Manager, Security Incident Response & Operations

Manager, Security Incident Response & Operations at American Specialty Health

American Specialty Health Incorporated (ASH) is seeking a Manager, Security Incident Response & Operations to join our Information Security department.

The primary purpose of this position is to provide cyber incident response subject matter expertise while collaborating on numerous security projects and operational improvement initiatives. This role supports junior-level cyber analysts, developing their investigative skillset, processes, and playbooks. You will champion incident response services enrollment to ensure progressive operational effectiveness and alert fidelity, continuously identifying gaps, and managing improvements in security response processes, technologies, and monitoring. Working closely with internal architecture, engineering, and project management teams, you will ensure cyber-defense requirements are identified and communicated early in the project life cycle.

Salary Range: American Specialty Health complies with state and federal wage and hour laws and compensation depends upon candidate’s qualifications, education, skill set, years of experience, and internal equity. $112,500 to $175,000 Full-Time Annual Salary Range.

Remote Worker Guidelines: This position will be trained remotely and must be able to work from home (WFH) in a designated work area with company-provided technology equipment. This WFH position requires a stable Internet connection (minimum 50 down/10 up Mbps, 100 down/20 up recommended) with the ability to participate by video in online meetings over a reliable and consistent network.

Responsibilities

• Provide cyber incident response subject matter expertise, collaborating on security projects and operational improvement.
• Manage SIEM operations effectively.
• Support cyber incident response actions, ensuring proper assessment, containment, mitigation, and documentation.
• Conduct threat hunting to identify anomalous and malicious behavior, enhancing SIEM rules for automated identification.
• Interact and assist other investigative teams within American Specialty Health on time-sensitive, critical investigations.
• Manage third-party MSSP (SOC) to ensure appropriate incident response times, SIEM content enrichment, and identify logging and monitoring coverage gaps.
• Drive continuous improvement of incident response processes, playbooks, and detection capabilities.
• Participate as part of a close team of technical specialists on coordinated responses and subsequent remediation of security investigations.
• Train matrixed team members on hunting, investigative, and forensic tools and processes.
• Help create, support, and participate in purple team exercises.
• Manage the security monitoring enrollment process for adequate coverage and effectiveness of all new and existing cloud and premise-based applications, services, and platforms.
• Maintain a detailed tracking plan of all internal/external enrollment outcomes/recommendations, providing support through to implementation.
• Act as a liaison between security operations, engineering, security architecture, network & system operations, and functional project teams to ensure effective project implementation.
• Work with colleagues in other technology departments as well as business and product offices to establish effective, productive business relationships.
• Define baseline security monitoring requirements for all new projects, services, and applications joining the American Specialty Health network.
• Facilitate the development and tuning of SIEM rules to support enrollments and ensure high fidelity alerting.
• Review and analyze cyber threats, providing SME support and training to junior-level security analysts.
• Perform other duties as assigned and comply with all policies and standards.

Qualifications

• Bachelor’s Degree in Computer Science, Information Security, Computer Engineering, related area of study, or equivalent experience required. High school diploma required if related experience.
• 10+ years of combined relevant experience using hunting and IR technologies and/or industry-standard tools required.
• 5 years in SIEM management required, including content management (parsing/correlation rules), case management, SOAR technology, threat intel feeds, and use case mapping.
• 2 years of management experience required.
• Experience writing thorough investigative reports detailing incident findings required.
• Experience with Threat Intel providers and distribution of relevant information required.
• Demonstrated experience in an enterprise-level incident response team or security operations center; direct experience handling advanced cyber security incidents and associated incident response toolsets required.
• Experience with systems and monitoring within Microsoft Azure preferred.
• Experience managing a third-party SOC preferred.
• Proficiency with analysis and characterization of cyber attacks (Kill Chain, MITRE ATT&CK).
• Proficiency with common operating systems (Linux/Unix, Windows), understanding how they may be compromised.
• Proven subject matter expertise in incident response, intrusion analysis, incident handling, malware analysis, or security engineering.
• Strong ability to lead matrixed teams.
• Strong interpersonal and leadership skills to influence and build credibility as a peer.
• Skilled in identifying different classes of attacks and attack stages.
• Strong knowledge of malware families and network attack vectors.
• Strong knowledge of Windows system internals, web applications, and APIs.
• Strong scripting skills.
• Strong working knowledge of common security tools (SIEM, AV, scanners, proxies, WAFs, netflow, IDS/IPS, Snort, forensics tools).
• Advanced technical knowledge associated with various operating systems, network services, and applications; keen understanding of logging components and capabilities.
• Demonstrated sense of urgency and ability to perform well under significant enterprise-wide pressure.
• Excellent communication and presentation skills, with demonstrated skill in presenting analytical data effectively to varied (including executive) audiences.
• Relevant security-related certifications preferred (GCIA, GSEC, GCIH, GCED, GCFA, GREM, ECIH, CSIH, CIHE).

Core Competencies

• Demonstrated ability to interact in a positive, respectful manner and establish and maintain cooperative working relationships.
• Ability to display excellent customer service to meet the needs and expectations of both internal and external customers.
• Excellent listening and interpersonal communication skills to identify critical core competencies based on success factors and organizational environment.
• Ability to effectively organize, prioritize, multi-task and manage time.
• Demonstrated accuracy and productivity in a changing environment with constant interruptions.
• Demonstrated ability to analyze information, problems, issues, situations, and procedures to develop effective solutions.
• Ability to exercise strict confidentiality in all matters.

Physical & Environmental Conditions

This is primarily a sedentary role, requiring the ability to sit for long periods. Ability to see, speak, hear, and communicate verbally and in writing is essential. Capable of using standard office equipment and lifting up to 10 lbs. This role operates within a work-from-home (WFH) environment.

Key skills/competency

• Incident Response Management
• SIEM Operations & Tuning
• Threat Hunting & Detection
• Cybersecurity Leadership
• Security Process Improvement
• Microsoft Azure Security
• MITRE ATT&CK Framework
• Forensic Analysis
• Third-Party MSSP Management
• Scripting for Automation