Incident Response Advanced Lead - US

Live Nation Entertainment
Work From Home - California, CA
$140,000 - $175,000
Remote

About The Position

Live Nation Entertainment is the world’s leading live entertainment company, comprising global market leaders: Ticketmaster, Live Nation Concerts, and Live Nation Media & Sponsorship. This role serves as the primary Incident Commander for high-severity cyber incidents, owning the full response lifecycle. The position requires deep expertise in incident command, executive communication, documentation, and program management within a large-scale enterprise environment. The ideal candidate will be passionate, motivated, resourceful, and innovative, with a strong entrepreneurial spirit.

Requirements

  • 10+ years in cybersecurity, with at least 6–7 years directly leading incident response operations at enterprise scale.
  • Deep, hands-on experience as a primary incident commander on multiple major incidents across diverse attack scenarios (ransomware, data exfiltration, business email compromise, insider threat, cloud compromise, nation-state activity, or equivalent) with demonstrable ownership from declaration through post-incident closure.
  • Expert-level fluency in MITRE ATT&CK, the cyber kill chain, the Diamond Model, and IR frameworks (NIST SP 800-61, SANS PICERL), applied in live incidents.
  • Able to challenge and interrogate technical findings with authority, identify gaps, and redirect responders in real time.
  • Mastery of executive-level written and verbal communication under pressure.
  • Able to produce a defensible sitrep in under 10 minutes mid-incident, calibrated for audience, and structured to support decision-making.
  • Advanced program and project management skills: experienced running concurrent live incidents with multiple workstreams, enforcing accountability across organizational boundaries, and managing the program in steady state simultaneously.
  • Comprehensive knowledge of regulatory and legal obligations for cyber incidents: SEC disclosure (including Form 8-K material incident determinations), state breach notification laws, GDPR, HIPAA, PCI DSS, and contractual notification clauses.
  • Prior experience in a Fortune 500, large-scale entertainment/media/technology company, or heavily regulated industry (financial services, healthcare, critical infrastructure, defense), or equivalent consulting engagement manager experience at a major IR firm (Mandiant, CrowdStrike, Unit 42, Kroll, or similar).
  • At least one industry certification demonstrating sustained commitment to the discipline: GCIH, GCFA, GCIA, CISSP, CISM, or equivalent.
  • Must be US-based and authorized to work in the United States without sponsorship.
  • Must be available outside business hours and carry a formal on-call rotation for major incidents.

Nice To Haves

  • ICS-300/400 a strong plus.
  • Demonstrated experience building or materially maturing an enterprise IR program from the ground up — including capability gap assessments, tooling selection, playbook authorship, and team development.
  • Advanced cloud incident response experience across two or more major platforms (AWS, Azure, GCP) including cloud-native forensics, identity-based attacks, and container/serverless compromise scenarios.
  • Experience with OT/ICS incident response or third-party/supply chain incident response in complex, multi-vendor environments.
  • Deep familiarity with IR orchestration and case management tooling (ServiceNow SIR, Jira, Resilient, Swimlane, Tines, TheHive) and the ability to drive tooling improvements and workflow automation.
  • Experience developing and delivering IR training programs, mentoring junior incident coordinators, or building IR capability within a security operations organization.
  • Exposure to threat intelligence integration in IR workflows — including consuming and directing CTI outputs during live incidents to sharpen containment and attribution decisions.

Responsibilities

  • Serve as the primary Incident Commander for all high-severity (SEV-1 / SEV-2) cyber incidents, owning the full response lifecycle from declaration through closure under an ICS-aligned model.
  • Lead simultaneous active incidents without degraded performance.
  • Architect and enforce the incident battle rhythm at an advanced level: establish and adapt sync cadences, drive the task board, assign owners, and enforce accountability across various teams (security engineering, threat hunting, CTI, IT, legal, privacy, comms, business units).
  • Translate complex technical findings into authoritative situational awareness for non-technical stakeholders.
  • Anticipate and eliminate critical path blockers: containment actions, evidence preservation, regulatory and contractual notification clocks, scope creep signals, and remediation milestones.
  • Make independent, time-sensitive decisions on severity classification, scope expansion, external support activation, and incident closure criteria.
  • Escalate strategically.
  • Mentor and guide junior IR coordinators and incident commanders in real time during live incidents.
  • Own the executive communication stream at the highest level during incidents: produce polished, defensible written situation reports (sitreps) and deliver verbal briefings to CISO, CIO, General Counsel, and C-suite.
  • Produce expert-level stakeholder-tailored messaging for different audiences (SOC, engineering, executives, business partners).
  • Lead coordination with Legal, Privacy, Corporate Communications, and Investor Relations on external notifications, regulatory filings, and customer disclosures.
  • Own and deliver board-level reporting on significant incidents, ensuring appropriate privilege protections.
  • Proactively identify communication gaps and systemic messaging failures and develop improved templates, protocols, and training.
  • Maintain and enforce the authoritative incident timeline standard in real time.
  • Own chain of custody and evidence handling requirements end-to-end.
  • Lead after-action reports (AARs) and blameless post-incident reviews to identify systemic root causes and corrective actions.
  • Continuously mature the IR documentation library (playbooks, runbooks, RACI matrices, escalation paths, contact trees, communication templates).
  • Design and lead a sophisticated annual tabletop and functional exercise program.
  • Own IR program metrics at a strategic level: MTTD, MTTC, MTTR, SLA adherence, exercise coverage, corrective action aging, and program maturity scoring.
  • Produce executive and board reporting that drives resource investment and organizational prioritization.
  • Drive enterprise alignment to NIST SP 800-61r3, NIST CSF 2.0, and applicable regulatory frameworks.
  • Lead the management of third-party IR retainer relationships, MDR providers, cyber insurance carriers, and law enforcement liaisons.
  • Partner deeply with CTI, threat hunting, red team, and security engineering to ensure IR lessons learned are systematically converted into improved detections, prioritized control gaps, and hardened playbooks.
  • Shape and drive the multi-year IR program strategy, including capability roadmaps, headcount planning inputs, tooling investments, and organizational design recommendations.

Benefits

  • Medical, vision, dental and mental health benefits for you and your family
  • Access to a health care concierge
  • Flexible or Health Savings Accounts (FSA or HSA)
  • Free concert tickets
  • Generous paid time off including paid holidays, sick time, and personal days
  • 401(k) program with company match
  • Stock reimbursement program
  • New parent programs including caregiver leave
  • Fertility, adoption, foster, or surrogacy support
  • Career and skill development programs with School of Live
  • Tuition reimbursement
  • Student loan repayment
  • Volunteer time off
  • Crowdfunding match
  • Roadie Babies helping new parents care for their babies on work trips
  • Access to free live events through our exclusive employee ticketing program