# Director, Cyber Security Incident Response Team (CSIRT) **Company**: Cyber Security Defence Operations **Location**: Gaithersburg, Maryland, United States of America **Work arrangement**: hybrid **Experience**: senior **Job type**: full-time **Salary**: Annual base pay for this position ranges from $169,320.00 - $253,980.00 USD **Category**: IT **Industry**: Healthcare **Apply**: https://astrazeneca.eightfold.ai/careers/job/563877690452471?utm_source=yubhub.co&utm_medium=jobs_feed&utm_campaign=apply **Canonical**: https://yubhub.co/jobs/job_1f5156d5-e68 ## Description Leverage technology to impact patients and ultimately save lives. Do you have expertise in, and passion for, information technology? Would you like to apply your expertise to impact the IT strategy in a company that follows the science and turns ideas into life-changing medicines? If so, AstraZeneca might be the one for you! The Director, CSIRT is a senior individual contributor leader in the Global Cybersecurity Operations Center (GSOC), based in Gaithersburg, Maryland, reporting to the Head of GSOC. You will command enterprise response to material cyber incidents across cloud, on-premises, and OT/ICS environments, own incident governance and readiness, and drive executive reporting, lessons learned, and control hardening in partnership with Detection Engineering, CTI, Vulnerability Management, Offensive Security, IT, Legal, Risk and Compliance, and Physical Security. **Key Responsibilities:** - Lead execution of the Incident Response (IR) plan to rapidly scope, contain, eradicate, and investigate incidents across hybrid and OT environments. - Define and maintain incident categories, severity, decision authorities, activation criteria, and crisis management handoffs. - Coordinate preservation, collection, and analysis with chain-of-custody rigor; in collaboration with Legal, manage asset litigation hold and retention as well as facilitation of artifact sharing for malware analysis and CTI. - Run regular tabletop and purple-team exercises; ensure 24x7 coverage, seamless follow-the-sun handoffs with Regional SOCs, and retainer surge playbooks. - Operationalize agentic SIEM features, XDR and SOAR playbooks, LLM-assisted runbooks, and automated triage packages to reduce MTTD/MTTC/MTTR. - Own IR targets/KRIs (e.g., MTTD, MTTC, MTTR, dwell time, business impact) and deliver executive-ready briefings, dashboards, and quarterly lessons learned. - Orchestrate IR with IT, Legal, Privacy, Risk, Comms, Physical Security, and Insurance for notification obligations, privilege, and crisis communications. - Drive post-incident detection and control improvements with Detection Engineering, Identity, Cloud, Endpoint, and OT teams. - Partner with Vulnerability Management and Offensive Security to prioritize testing and remediation informed by incident findings and CTI. **People Leadership:** - Develop and maintain CSIRT area plans aligned to GSOC strategy; set direction and goals with autonomy. - Define and review reporting and team targets; align objectives to incident outcomes and customer experience. - Maintain 24x7 on-call rotations, surge models, and cross-regional handoff standards. - Lead inclusive recruitment; build career paths and targeted upskilling in DFIR, cloud identity, OT/ICS, and automation/SOAR through regional/external partnerships. Provide mentorship to junior CSIRT resources. **Knowledge, Experience, and Understanding of:** - Incident command & IR lifecycle: Proven command across cyber incident lifecycles, plans and playbooks. Deep understanding of the incident lifecycle, from preparation to scoping, containment, eradication and remediation at enterprise scale. - DFIR evidence handling: Experienced in managing the collection, preservation and analysis of digital evidence and chain of custody; timeline reconstruction; attacker attribution; concise executive reporting. - Attacker tradecraft (MITRE ATT&CK): Deep knowledge of the attack lifecycle (i.e. MITRE ATT&CK), timeline construction and familiarity with attribution and common threat actor TTPs - Automation & AI: Experience with operationalization of modern security tools (SIEM, SOAR, XDR) including integration of artificial intelligence, large language models and agentic features to enable triage, analysis and eradication at scale. - Cloud, identity, and endpoint visibility: Proficiency with logging prioritization and telemetry from industry standard cloud platforms, identity providers, operating systems and security tools. - Manufacturing Operational Technology/Industrial Control Systems: Coordinating IR in industrial/OT environments with safety and production continuity considerations. - Legal/regulatory & crisis communications: Comfortable building partnerships outside of cyber operations with legal, risk & compliance, physical security and other business collaborators relevant to incident response. - Retainer and vendor readiness: Maintaining IR retainer partner readiness; knowing when to escalate and how to integrate external specialists during major incidents. **Minimum Skills & Experience Required:** - Education: Bachelor’s degree in information security, computer science, or related field (or equivalent experience). - Enterprise-scale SOC/IR leadership: Over five (5) years managing Cyber Security Operations Centre Incident Response in enterprise-sized organizations, commanding events across hybrid cloud, on-premises, and OT. - Global coordination with Regional SOCs: Experience integrating and working alongside global, 24x7, distributed teams to complete incident response and cyber operations missions. - Communication and facilitation: Well-developed skills to explain complex technical issues in clear business terms; produce concise written material (executive updates, IR reports); and lead briefings. - Analytical decision making: Ability to analyze complex situations, assess risk, and balance strategic and tactical security requirements with business pragmatism, risk appetite, and innovation. - Customer orientation and cross-cultural working: Demonstrated ability to collaborate across regions and functions (IT, Legal, GRC, Physical Security) with a strong service outlook. **Preferred Skills & Experience:** - Certifications: Security certifications preferred (e.g., CISSP, CISM, GIAC such as GCIH/GCFA/GREM; CCSP; ITIL). ## Skills ### Required - Incident command & IR lifecycle - DFIR evidence handling - Attacker tradecraft (MITRE ATT&CK) - Automation & AI - Cloud, identity, and endpoint visibility - Manufacturing Operational Technology/Industrial Control Systems - Legal/regulatory & crisis communications - Retainer and vendor readiness ### Nice to have - Security certifications (e.g., CISSP, CISM, GIAC such as GCIH/GCFA/GREM; CCSP; ITIL) --- Source: [Apply at astrazeneca.eightfold.ai](https://astrazeneca.eightfold.ai/careers/job/563877690452471?utm_source=yubhub.co&utm_medium=jobs_feed&utm_campaign=apply)