Director of Cyber Threat Intelligence (CTI)

About The Position

Requirements

• Leadership and Strategic Impact: 10+ years in cyber threat intelligence, detection engineering, incident response, or related domains; 5+ years leading technical CTI teams in global enterprises. Demonstrated ability to set vision, influence strategy, and deliver outcomes tied to enterprise risk reduction.
• Decision Making and Accountability: Proven ownership of adversary-centric CTI programs that directly drive vulnerability prioritization, detections-as-code, hunts, and incident response. Comfortable making data-driven decisions with clear trade-offs and confidence levels.
• Technical Depth (ATT&CK Enterprise/ICS): Deep expertise mapping TTPs to MITRE ATT&CK, defining coverage strategies, and translating gaps into high-fidelity detections and hunt hypotheses; skilled in industrial/OT contexts.
• Attack Path Modeling and Risk Translation: Hands-on delivery of end-to-end attack paths across IT-to-OT pivots, clinical platforms, and R&D environments; validation via purple-team/adversary emulation; ability to convert findings into prioritized control roadmaps and measurable risk reduction.
• Adversary Prioritization and Scoring: Designed and operated tailored actor scoring incorporating intent/capability, TTP emergence/prevalence, org exposure to CVEs, and global/viral events; maintained dynamic watchlists and escalation triggers.
• Structured Attribution Tradecraft: Applied the Diamond Model and complementary frameworks with documented hypotheses, caveats, disconfirming evidence, and confidence statements; produced reusable actor profiles and pivot paths.
• Metrication (MTTI vs. MTTC): Built mean time-to-impact metrics per actor and operationalized comparisons to IR's mean time-to-containment to guide control improvements and track program effectiveness.
• Vulnerability Intelligence for Hardening: Delivered contextual CVE analysis (exploitability, weaponization, external scanning telemetry, compensating controls) and risk-based patch recommendations across IT, OT/ICS, clinical, and lab environments.
• Detection Engineering Collaboration: Co-developed detections-as-code (e.g., Sigma, KQL, SPL), tuned content to reduce false positives, and closed ATT&CK coverage gaps with feedback loops from hunts/incidents.
• Incident Intelligence Support: Provided real-time adversary context, kill-chain reconstruction, containment recommendations, and post-incident retrospectives that inform detection and architectural improvements.
• Collection, Tooling, and Automation: Operated dark web/closed-source monitoring; integrated findings into TIP/SIEM/EDR pipelines; managed indicator lifecycle, automated enrichment, and measured source fidelity/bias.
• Stakeholder Partnership and Communication: Clear, concise communication of complex technical intelligence to executives and cross-functional partners (Vulnerability Management, Detection Engineering, SOC/IR, OT Security, Clinical Ops, Research IT); ability to influence without authority.
• Education: Bachelor's degree in a relevant field (Computer Science, Information Security, Intelligence Studies, or equivalent experience).

Nice To Haves

• Sector Experience and Regulatory Context: Experience in pharmaceuticals, life sciences, healthcare, or manufacturing; familiarity with GMP/CSV, clinical data obligations, and R&D IP protection.
• OT/ICS and Critical Operations: Hands-on work with MES, SCADA, PLC ecosystems; ATT&CK for ICS usage; understanding of OT-safe response practices and production continuity implications.
• Clinical/R&D Platforms: Exposure to CTMS, EDC, IRT, ELN, LIMS, HPC, and data lake environments; experience safeguarding data integrity and sensitive research/IP.
• Program Metrics and Outcomes: Built dashboards tracking MTTI by actor, ATT&CK coverage indices, intel-informed patch SLAs, hunter ROI, and executive risk narratives; experience presenting to senior leadership and risk committees.
• Advanced Tooling/Automation: TIP administration, SIEM/EDR content engineering, enrichment/orchestration pipelines, case management integration, and indicator lifecycle automation at enterprise scale.
• Threat Modeling and Quantification: Ability to translate attack paths into quantified risk scenarios and prioritized control investments aligned to business objectives and crown jewels.
• External Partnerships: Active engagement with H-ISAC/ISAOs and government/industry partners; track record of rapidly converting global/viral cyber events into enterprise defenses and executive guidance.
• Certifications: One or more of GCTI, GREM, GRID, GCIH, CISSP, or equivalent demonstrated expertise
• People Leadership: Built diverse, high-performing teams; established career paths, coaching frameworks, and a culture of analytic rigor, technical excellence, and continuous improvement.

Responsibilities

• Program Leadership and Strategy: Define CTI vision, operating model, and roadmap aligned to AstraZeneca’s cyber risk reduction strategy, with special emphasis on manufacturing continuity, clinical data integrity, and R&D IP protection
• Adversary Prioritization Framework: Design and operate a scoring rubric that ranks actors based on intent/capability/relevance, TTP emergence and prevalence, organization-specific exposure to known vulnerabilities/CVEs, and global “viral” events , maintain ing dynamic watchlists and escalation triggers.
• MTTI Metric and Analytics: Implement analytic methods to estimate mean time-to-impact per adversary (from initial access to material business impact ) using internal telemetry, historical incidents, industry reporting, and confidence levels , performing comparisons with IR’s MTTC to drive control improvements.
• Attack Path Modeling: Build and maintain end-to-end attack path models from initial access to material impact across IT-to-OT pivots, clinical platforms, and R&D environments , map ping steps to MITRE ATT&CK (Enterprise/ICS), identify control gaps and choke points, derive detections-as-code and hunt hypotheses, and support validat ion efforts including purple-team exercises and adversary emulation to ensure enterprise hardening and measurable risk reduction.
• Dark Web and Closed-Source Monitoring: Establish collection and monitoring across dark web forums, marketplaces, breach dumps, and closed channels to identify emerging TTPs, credential leaks, data exposure, access-broker listings, and targeting of manufacturing, clinical, or R&D assets , integrat ing validated findings into TIP/SIEM pipelines, trigger takedown requests where feasible, and deliver rapid advisories with confidence ratings and specific actions for Vulnerability Management, Detection Engineering, and IR.
• Third-Party and Ecosystem Intelligence: Deliver risk insights for CROs/CMOs/ logistics /technology vendors, monitor credential leakage and domain spoofing, and support/coordinate takedown operations when needed.
• Structured Threat Actor Attribution (Diamond Model): Lead disciplined attribution using the Diamond Model (adversary, capability, infrastructure, victim) and complementary frameworks , correlat ing TTPs, tooling lineage, code-reuse, infrastructure overlaps, and victimology with confidence levels and analytic caveats , document ing hypotheses, alternative explanations, and disconfirming evidenc e, and produc ing reusable actor profiles and pivot paths that inform prioritization, detections, hunts, and incident response playbooks.
• Support Vulnerability Management: Partner with Vulnerability Management to contextualize CVEs (exploitability, weaponization, external scanning telemetry, compensating controls) and deliver risk-based patching prioritization across AstraZeneca’s estate including IT/OT, clinical platforms, and lab environments.
• Support Detection Engineering: Develop detection use cases to feed our detection-as-code pipeline and support detection ATT&CK coverage mapping, content tuning, and false-positive reduction, ensuring feedback loops from hunts and incidents continuously improve detection quality.
• Support GSOC/ Incident Response: Provide real-time adversary context that is highly technical including kill-chain reconstruction, containment recommendations, and countermeasures, producing post-incident intelligence retrospectives and detection/architecture improvements.
• Operational and Executive Reporting: Produce daily threat intelligence highlights , threat actor/campaign profiles, quarterly threat briefings, and other ad hoc intelligence products, ensuring products include quantified risk narratives for senior leadership that also alig n findings to regulatory expectations and business impact.
• Tooling and Automation: Optimize integrations across TIP, SIEM, EDR, case management, and telemetry; manage indicator lifecycle, automate enrichment, and measure source fidelity/bias.
• External Engagement: Lead participation with sector bodies (e.g., H-ISAC), peer sharing groups, and government/industry partners; track and assess global events and rapidly translate into actionable enterprise guidance.
• Team Leadership and Development: Recruit, mentor, and grow a diverse team of CTI analysts; build career paths, training plans, and knowledge-sharing practices; foster a culture of technical excellence and clear, actionable communication.

Benefits

• Benefits offered included a qualified retirement program [401(k) plan]; paid vacation and holidays; paid leaves; and, health benefits including medical, prescription drug, dental, and vision coverage in accordance with the terms and conditions of the applicable plans.