Incident Response Lead

Job Summary

The Incident Response (IR) Lead leads a 24/7 virtual team who monitor and respond to ISIRT major incidents. This role requires management of Incident Response activities and team communication with SOC analysts, SME and other IT technical personnel. This role is also required to work closely with stakeholders and cybersecurity’s leadership team. Additionally, the Incident Response Lead will ensure staff members prioritize their work related to suspected and confirmed incidents, which may vary in severity and impact. The Incident Response Lead will direct analysts to investigate, validate, remediate and communicate known details about the incident and is a point of contact for escalation.

Due to coverage requirements, this is a permanent position based in a country within the Asia time zone.

What you will do

Role and responsibilities:

The Incident Response Lead will analyze and organize to help the team rank complex work. As a central figure, Incident Response Lead brings order to a fast-paced, constantly evolving operation. Incident Response Lead to enforce policies, playbooks and methodologies, which have been adopted for the best course of action.

Personal, organizational, communication and analytical skills are vital, as well as the ability to communicate effectively with cybersecurity leadership. This role requires technical aptitude, and managers are also expected to be adept at working well with people who will be under stress and subject to burnout.

Key Responsibilities:

• Manage a team of incident responders for ISIRT response and interact with cybersecurity leadership and business stakeholders.
• Coordinate and ensure ISIRT incidents are prioritized at all hours of the day.
• Implement a cross-functional team of analysts working closely with cybersecurity, IT and developers.
• Serve as a point of escalation and incident commander.
• Review ISIRT incidents that may be related to ransomware, host compromise, account compromise, phishing, anomalous user behavior, third parties and data leakage.
• Ensure the ISIRT response team is following processes embraced by leadership and adhering to best practices.
• Measure and give feedback to the team to improve mean time to respond, key performance indicators (KPIs) and service-level objectives.
• Proactively adjust to upcoming company changes affecting the operation to modify ISIRT response processes.
• Possess advanced knowledge of attackers’ methods of escalation; lateral movement; and tactics, techniques and procedures.
• Present incident analysis and trend reporting to leadership, highlighting KPIs.
• Review events and process effectiveness and make recommendations for change to leadership.
• Require participation in ISIRT tabletop exercises designed to identify gaps, improve skills, enhance communication and engage with key stakeholders.
• Oversee IR playbooks, policies, procedures and guidelines to ensure they align with industry best practices.
• Collaborate with infrastructure, IT, vulnerability, threat intelligence and application security leads.
• Participate in monitoring internal and external events and stay tightly aligned with infrastructure and third-party, hosted, on-premises and end-user systems.
• Review and communicate ISIRT incident details from initial investigation through root cause analysis and post-mortem.
• Maintain operational rigor and recognize when team members need time away to refocus and refresh.
• Identify strengths and weaknesses in ISIRT team members and provide training to improve skills and knowledge.
• Remain current with emerging threats and share knowledge with colleagues to improve incident response. Perform other duties as assigned.

We believe you have

Strong organizational and team management skills are required to excel in this role, as well as previous experience in security administration, IR and security operations center (SOC) roles.

• Seven-plus years’ experience in security administration and SOC, with three-plus years’ security IR.
• Demonstrated experience leading people both in person and remotely distributed.
• Self-aware and capable of remaining calm under intense pressure.
• Strong written and oral communication skills across varying levels of the organization.
• Excellent judgment and the ability to make quick decisions when working with complex situations.
• Organized, with the ability to prioritize and respond within defined SLAs and maintain composure.
• Understanding of threats and vulnerabilities, as well as principles of ISIRT incident response and chain of custody.
• Knowledge with multiple solutions such as security orchestration, automation and response; SIEM; threat intelligence platform; directory services; malware sandboxes; vulnerability management; MITRE ATT&CK; IR playbooks; and endpoint/extended detection and response
• Generally familiar with one or more but not limited to: NIST, ISO 27001, NIS 2, CRA
• Track record of acting with integrity, taking pride in work, seeking to excel, and being curious and flexible.
• High degree of integrity, trustworthiness, professionalism and character.

Education Requirements:

• Bachelor’s degree preferred in cybersecurity, computer science, engineering or related field.
• Certification in CRISC, CISSP, CISA, CISM will be a plus.