Director, Cyber Security Incident Response Team (CSIRT)

AstraZeneca
Gaithersburg, MD
$169,320 - $253,980
Hybrid

About The Position

The Director, CSIRT is a senior individual contributor leader in the Global Cybersecurity Operations Center (GSOC), based in Gaithersburg, Maryland, reporting to the Head of GSOC. You will command enterprise response to material cyber incidents across cloud, on‑premises, and OT/ICS environments, own incident governance and readiness, and drive executive reporting, lessons learned, and control hardening in partnership with Detection Engineering, CTI, Vulnerability Management, Offensive Security, IT, Legal, Risk and Compliance, and Physical Security.

Requirements

  • Proven command across cyber incident lifecycles, plans and playbooks.
  • Deep understanding of the incident lifecycle, from preparation to scoping, containment, eradication and remediation at enterprise scale.
  • Experienced in managing the collection, preservation and analysis of digital evidence and chain of custody; timeline reconstruction; attacker attribution; concise executive reporting.
  • Deep knowledge of the attack lifecycle (e.g., MITRE ATT&CK), timeline construction, and familiarity with attribution and common threat actor TTPs.
  • Experience with operationalization of modern security tools (SIEM, SOAR, XDR) including integration of artificial intelligence, large language models and agentic features to enable triage, analysis and eradication at scale.
  • Proficiency with logging prioritization and telemetry from industry standard cloud platforms, identity providers, operating systems and security tools.
  • Coordinating IR in industrial/OT environments with safety and production continuity considerations.
  • Comfortable building partnerships outside of cyber operations with legal, risk & compliance, physical security and other business collaborators relevant to incident response.
  • Maintaining IR retainer partner readiness; knowing when to escalate and how to integrate external specialists during major incidents.
  • Bachelor’s degree in information security, computer science, or related field (or equivalent experience).
  • Over five (5) years managing Cyber Security Operations Centre Incident Response in enterprise-sized organizations, commanding events across hybrid cloud, on-prem, and OT.
  • Experience integrating and working alongside global, 24x7, distributed teams to complete incident response and cyber operations missions.
  • Well-developed skills to explain complex technical issues in clear business terms, produce concise written material (executive updates, IR reports), and lead briefings.
  • Ability to analyze complex situations, assess risk, and balance strategic and tactical security requirements with business pragmatism, risk appetite, and innovation.
  • Demonstrated ability to collaborate across regions and functions (IT, Legal, GRC, Physical Security) with a strong service outlook.

Nice To Haves

  • Security certifications preferred (e.g., CISSP, CISM, GIAC such as GCIH/GCFA/GREM; CCSP; ITIL).

Responsibilities

  • Lead execution of the Incident Response (IR) plan to rapidly scope, contain, eradicate, and investigate incidents across hybrid and OT environments.
  • Define and maintain incident categories, severity, decision authorities, activation criteria, and crisis management handoffs.
  • Coordinate preservation, collection, and analysis with chain‑of‑custody rigor; in collaboration with Legal, manage asset litigation hold and retention as well as facilitation of artifact sharing for malware analysis and CTI.
  • Run regular tabletop and purple‑team exercises; ensure 24x7 coverage, seamless follow‑the‑sun handoffs with Regional SOCs, and retainer surge playbooks.
  • Operationalize agentic SIEM features, XDR and SOAR playbooks, LLM‑assisted runbooks, and automated triage packages to reduce MTTD/MTTC/MTTR.
  • Own IR targets/KRIs (e.g., MTTD, MTTC, MTTR, dwell time, business impact) and deliver executive‑ready briefings, dashboards, and quarterly lessons learned.
  • Orchestrate IR with IT, Legal, Privacy, Risk, Comms, Physical Security, and Insurance for notification obligations, privilege, and crisis communications.
  • Drive post‑incident detection and control improvements with Detection Engineering, Identity, Cloud, Endpoint, and OT teams.
  • Partner with Vulnerability Management and Offensive Security to prioritize testing and remediation informed by incident findings and CTI.
  • Develop and maintain CSIRT area plans aligned to GSOC strategy; set direction and goals with autonomy.
  • Define and review reporting and team targets; align objectives to incident outcomes and customer experience.
  • Maintain 24x7 on‑call rotations, surge models, and cross‑regional handoff standards.
  • Lead inclusive recruitment; build career paths and targeted upskilling in DFIR, cloud identity, OT/ICS, and automation/SOAR through regional/external partnerships.
  • Provide mentorship to junior CSIRT resources.

Benefits

  • short-term incentive bonus opportunity
  • equity-based long-term incentive program
  • retirement contribution
  • commission payment eligibility
  • qualified retirement program [401(k) plan]
  • paid vacation and holidays
  • paid leaves
  • health benefits including medical, prescription drug, dental, and vision coverage