Job Summary:
WHAT THIS ROLE WILL DOIncident Command and Coordination- Serve as the primary Incident Commander for all high-severity (SEV-1 / SEV-2) cyber incidents, owning the full response lifecycle from declaration through closure under an ICS-aligned model - with the depth to lead simultaneous active incidents without degraded performance.
- Architect and enforce the incident battle rhythm at an advanced level: establish and adapt sync cadences mid-incident, drive the task board with precision, assign owners and enforce accountability across security engineering, threat hunting, CTI, IT, legal, privacy, comms, and business units - with no ambiguity about who owns what.
- Translate complex technical findings (MITRE ATT&CK technique chains, kill chain progression, diamond model pivots, attacker TTPs, indicators of compromise and attack) into authoritative situational awareness for non-technical stakeholders, drawing on first-hand knowledge of how these frameworks apply in live environments.
- Anticipate and eliminate critical path blockers before they become delays: containment actions, evidence preservation, regulatory and contractual notification clocks, scope creep signals, and remediation milestones - with proven instincts built from repeated high-pressure experience.
- Make independent, time-sensitive decisions on severity classification, scope expansion, external support activation (IR retainer, outside counsel, forensics, cyber insurance), and incident closure criteria. Escalate strategically - not reflexively.
- Mentor and guide junior IR coordinators and incident commanders in real time during live incidents, building organizational depth without sacrificing response velocity.
Executive and Stakeholder Communication- Own the executive communication stream at the highest level during incidents: produce polished, defensible written situation reports (sitreps) on a predictable cadence and deliver verbal briefings to CISO, CIO, General Counsel, and C-suite with the confidence and authority of someone who has done it under fire.
- Produce expert-level stakeholder-tailored messaging with no ramp-up required: deep technical framing for SOC and engineering, risk and financial impact framing for executives, and clear plain-language updates for business partners - adjusting in real time as incident facts evolve.
- Lead coordination with Legal, Privacy, Corporate Communications, and Investor Relations on external notifications, regulatory filings (SEC 8-K for material cyber incidents, state breach laws, GDPR, HIPAA where applicable), and customer disclosures - navigating competing priorities with sound judgment and legal fluency.
- Own and deliver board-level reporting on significant incidents, ensuring appropriate privilege protections under counsel direction, with the gravitas and precision that board audiences require.
- Proactively identify communication gaps and systemic messaging failures in past incidents and develop improved templates, protocols, and training to close them.
Documentation and Evidence Discipline- Maintain and enforce the authoritative incident timeline standard in real time during response - capturing decisions, actions, owners, timestamps, and supporting artifacts with a level of discipline that withstands legal and regulatory scrutiny.
- Own chain of custody and evidence handling requirements end-to-end, ensuring forensic artifacts, logs, and investigative outputs are documented to a standard defensible in litigation, regulatory investigation, or law enforcement engagement.
- Lead after-action reports (AARs) and blameless post-incident reviews that go beyond timeline reconstruction to identify systemic root causes, contributing organizational factors, and corrective actions with owners, due dates, and measurable closure criteria.
- Continuously mature the IR documentation library - playbooks, runbooks, RACI matrices, escalation paths, contact trees, and communication templates - versioning with rigor and ensuring content reflects current threat landscape and organizational changes.
Program Management and Readiness- Design and lead a sophisticated annual tabletop and functional exercise program - including executive-level simulations, cross-functional full-scale drills, and red team / IR integration exercises - capturing findings, tracking remediation, and measuring year-over-year maturity.
- Own IR program metrics at a strategic level: MTTD, MTTC, MTTR, SLA adherence, exercise coverage, corrective action aging, and program maturity scoring. Produce executive and board reporting that drives resource investment and organizational prioritization.
- Drive enterprise alignment to NIST SP 800-61r3, NIST CSF 2.0, and applicable regulatory frameworks (SEC cyber disclosure, state AG requirements, sector-specific regulators), translating requirements into operational IR program obligations with clear ownership.
- Lead the management of third-party IR retainer relationships, MDR providers, cyber insurance carriers, and law enforcement liaisons - including contract negotiation, SLA definition, joint exercise execution, and activation readiness validation.
- Partner deeply with CTI, threat hunting, red team, and security engineering to ensure IR lessons learned are systematically converted into improved detections, prioritized control gaps, and hardened playbooks - closing the loop between response and prevention.
- Shape and drive the multi-year IR program strategy, including capability roadmaps, headcount planning inputs, tooling investments, and organizational design recommendations.
WHAT THIS PERSON WILL BRING - Required Qualifications- 10+ years in cybersecurity, with at least 6-7 years directly leading incident response operations at enterprise scale - not adjacent to it.
- Deep, hands-on experience as a primary incident commander on multiple major incidents across diverse attack scenarios (ransomware, data exfiltration, business email compromise, insider threat, cloud compromise, nation-state activity, or equivalent) with demonstrable ownership from declaration through post-incident closure.
- Expert-level fluency in MITRE ATT&CK, cyber kill chain, diamond model, and IR frameworks (NIST SP 800-61, SANS PICERL) - applied in live incidents, not just cited. Able to challenge and interrogate technical findings with authority, identify gaps, and redirect responders in real time.
- Mastery of executive-level written and verbal communication under pressure. Able to produce a defensible sitrep in under 10 minutes mid-incident, calibrated for audience, and structured to support decision-making - not just information sharing.
- Advanced program and project management skills: experienced running concurrent live incidents with multiple workstreams, enforcing accountability across organizational boundaries, and managing the program in steady state simultaneously.
- Comprehensive knowledge of regulatory and legal obligations for cyber incidents - SEC disclosure (including 8-K material incident determinations), state breach notification, GDPR, HIPAA, PCI-DSS, and contractual notification clauses - with the confidence to advise counsel rather than simply receive direction.
- Prior experience in a Fortune 500, large-scale entertainment/media/technology company, or heavily regulated industry (financial services, healthcare, critical infrastructure, defense), or equivalent consulting engagement manager experience at a major IR firm (Mandiant, CrowdStrike, Unit 42, Kroll, or similar).
- At least one industry certification demonstrating sustained commitment to the discipline: GCIH, GCFA, GCIA, CISSP, CISM, or equivalent. ICS-300/400 a strong plus.
- Must be US-based and authorized to work in the United States without sponsorship. Must be available outside business hours and carry a formal on-call rotation for major incidents.
WHAT THIS PERSON WILL BRING - Preferred Qualifications- Demonstrated experience building or materially maturing an enterprise IR program from the ground up - including capability gap assessments, tooling selection, playbook authorship, and team development.
- Advanced cloud incident response experience across two or more major platforms (AWS, Azure, GCP) including cloud-native forensics, identity-based attacks, and container/serverless compromise scenarios.
- Experience with OT/ICS incident response or third-party/supply chain incident response in complex, multi-vendor environments.
- Deep familiarity with IR orchestration and case management tooling (ServiceNow SIR, Jira, Resilient, Swimlane, Tines, TheHive) and the ability to drive tooling improvements and workflow automation.
- Experience developing and delivering IR training programs, mentoring junior incident coordinators, or building IR capability within a security operations organization.
- Exposure to threat intelligence integration in IR workflows - including consuming and directing CTI outputs during live incidents to sharpen containment and attribution decisions.
Skills and Attributes- Commanding presence under pressure. Runs bridge calls with 30+ stakeholders, cuts through noise, maintains task focus, and projects confidence that steadies the room.
- Writes with precision and economy. Every word earns its place - especially in a sitrep at 2 AM with a C-suite audience.
- High ownership, low ego. Pushes back on executives with facts, confidence levels, and recommended courses of action - then executes without friction.
- Forensic attention to documentation discipline without losing operational momentum.
- Senior business judgment: knows when a situation has changed, when to pull external resources, when to escalate to the board, and when to hold steady. Earns trust quickly.
- Trusted strategic partner to Legal, Privacy, and Compliance - fluent in privilege, evidence preservation, regulatory clocks, and the intersection of legal strategy and incident operations.
- Multiplier effect on the team: raises the game of every IR practitioner in the room by modeling excellence, providing real-time coaching, and holding a high standard.
Work Location and Travel- United States-based required. Remote eligible with a strong preference for candidates located in or able to maintain consistent overlap with US Eastern or Central time zones for executive cadence and on-call response.
- Occasional travel (up to 20 percent) for exercises, major incident activations, leadership offsites, and IR retainer/partner relationship management.
BENEFITS & PERKSOur motto is 'Taking Care of Our Own' through 6 pillars of benefits:
HEALTH: Medical, vision, dental and mental health benefits for you and your family, with access to a health care concierge, and Flexible or Health Savings Accounts (FSA or HSA)
YOURSELF: Free concert tickets, generous paid time off including paid holidays, sick time, and personal days
WEALTH: 401(k) program with company match, stock reimbursement program
FAMILY: New parent programs including caregiver leave, plus fertility, adoption, foster, or surrogacy support
CAREER: Career and skill development programs with School of Live, tuition reimbursement, and student loan repayment
OTHERS: Volunteer time off, crowdfunding match