

• Establish and manage threat intelligence programs to proactively identify emerging threats.
• Integrate threat intelligence feeds and collaborate with industry ISACs and government agencies.
• Translate threat intelligence into actionable insights for security operations and architecture teams.

Governance and Compliance

• Ensure incident response and threat management practices to comply with NERC CIP, NIST CSF, and other relevant regulations.
• Support audit and reporting requirements related to cybersecurity incidents and threat intelligence.
• Maintain documentation and evidence for regulatory reviews and investigations.

Collaboration and Mentorship

• Partner with cybersecurity architecture, SOC, and infrastructure teams to enhance detection and response capabilities.
• Mentor junior analysts and engineers, fostering a culture of continuous learning and operational excellence.
• Conduct tabletop exercises and training sessions to improve incident response readiness.
• Engage with external partners to enhance and mature the organization's security posture.
• Embed security across the DevSecOps pipeline by partnering with application development teams to implement secure coding practices, automated code and library scans, and software supply chain validation.
• Drive application hardening efforts through secure configuration, vulnerability remediation, and centralized secrets management to reduce attack surface and enforce consistency.
• Enhance visibility into CIRT operations by integrating application-level telemetry, security logging, and threat indicators to support proactive detection and rapid incident response.

Education and Experience Required:

• Bachelor's or Master's degree in Cybersecurity, Computer Science, or related field.
• 15+ years of experience in IT/cybersecurity, with 5+ years in incident response and threat intelligence leadership roles.
• Deep understanding of OT systems (SCADA, DCS, PLCs), IT/OT integration, and industrial cybersecurity.
• Expertise in SIEM, SOAR, EDR, UEBA, and threat intelligence platforms.
• Familiarity with NERC CIP, NIST 800-series, and ISA/IEC 62443 standards.
• Certifications such as CISSP, GIAC, or GCTI preferred.

Preferred Qualifications:

• Experience with insider threat programs and behavioral analytics.
• Familiarity with AI/ML applications in threat detection and response.
• Experience in application security practices including secure coding, vulnerability remediation, code and dependency scanning, secrets management, and integration of security telemetry to support incident response

Skills/Abilities:

• Knowledge of threat hunting methodologies and adversary tactics (MITRE ATT&CK).
• Strong communication skills and ability to brief executive leadership on cybersecurity posture and incidents.

Scope

Primary focus is on daily deliverables, outputs, reporting along with the proactive improvement of process and workflows for the larger group. Confidently manages ones own time and work flow and prioritizes work effectively. Responsibilities are both operational and strategic in nature. Daily work is typically complex in nature requiring the incumbent to draw on previous knowledge to perform role. Has well established capabilities, acts as a resource to less experienced staff and peers on complex issues which require subject matter expertise.

Decision Impact

Problems and issues faced are vague and require reasoning of a broader set of variables to identify root cause. Expert in their field and makes sound decisions regularly. Other employees typically seek advice and decisioning support from this role on a regular basis.

Hybrid Work

Position follows our hybrid work model, with a minimum of two days working in the office and the remaining days working remotely. Reporting location and frequency may be subject to change based on job role and department needs.

Storm Roles

All Non-Union Employees will serve in storm roles as appropriate to their role and skillset. Please be sure to discuss storm roles with the hiring manager for this position, as duties can vary across the Company. Examples of storm roles could include but aren't limited to duties such as: working with operations for service center support or with the communications, customer service or government affairs teams to respond to public and customer requests for information, etc.

Data Governance

Utilize data to make business decisions as appropriate for the position, support data stewardship activities and partner with IT on underlying data needs.

EQUAL OPPORTUNITY EMPLOYER

Duquesne Light Holdings is committed to providing equal employment opportunity to all people in all aspects of the employment relationship, without discrimination because of race, age, sex, color, religion, national origin, disability, sexual orientation and gender identity or status as a Vietnam era or special disabled veteran or any other unlawful basis, as defined by applicable law, and fostering a workplace free of unlawful discrimination and retaliation. This policy affects decisions including, but not limited to, hiring, compensation, benefits, terms and conditions of employment, opportunities for promotion, transfer, layoffs, return from a layoff, training and development, and other privileges of employment. An integral part of Duquesne Light Holdings' commitment is to comply with all applicable federal, state and local laws concerning equal employment and affirmative action.

Duquesne Light Holdings is committed to offering an inclusive and accessible experience for all job seekers, including individuals with disabilities. Our goal is to foster an inclusive and accessible workplace where everyone has the opportunity to be successful.

If you need a reasonable accommodation to search for a job opening, apply for a position, or participate in the interview process, connect with us at and describe the specific accommodation requested for a disability-related limitation.