Sr. Email Security Engineer-L3

The engineer acts as the final escalation point for email security incidents, leads incident response, and drives continuous improvement in detection efficacy and false positive control. Email is currently the top attack vector in most organizations. which is supported by vendors such as Trellix and Forcepoint that highlight email as a primary entry point for ransomware and targeted attacks.

Key Responsibilities

1. Advanced Support and Escalation Management

• Serve as the ultimate escalation point for incidents involving spam, phishing, malware, malicious URLs or attachments, spoofing, and BEC style attacks.
• Lead investigations where malicious or suspicious email has reached users. including message tracking, header analysis, sandbox results, and coordination with SOC.
• Coordinate rapid containment actions. such as mail claw back, quarantine tuning, or temporary blocks on senders and domains.

2. Policy Design, Configuration and Tuning

• Design and maintain email security policies on Cisco ESA. Forcepoint Email Security. Trellix or FireEye EX. and Trend Micro ScanMail to balance security with user experience.
• Configure anti spam, reputation filters, outbreak filters, sandboxing, URL rewriting or filtering, and attachment scanning or blocking policies.
• Tune policies based on false positive or false negative feedback, threat intel, and SOC data. with clear approval workflows.
• Maintain TLS encryption policies for inbound and outbound email and coordinate certificate management with PKI and messaging teams.

3. Email Authentication and Trust Controls

• Implement and maintain SPF, DKIM, and DMARC policies in collaboration with DNS and messaging teams to reduce spoofing and domain abuse.
• Review authentication failures and adjust alignment policies while protecting legitimate business flows.

4. Email DLP and Data Protection Integration

• Work closely with Data Protection and DLP engineers to integrate Forcepoint DLP and classification or DRM policies on email channels. ensuring sensitive data is detected and controlled.
• Support design and tuning of DLP policies for PII, financial data, and other regulated data types in line with SAMA CSF and NCA ECC requirements.
• Manage workflows for DLP incidents, exceptions, and business approvals.

5. Incident Response, Threat Hunting and Reporting

• Lead response during major email-based incidents, such as large phishing campaigns or malware outbreaks.
• Run targeted searches or threat hunting across email logs to identify additional impacted users or campaigns.
• Produce detailed RCAs and management reports for high impact email incidents.
• Provide regular metrics. spam or phishing blocks, malware detections, BEC attempts, and false positive rates.

6. Governance, Compliance and ITIL

• Execute changes through change management with impact assessment, back out plans, and testing.
• Ensure email security configurations and monitoring comply with SAMA CSF, NCA ECC, and internal policies for secure communications, data protection, and logging.
• Maintain audit ready evidence. policy exports, configuration baselines, test results, incident records, and approvals.

7. Collaboration and Stakeholder Engagement

• Work with messaging and collaboration teams for routing, hybrid cloud mail, and migration projects.
• Coordinate with L3 Network Security Engineer when issues cross layers such as TLS handshakes, DNS, or connectivity.
• Align with SOC, SIEM, and threat intel teams to improve detection logic and response playbooks.
• Engage with the Security Compliance Officer to produce evidence for audits and regulatory reviews.

Tooling Scope

Must have deep hands on experience in at least two, and working knowledge of all

• Cisco Secure Email or ESA or IronPort. secure email gateway and advanced threat protection.
• Forcepoint Email Security Gateway. including anti phishing, sandboxing, and DLP capabilities.
• Trellix or FireEye Email Security EX or Email MPS. advanced sandboxing, URL and attachment analysis.
• Trend Micro ScanMail for Exchange.

Good to have

• Integration experience with Forcepoint DLP, Fortra Titus, Seclore, and SIEM platforms.

Required Qualifications

• Bachelor s degree in computer science, Information Security, or related field.
• Minimum 7 years in cybersecurity or messaging security, with at least 4 years dedicated to secure email gateway and email threat protection platforms in large enterprises.
• Strong understanding of SMTP, MIME, TLS for email, DNS, authentication standards such as SPF, DKIM, DMARC, and common email attack techniques.

Desired Skills and Certifications

• Vendor certifications for at least one secure email platform. for example Cisco Email Security, Forcepoint Email Security, Trellix or FireEye Email Security, Trend Micro ScanMail or similar.
• ITIL Foundation or practical experience with Change or Incident Management.
• CISSP, CCSP, or similar certifications are a plus.