Cybersecurity Operations & Incident Response Lead

About The Position

Requirements

• Demonstrated success operating in hybrid environments spanning on-prem AD, Entra ID (Azure AD), Okta, Azure, Microsoft 365, Zscaler, and containerized workloads/APIs.
• Hands-on expertise with SIEM/SOAR, EDR, log pipelines, and detection content development including tuning and QA.
• Proven incident commander for high-impact events; adept with forensics, scoping, containment, and executive communication.
• Strong vulnerability management leadership across technology areas, including risk-based prioritization and remediation orchestration.
• Familiarity with MITRE ATT&CK, cyber kill chain, and threat-led validation (purple teaming).
• Experience managing outsourced SOC/MSSP providers with measurable improvements to signal quality and response times.
• Excellent communication skills—able to translate technical risks into business terms and influence across stakeholders.
• Familiarity with scripting or automation tools (e.g., Python, TypeScript) to streamline operations processes.
• 8+ years in Security Operations, Incident Response, Detection Engineering, or Threat Hunting.
• 3+ years team lead experience.
• Bachelor’s degree in Information Security, Computer Science, or related field, or equivalent practical experience.

Nice To Haves

• Prior experience in a regulated environment (finance, healthcare, etc.) is strongly preferred.

Responsibilities

• Own SIEM/SOAR strategy and daily operations; drive log onboarding, normalization, and high-fidelity detections across the entire technology landscape, including but not limited to: Core technology infrastructure: Active Directory Domain Services, Entra ID, Okta, Azure control plane, Zscaler, Windows and macOS endpoints, hybrid network; Productivity/G&A systems: M365, SaaS; Business-specific systems: Azure IaaS/PaaS services, custom-developed API services, banking core, financial ledger and reporting systems.
• Coordinate with Engineering and IT to build detection engineering into system development lifecycle.
• Develop, test, and maintain detection content (e.g., KQL/Sigma), alert routing, and enrichment pipelines that reduce noise and increase true-positive rates.
• Integrate threat intelligence (strategic, operational, and technical) into detections and response workflows.
• Serve as incident response commander for high-severity incidents; coordinate cross-functional responders in Infrastructure, IT, Engineering, Legal, and Compliance.
• Build, maintain, and continuously improve standard operating procedures (SOPs), runbooks, and playbooks.
• Maintain and exercise incident response plans through tabletop and similar activities.
• Mature evidence handling, forensics workflows, and case management; ensure accurate timelines and regulator-ready documentation.
• Drive post-incident reviews with measurable corrective actions (people/process/technology) and executive readouts.
• Own the vulnerability management lifecycle, ensuring coverage of vulnerability discovery, triage, and management across servers, endpoints, network, cloud subscriptions, containers/images, and custom APIs.
• Prioritize remediation using risk-based scoring and exploit intelligence.
• Track configuration and identity hygiene (e.g., privileged accounts, conditional access, MFA coverage, device compliance) and partner with owners to close gaps.
• Building and maturing a threat hunting and purple team function as part of the overall Security & Threat Operations maturation roadmap.
• Lead day-to-day oversight of the third-party SOC: queue hygiene, case quality, SLAs, runbook adherence, and continuous tuning to our environment.
• Ensure vendor tooling integrations, data retention, and access are compliant with Coastal policies and regulatory expectations.
• Establish operating rhythms (standups, metrics reviews, post-incident retrospectives) and standard operating procedures for response, containment, eradication, and recovery.
• Build and maintain a Security and Threat Operations strategy in coordination with the Director of Security Engineering and Operations, CISO, and other stakeholders, including software engineering, data engineering, and IT.
• Develop and report on KPIs and KRIs for the Security and Threat Operations function.
• Align SecOps processes to FFIEC/GLBA expectations and industry frameworks (NIST CSF and Cyber Risk Institute Profile).
• Prepare evidence for audits/exams; provide clear, actionable metrics and board-level reporting on SOC performance, incident trends, control coverage, and risk reduction.
• Partner with Legal, Compliance, Privacy, and Third-Party Risk on obligations and notifications.
• Coach analysts on analytical rigor, bias reduction, and structured investigations.
• Promote a blameless, learning-oriented culture that prizes speed, accuracy, and craftsmanship.

Benefits

• Medical Coverage
• Health Savings Account (HSA)
• Flexible Spending Accounts (FSA)
• Dental and Vision Insurance
• Life Insurance
• Long-Term /Short-Term Disability (LTD)
• Supplemental Benefits
• 401(k) Retirement Plan
• Paid Time Off
• Holidays