CSIRT Manager

About The Position

Requirements

• Bachelor’s degree (or equivalent experience) in Cybersecurity, Computer Science, or related field.
• 5+ years in SOC/IR roles with 2+ years managing incident response teams or programs in large, distributed enterprises.
• Demonstrated leadership during high/critical incidents and familiarity with crisis management communications per established escalation matrices.
• Hands on knowledge of SIEM/SOAR, EDR, network security monitoring, IA detection & Response tools/ framework and cloud/identity telemetry; strong grasp of attacker TTPs and enterprise hardening.
• Experience operating to structured IR frameworks (e.g., NIST style lifecycle) and running formal after action/lessons learned cycles integrated with use case/playbook updates.
• Excellent written/oral communication, stakeholder management, and executive reporting skills; comfortable presenting in MBRs and steering forums.

Nice To Haves

• Prior leadership within a CSIRT/CSOC supporting multiple regions and product/OT security stakeholders.
• Certifications: GCIH, GCFA/GNFA, GCIA, CISSP, OSCP (or comparable).
• Experience with threat-informed defense (MITRE ATT&CK), KPI/SLA governance, and MSSP/retainer management.
• Familiarity with worldwide privacy/security obligations and incident communication expectations in regulated, multi-jurisdictional environments (in partnership with Legal/Privacy).

Responsibilities

• Own the IR Lifecycle & Escalation: Direct the end-to-end response across preparation, detection/analysis, containment, eradication, recovery, and post incident.
• Lead & Develop the Team: Manage, mentor, and schedule CSIRT analysts and leads across shifts and on call rotations within the distributed regional model; drive skills development and readiness.
• Command During Crises: Serve as Incident Commander for high/critical events and integrate the right SMEs into the crisis cell, ensuring disciplined communications and handoffs as defined in the CSIR crisis process.
• Metrics & Reporting: Establish, track, and improve KPIs/SLAs (e.g., MTTD, MTTR, containment time, PIR completion) and present status in monthly business reviews and dashboards.
• Playbooks, Use Cases & Lessons Learned: Ensure playbooks/response procedures are current and threat informed; feed PIR insights back into detections, SOAR workflows, and control hardening in partnership with platform engineering and detection teams.
• Cross Functional Orchestration: Coordinate with CDOC other products (CTI, Redteam, Monitoring) and Legal/Privacy, Comms, and business/IT/Cloud owners; align to the SOC Target Operating Model and service catalogue.
• Threat Informed Response: Consume and task Cyber Threat Intelligence and threat hunting to guide scoping, IOCs, and hypotheses; ensure bidirectional feedback between CTI, Red Team, and CSIRT.
• Tooling & Case Management: Ensure consistent use of the incident/case platform and evidence handling procedures; maintain audit ready documentation and artifacts.
• Vendor & Retainer Oversight: Govern IR retainer(s) and MSSP engagements; validate service performance and integration with internal processes.
• Compliance & Governance: Ensure incident handling aligns with Stellantis policy, applicable regulations, and internal governance boards; prepare materials for audits, PIRs, and leadership readouts (per SOC governance and crisis documentation).