Program Manager, Cybersecurity Operations

Primary Responsibilities 

• Develop and implement strategies to enhance the SOC's effectiveness, threat detection, and incident response capabilities with other technology teams. 

• Provide coaching and feedback to third party security operations staff (responsible for level 1-2) and account manager(s). Ensure KPIs are maintained. Escalate non-compliance to contractual agreement(s). 

• Lead development and maintenance of quality SOC playbooks (direct third-party team and contribute as needed). 

• In the event of a cyber incident, will execute CSIRT (Cyber Security Incident Response Team) playbooks as Cyber Incident Commander which includes adhering directly to CSIRT playbooks and navigating the event(s) with confidence which includes VP+ level executives and mobilizing cross-functional teams. 

• Lead cybersecurity investigations and incident handling activities and coordinate with other in-house experts based on the nature of the event, notable or incident. 

• Develop and conduct incident response tabletop exercises and simulations at least twice annually (may or may not include engaging a third party to conduct the exercise) 

• Analyze security incidents to identify root causes and recommend and/or implement corrective actions. 

• Develop and implement threat detection and monitoring strategies in partnership with platform owners who may reside on other teams across the company. 

• Communicate effectively and confidently with executive leadership (VP and above) on the status of cybersecurity operations and incidents.  

• Partner closely with security engineers and other technology teams to advise and help implement improvements to detections, monitoring platforms and workflow platforms. 

• Provide regular updates and reports to senior management and relevant stakeholders. 

• Drive prioritization and ownership of improvements needed in alignment with overall cybersecurity and technology strategies, make thoughtful recommendations to leadership and when required, make well-crafted pitches for resources, technologies. 

Key Performance Indicators 

• Hold security operations partner(s) held accountable to KPIs outlined as part of contractual obligations and escalation procedures initiated where KPIs are not met. 

• Lead and execute cybersecurity events, notables, investigations and validations in accordance with internal service level agreements (“SLAs”). 

• Achieve improvements to comprehensive security tooling and communications, including advancing automations across technology teams to reduce manual steps and expedite investigations. 

• Successful execution of published CSIRT playbook(s) should an incident situation arise. 

• Conduct at least two internal incident response tabletops per year among internal technology teams and one every 2-3 years with C-level executives. 

Position Requirements 

• 7+ years of relevant professional experience. 

• 5+ years of demonstrated experience in cybersecurity incident handling, incident response and security operations, which includes at least 2 years of oversight of a third-party managed service provider.  

• BA/BS Degree in Cybersecurity, Computer Science, or related discipline, or equivalent practical experience. 

• CISSP Certification (exceeding years of confirmed experience can circumvent this requirement).  Non-CISSP-certified candidates would be encouraged to pursue CISSP certification as part of developmental expectations within one year of start date. 

• Proven experience in managing an outside managed service provider (e.g., MDR, SOC as service) to ensure KPIs and service levels are maintained. 

Knowledge, Skills & Abilities 

• Exceptional written and verbal communication skills to present technical topics to technical and non-technical audiences. 

• High level of comfort leading a CSIRT team which includes VP+ level executives and developing audience-targeted read outs and reports relating to incidents. 

• Proven experience in incident handling/incident response techniques within a cloud-based environment such as AWS/Azure/GCP 

• Interacts confidently with executive leaders in technology, legal, internal audit and our cybersecurity insurance provider(s), external counsel or external assessors/auditors and coordinates with internal and external stakeholders during security incidents which includes non-technical and/or executive stakeholders. 

• Experience with thorough, quality documentation around incident response analysis activities 

• Expertise in Cyber Security attacks, tools & techniques, and experience with Advanced Threat management  

• Ability to tune correlation rules and outcomes via security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms 

• Has a sound understanding of SIEM, DLP, CASB, EDR, NDR, operating systems, MITRE ATT&CK framework and other threat detection platforms 

• Excellent analytical, problem-solving, and interpersonal skills. Maintains composure during high stakes/high stress situations. 

• Knowledge of digital forensics tools and techniques (e.g., EnCase, FTK). Experience in conducting forensic analysis of compromised systems, including understanding of evidence handling and chain of custody procedures. 

• Proven experience and knowledge in the MITRE ATT&CK framework and VERIS Framework 

• Experience with Splunk and Splunk Enterprise Security (ES) are a plus. 

• Any of the following certifications are a plus:  C|EH, CISA, CISM, CSSLP, GIAC, CompTIA Security+, CCSP, GIAC, AWS/Azure Certifications. 

Working Conditions

This is a hybrid position that requires at least 3 days a week in our Minneapolis office for candidates within 45 miles of our downtown Minneapolis office. No relocation assistance will be offered. 

• Travel possible – up to 10%