Citibank (Switzerland) AG
SOC Incident Response Manager - Senior Vice President
Citibank (Switzerland) AG, Irving, Texas, United States, 75084
## For additional information, please review .As a bank with a brain and a soul, Citi creates economic value that is systemically responsible and in our clients’ best interests. As a financial institution that touches every region of the world and every sector that shapes your daily life, our Enterprise Operations & Technology teams are charged with a mission that rivals any large tech company. Our technology solutions are the foundations of everything we do from keeping the bank safe, managing global resources, and providing the technical tools our workers need to be successful to designing our digital architecture and ensuring our platforms provide a first-class customer experience. We reimagine client and partner experiences to deliver excellence through secure, reliable, and efficient services. ## Responsibilities:* Lead, mentor, and manage a global team of 6-10 Security Operations Center Incident Responders, fostering a culture of excellence and continuous improvement.* Oversee and direct incident response functions, ensuring adherence to established playbooks and best practices across diverse computing environments.* Drive strategic initiatives to enhance incident detection, containment, and eradication capabilities.* Lead and support in-depth triage and investigations of urgent cyber incidents.* Manage team performance, conduct regular reviews, and facilitate career development for direct reports.* Ensure the team effectively performs host-based analytical functions (e.g., digital forensics, metadata, malware analysis, etc.) through investigating Windows, Unix-based, appliances, and Mac OS X systems to uncover Indicators of Compromise (IOCs) and/or Tactics, Techniques and Procedures (TTPs).* Oversee the creation and tracking of metrics based on the MITRE ATT&CK Framework and other standard security-focused models, using these to drive continuous improvement.* Lead collaboration with application and infrastructure stakeholders to identify key components and information sources such as various environments (on-premises versus other distributed systems), servers, workstations, middleware, applications, databases, logs, etc.* Direct incident response efforts using forensic and other custom tools to identify sources of compromise and/or malicious activities.* Collaborate with global multidisciplinary groups for triaging and defining the scope of large-scale incidents.* Direct the documentation and presentation of investigative findings for high-profile events and other incidents of interest to senior leadership.* Lead and participate in readiness exercises such as purple team, table tops, etc.* Develop and implement training programs for junior and mid-level colleagues on relevant best practices and advanced incident response techniques.* Act as a key escalation point for critical incidents and provide expert guidance to the team.* Bachelor's degree in a technically rigorous domain such as Computer Science, Information Security, Engineering, Digital Forensics, etc.* 10+ years of professional experience in cybersecurity and/or information security, or demonstrated equivalent capability.* 5+ years hands-on working in cyber incident response and investigations, with at least 3 years in a leadership or management capacity, overseeing medium to large global teams, with exposure to various computing environments including cloud and traditional infrastructure.* Proven experience in leading, mentoring, and developing technical teams.* Demonstrated expertise or oversight in Dev/Sec/Ops practices within various computing environments.* Deep understanding and experience with common services and platforms from a security and incident response perspective.* Proven experience leading or directing forensic investigations or large-scale incident response efforts across diverse environments.* Strong understanding and strategic leadership in containerization methods and tools (e.g., Docker, Kubernetes), including incident response and digital forensics considerations.* Advanced certifications (e.g., GIAC, CISSP) in security or equivalent expertise.* Demonstrated ability to lead teams in analyzing and pivoting through large data sets during incident investigations.* Extensive experience in leading digital forensics (e.g., computer, network, mobile device forensics, and forensic data analysis) activities, including:
+ Memory collection and analysis from various platforms.
+ Evidence preservation, following industry best practices.
+ Familiarity with malware analysis and Reverse Engineering of samples (e.g., static, dynamic, de-obfuscation, unpacking).
+ In-depth file system knowledge and analysis.
+ In-depth experience with timeline analysis.
+ In-depth experience with Registry, event, and other log file and artifact analysis.
+ Hands-on experience with a DFIR toolset and related scripting.
+ Current expertise with an EDR system.* Multiple advanced GIAC (e.g., GCFE, GCFA, GREM, GCIH, GASF, GNFA, etc.) or other digital forensic and/or incident response certifications.* **Leadership & Mentorship:** Ability to inspire, motivate, and develop a high-performing global team.* **Strategic Thinking:** Capacity to define and execute incident response strategy aligned with business objectives.* **Communication:** Excellent verbal and written communication skills for presenting complex technical information to both technical and non-technical audiences, including senior management.* **Stakeholder Management:** Proven ability to build and maintain strong relationships with internal and external stakeholders.* **Decision-Making:** Sound judgment and decision-making skills under pressure during critical security incidents.* **Problem-Solving:** Advanced analytical and problem-solving skills to guide the team through complex technical challenges.* **Adaptability:** Ability to adapt to rapidly changing threat landscapes and evolving technologies.* Working knowledge of relational database systems and concepts (SQL Server, PostgreSQL, etc.).* Working knowledge of virtualization products (e.g., VMware Workstation).* Must have flexibility to work outside of normal business hours when necessary to lead incident response efforts.* Exceptional candidates from non-traditional backgrounds or who otherwise do not meet all of these criteria may be considered for the role provided they demonstrate sufficient skill and experience. #J-18808-Ljbffr
+ Memory collection and analysis from various platforms.
+ Evidence preservation, following industry best practices.
+ Familiarity with malware analysis and Reverse Engineering of samples (e.g., static, dynamic, de-obfuscation, unpacking).
+ In-depth file system knowledge and analysis.
+ In-depth experience with timeline analysis.
+ In-depth experience with Registry, event, and other log file and artifact analysis.
+ Hands-on experience with a DFIR toolset and related scripting.
+ Current expertise with an EDR system.* Multiple advanced GIAC (e.g., GCFE, GCFA, GREM, GCIH, GASF, GNFA, etc.) or other digital forensic and/or incident response certifications.* **Leadership & Mentorship:** Ability to inspire, motivate, and develop a high-performing global team.* **Strategic Thinking:** Capacity to define and execute incident response strategy aligned with business objectives.* **Communication:** Excellent verbal and written communication skills for presenting complex technical information to both technical and non-technical audiences, including senior management.* **Stakeholder Management:** Proven ability to build and maintain strong relationships with internal and external stakeholders.* **Decision-Making:** Sound judgment and decision-making skills under pressure during critical security incidents.* **Problem-Solving:** Advanced analytical and problem-solving skills to guide the team through complex technical challenges.* **Adaptability:** Ability to adapt to rapidly changing threat landscapes and evolving technologies.* Working knowledge of relational database systems and concepts (SQL Server, PostgreSQL, etc.).* Working knowledge of virtualization products (e.g., VMware Workstation).* Must have flexibility to work outside of normal business hours when necessary to lead incident response efforts.* Exceptional candidates from non-traditional backgrounds or who otherwise do not meet all of these criteria may be considered for the role provided they demonstrate sufficient skill and experience. #J-18808-Ljbffr