Cybersecurity

Location: Oakland
Category: IT Infrastructure
Employment Type: Contract
Work Location: Hybrid
Job ID: 35305
Date Added: 11/01/2024

Cybersecurity Operations, Investigations, and Incident Response

Position Purpose
This individual contributor role is essential for shaping and enhancing the organization’s cybersecurity operations, cyber investigations, and incident response strategy. The position leads the Security Operations, Cyber Investigations, and Incident Response capabilities, including oversight of third-party managed services. It requires strong communication and relationship-building skills for engaging with all audiences, from executives to non-technical stakeholders, as well as a solid technical background and relevant field experience.

Primary Responsibilities

  • Develop and implement strategies to improve the effectiveness of the Security Operations Center (SOC), threat detection, and incident response capabilities in collaboration with technology teams.
  • Provide coaching and feedback to third-party security operations staff, ensuring compliance with Key Performance Indicators (KPIs) and escalating any non-compliance issues.
  • Lead the development and maintenance of quality SOC playbooks, guiding the third-party team and contributing as necessary.
  • Serve as Cyber Incident Commander during cyber incidents, executing Cyber Security Incident Response Team (CSIRT) playbooks and effectively managing the response involving cross-functional teams and executives.
  • Oversee cybersecurity investigations and incident handling, coordinating with in-house experts based on the nature of incidents.
  • Develop and conduct incident response tabletop exercises and simulations at least twice a year.
  • Analyze security incidents to identify root causes and recommend corrective actions.
  • Partner with platform owners to implement threat detection and monitoring strategies.
  • Communicate confidently with executive leadership regarding cybersecurity operations and incidents.
  • Collaborate with security engineers and other technology teams to advise on and implement improvements to detection and monitoring platforms.
  • Provide regular updates and reports to senior management and stakeholders.
  • Prioritize and recommend necessary improvements in alignment with overall cybersecurity and technology strategies.

Key Performance Indicators

  • Ensure accountability of security operations partners regarding KPIs outlined in contractual obligations and initiate escalations for unmet KPIs.
  • Handle cybersecurity events, investigations, and validations within internal service level agreements (SLAs).
  • Improve security tooling and communication efficiency, advancing automation to reduce manual efforts in investigations.
  • Successfully implement CSIRT playbooks during incidents.
  • Conduct at least two internal incident response tabletop exercises yearly, with one involving C-level executives every 2-3 years.

Position Requirements

  • 7+ years of relevant professional experience.
  • 5+ years of experience in cybersecurity incident handling, incident response, and security operations, including 2 years overseeing a third-party managed service provider.
  • Bachelor’s degree in Cybersecurity, Computer Science, or related discipline, or equivalent practical experience.
  • CISSP certification preferred; candidates without certification are encouraged to pursue it within one year of employment.
  • Proven experience managing an external managed service provider to maintain KPIs and service levels.

Knowledge, Skills & Abilities

  • Exceptional written and verbal communication skills for presenting technical topics to diverse audiences.
  • Experience leading a CSIRT team, including interactions with executives, and developing audience-specific reports and presentations.
  • Proficient in incident handling/response techniques within cloud environments (AWS/Azure/GCP).
  • Confident in engaging with executive leaders, legal teams, auditors, and external assessors during security incidents.
  • Strong documentation skills related to incident response analysis.
  • Expertise in cybersecurity attacks, tools, techniques, and advanced threat management.
  • Ability to tune correlation rules in SIEM and SOAR platforms.
  • Familiarity with SIEM, DLP, CASB, EDR, NDR, and other threat detection platforms.
  • Excellent analytical, problem-solving, and interpersonal skills, with composure in high-stress situations.
  • Knowledge of digital forensics tools and techniques, including experience in forensic analysis and evidence handling.
  • Familiarity with the MITRE ATT&CK framework and the VERIS framework for classifying incidents.
  • Experience with Splunk and Splunk Enterprise Security (ES) is a plus.
  • Relevant certifications such as C|EH, CISA, CISM, CSSLP, GIAC, CompTIA Security+, and AWS/Azure certifications are advantageous.

Working Conditions
This is a hybrid position requiring at least three days a week in the office for candidates within 45 miles of downtown Minneapolis. No relocation assistance will be offered.
