Director, Global Cyber Operations - NYC

Rad Hires
South Amboy, NJ Full Time
POSTED ON 3/23/2026
AVAILABLE BEFORE 5/7/2026
Our client is a cybersecurity company built to help organizations reduce exploitable risk: fast, measurably, and defensibly. They combine a disciplined operating model for risk reduction with a platform-led approach that turns exposures and detections into prioritized remediation plans, validated outcomes, and executive-ready reporting.

Their methodology centers on Exposure-Driven Security Operations, in which they identify what is truly exploitable, drive decisions on what matters most, and orchestrate the work required to reduce risk quarter over quarter. Our client operationalizes this through a repeatable cadence (weekly, monthly, quarterly, and annual), using EOS-style execution rhythms to ensure risk reduction is not a one-time project but an ongoing program.

Our client's services are delivered as Managed Preemptive Detection & Response (MPDR) and structured risk reduction programs that connect security operations to the business outcomes leaders care about. The outcome is fewer critical exposures, faster decision cycles, and clear accountability. They partner directly with customer IT and security teams to plan remediation, guide execution without being the change implementer, and validate results so every quarter shows tangible progress, not noise.

Our client operates as a distributed company with teams in the United States, Mexico, and the Philippines, enabling always-on delivery and scalable operations. Their reporting and governance model is designed for executive stakeholders, supporting CIO and CISO decision-making and producing board-, lender-, and investor-grade narratives tied to measurable reduction in exposure and risk.

POSITION SUMMARY

The Director, Global Cyber Operations, is responsible for the leadership, maturity, and day-to-day performance of our client's 24x7 MSSP/MDR Security Operations Center. This role leads a distributed team of analysts and incident responders; owns service delivery KPIs and SLAs; drives detection and response effectiveness; and partners with Engineering, Security Automation, and Customer Success to evolve their managed offerings.

The ideal candidate has hands-on leadership experience running an MSSP/MDR SOC, with proven success operationalizing EDR/SIEM-based detections, incident response workflows, and client communications at scale. Familiarity with CrowdStrike Falcon, LogScale, and Trellix ePO/EDR is important, with the ability to guide detection quality, case handling standards, and collaboration across platform and automation teams.

KEY RESPONSIBILITIES:

SOC Leadership and Service Delivery

    • Lead 24x7 SOC operations across tiers (T1–T3), ensuring consistent, high-quality monitoring, triage, investigation, containment, and recovery for all managed clients.
    • Own and improve SOC KPIs/SLAs: MTTD, MTTR, case quality, false positive rates, detection coverage, and client satisfaction.
    • Establish and enforce SOC standards: playbooks, runbooks, case handling procedures, severity models, escalation matrices, and on-call schedules.
    • Serve as Incident Manager for priority incidents; coordinate cross-functional response and executive/client communications.
    • Other, as needed.

Detection Quality and Content Evolution

    • Direct service-wide detection quality across EDR and SIEM by defining case-quality expectations, tuning criteria, and feedback loops from investigations.
    • Collaborate with the Engineering and Security Automation teams to ensure high-fidelity signal intake, enrichment, and case workflow efficiency.
    • Nice to have: author or guide the creation of SIEM detection rules/content and content lifecycle processes (use-case definition, tuning, deprecation).

Threat Hunting Program Maturation

    • Define the strategy, success criteria, and operational model to introduce and evolve a threat hunting capability within the service.
    • Pilot and iterate on lightweight hunting motions aligned to high-value hypotheses and client needs, then scale programmatically.
    • Translate lessons learned from hunts into durable detections and improved investigation playbooks.

Platform and Automation Collaboration

    • Partner closely with the dedicated Platform Engineering team (who configure/manage/optimize CrowdStrike Falcon, LogScale, Trellix ePO/EDR, and other tooling) to align SOC needs with platform roadmaps and configurations.
    • Collaborate with the Security Automation Engineer responsible for Swimlane SOAR to identify automation opportunities, improve case orchestration, and reduce analyst toil.
    • Provide operational requirements and feedback to guide integrations, data quality, enrichment, and playbook automation.

Client Engagement and Communications

    • Act as senior SOC point-of-contact for escalations, major incidents, and executive briefings.
    • Drive clear, outcome-focused communications: incident reports, advisories, monthly/quarterly service reviews, and operational metrics that demonstrate value.

People Management and Operations Excellence

    • Recruit, develop, mentor, and retain SOC talent; build clear career paths, training plans, and certification tracks.
    • Manage team capacity and scheduling for 24x7 coverage; perform quality assurance and case audits; coach for continuous improvement.
    • Lead capacity modeling and forecasting in partnership with the VP, CISO, and Workforce Management; provide inputs for hiring plans and shift optimization.

MINIMUM QUALIFICATIONS

  • 7 years in cybersecurity with 3 years directly managing a SOC for an MSSP/MDR provider or a multi-tenant SOC environment.
  • Demonstrated success running 24x7 operations with measurable improvements in MTTD/MTTR, detection fidelity, and service quality.
  • Hands-on leadership experience operationalizing and/or overseeing:
    • CrowdStrike Falcon (required)
    • CrowdStrike LogScale (required)
    • Trellix ePO/EDR (required)
  • Strong incident management experience leading containment and recovery across endpoints, identity, email, and cloud.
  • Experience building and enforcing SOC processes: case handling standards, playbooks/runbooks, severity and escalation models, and on-call.
  • Excellent analytical, written, and executive communication skills; able to translate technical risk and response into business impact for clients.
  • Proven ability to collaborate with platform engineering and SOAR/automation stakeholders to improve scale, quality, and efficiency.

PREFERRED QUALIFICATIONS

  • Experience with any of the following:
    • CrowdStrike NG-SIEM
    • Trellix Helix
    • Splunk Enterprise Security
    • Microsoft Defender (MDE/MDO/MDI)
    • Microsoft Sentinel
  • Experience guiding SOAR workflows and automation requirements (e.g., Swimlane, Falcon Fusion, Splunk SOAR, Sentinel automation).
  • Nice to have: experience creating SIEM detection rules/content and establishing a repeatable content lifecycle (design, test, deploy, tune, retire).
  • Exposure to multi-cloud security monitoring (AWS, Azure, GCP) and identity-centric detections (AAD/Entra ID, Okta).
  • Bachelor’s degree in Computer Science, Engineering, Cybersecurity, or equivalent experience.
  • Relevant certifications: CISSP, GCIH, GCIA, GCFA, GMON, GCED, or vendor-specific credentials (CrowdStrike, Trellix, Splunk, Microsoft).

SUCCESS METRICS (first 6-12 months)

  • Reduce MTTR and false positive rates while improving detection fidelity and coverage aligned to prioritized threats.
  • Mature and document incident response playbooks for top use cases (EDR, identity compromise, ransomware, BEC).
  • Establish an initial threat hunting roadmap with piloted hunts and a plan for phased expansion; convert hunt findings into detections.
  • Automation ROI: analyst hours saved per month through SOAR integrations. Partner with Platform Engineering and Security Automation to deploy automations that remove recurring analyst toil and speed containment.
  • Achieve high CSAT/NPS across onboardings, incidents, and QBRs; improve case audit scores and analyst productivity.
  • eNPS/Retention: Health and stability of the SOC analyst team.

COMPENSATION/BENEFITS

Our client offers a compensation and benefits package that truly supports you and your family. In addition to a competitive compensation package, you'll receive comprehensive health, dental, and vision insurance, along with life and disability coverage. They are also invested in your future, which is why they offer a 401(k) plan with a generous company match. They are a remote-first company with a high-collaboration culture. You'll enjoy a culture built on support and optimism, with flexible paid time off and paid holidays to help you recharge. Best of all, you're joining a team that genuinely believes in having fun while they work. There will be occasional travel for team meetings, client workshops, or incidents.

Core Accountabilities (EOS-Ready, 5–7)

1. SOC Service Ownership & Performance

  • Own end-to-end 24x7 SOC service delivery across all tiers and clients
  • Be accountable for KPIs, SLAs, and client outcomes
  • Ensure consistent monitoring, response, and recovery at scale

2. SOC Standards, Governance & Incident Management

  • Establish and enforce SOC standards: runbooks, severity models, escalation paths, and on-call structure
  • Act as Incident Manager for priority and high-visibility incidents
  • Own cross-functional coordination and executive/client communications during major events

3. Detection Effectiveness & Content Quality

  • Own service-wide detection quality and case standards across EDR and SIEM
  • Ensure feedback loops from investigations improve signal fidelity and coverage
  • Partner with Engineering and Automation to improve intake, enrichment, and workflows

4. Threat Hunting Program Ownership

  • Define and mature the threat hunting strategy, operating model, and success criteria
  • Ensure hunts translate into improved detections, playbooks, and SOC capability
  • Scale hunting from pilot motions into a repeatable service component

5. Platform & Automation Alignment

  • Represent SOC operational needs in platform and automation roadmaps
  • Ensure tooling (CrowdStrike, LogScale, Trellix, SOAR) supports efficient, high-quality response
  • Reduce analyst toil through automation and workflow optimization

6. Client Engagement & Service Narrative

  • Serve as senior SOC escalation point for clients and executives
  • Own the SOC service story: incidents, advisories, metrics, and value realization
  • Ensure communications are outcome-focused and confidence-building

7. People Leadership & Capacity Management

  • Recruit, develop, and retain SOC talent; build career paths and training plans
  • Own staffing models, scheduling, QA, and performance coaching
  • Lead capacity forecasting and hiring inputs in partnership with executive leadership

Key Measurables (EOS Scorecard)

These should be owned by this seat, even if others influence them:

  • MTTD / MTTT
  • MTTR
  • SLA adherence (%)
  • Case quality / QA pass rate
  • False positive rate trend
  • Detection coverage growth
  • Client satisfaction (CSAT / retention)
  • Analyst attrition & capacity utilization
