Consulting/Principal Security Engineer

Principal Incident Response Lead

Job Profile Summary

The Principal Incident Response Lead position provides strategic and tactical leadership for enterprise incident response across a complex hybrid environment. This role serves as the senior incident commander and technical authority for high-severity security events, providing executive-ready decision support based on evolving threats, attack techniques, and advances in technology. The position supports the Information Security department's goals and objectives by leading escalations, guiding containment and recovery actions, and driving measurable improvements to response readiness and detection effectiveness. This role requires deep expertise in leading complex incident response efforts across hybrid environments and advancing cloud-native detection and monitoring capabilities, particularly within AWS. The role also owns the incident response program's readiness lifecycle-including tabletops, cyber range exercises, and after-action governance-to ensure continuous improvement and operational resilience.

Job Description

BASIC FUNCTIONS: This position will provide strategic and tactical incident response leadership, providing management with insight and input into overall security operations decisions based on advances in technology and the evolving threat landscape. The position supports the Information Security department's goals and objectives by leading escalations and coordinating response activities across multiple technical teams, ensuring consistent execution of triage, containment, eradication, and recovery. This position serves as the senior incident commander, establishes and maintains incident response readiness (playbooks, communications patterns, exercises), and drives detection and response improvements through lessons learned and measurable program outcomes.

QUALIFICATIONS:

10+ years of IT security experience, including significant incident response leadership in enterprise environments

BS Engineering/Computer Science or equivalent experience required; advanced degree preferred

Preferred: incident handling/forensics-focused certifications (e.g., GCIH, GCFA or equivalent) and cloud security certification(s) (AWS/Azure/Google Cloud Platform)

TECHNICAL SKILLS:

Advanced knowledge of modern security operations environments, including hybrid enterprise architectures and common attack paths.

Demonstrated experience leading incident response activities across complex hybrid environments, including on-premises infrastructure and multi-cloud platforms (AWS, Azure, Google Cloud Platform).

Strong hands-on experience engineering detections, telemetry, and monitoring solutions within AWS (e.g., CloudTrail, GuardDuty, VPC Flow Logs, and related services).

Expertise in incident command practices: severity assessment, stakeholder coordination, containment strategies, evidence handling, eradication and recovery planning, and post-incident review.

Strong ability to monitor, triage, and investigate security events; apply structured analysis for anomalous activity and adversary behaviors.

Experience with enterprise logging and telemetry pipelines, log onboarding strategies, and data quality expectations (coverage, fidelity, retention).

Experience improving detection quality and signal-to-noise (e.g., tuning, suppression, enrichment, validation, and feedback loops).

Working knowledge of identity and access security concepts (SSO/MFA, privileged access, conditional access) and identity-driven attack patterns and detections.

Understanding of compliance and governance initiatives and the ability to translate requirements into operational controls, procedures, and evidence.

Vulnerability and exposure understanding sufficient to prioritize response actions (active exploitation, blast radius, compensating controls) and guide remediation.

Familiarity with automation/SOAR concepts and scripting for investigation and response workflows (e.g., Python/PowerShell or equivalent).

Ability to develop and implement incident response programs with measurable outcomes (response readiness, containment speed, detection coverage, exercise cadence).

Strong organization/project planning, time management, and change management skills across multiple functional groups and departments, including prioritizing work during incident conditions.

Advanced problem-solving experience involving leading teams in identifying, researching, and coordinating resources necessary to troubleshoot/diagnose complex issues; success translating findings into options/solutions; identifying risks/impacts and schedule adjustments to facilitate management decision-making.

Advanced communication (verbal and written) and customer service skills, including the ability to brief senior/executive leadership with clear, concise, decision-oriented updates.

ACCOUNTABILITIES:

Serve as the senior incident commander and technical lead for high-severity incidents; drive structured triage, containment, eradication, and recovery across the enterprise.

Lead and coordinate incident response efforts for high-severity events spanning hybrid and multi-cloud environments (on-prem, AWS, Azure, Google Cloud Platform), ensuring effective containment, eradication, and recovery.

Own and continuously improve the incident response program: playbooks/runbooks, severity definitions, escalation paths, on-call expectations, evidence handling standards, and crisis communications patterns.

Plan, run, and mature readiness activities including tabletop exercises and cyber range events; define objectives, measure outcomes, and ensure follow-through on remediation actions.

Own after-action governance: facilitate post-incident reviews, establish root cause and contributing-factor analysis, drive corrective action plans, and track closure to completion (closed-loop improvement).

Lead analysis and review of security events for anomalous activity; collaborate with peer groups to take appropriate action to safeguard company information assets against current and foreseen threats.

Drive improvements to detection, investigation, and response processes through lessons learned, measurable corrective actions, and operational performance metrics.

Drive the design, implementation, and continuous improvement of detection engineering and monitoring capabilities within AWS environments.

Partner with infrastructure, cloud, endpoint, identity, and application teams to ensure response-ready logging, telemetry, and access to required investigative data sources.

Provide guidance for threat-informed mitigation and hardening activities resulting from incidents (e.g., containment controls, identity protections, logging improvements, segmentation, credential hygiene).

Communicate incident status, impact, and risk in executive-ready written and verbal updates; produce high-quality incident summaries and post-incident reports.

Support compliance and governance efforts by operationalizing response procedures, documenting evidence, and ensuring repeatable execution aligned to policy and regulatory expectations.

Assist with reviewing tools, applications, and processes to strengthen and optimize current incident response and detection capabilities, identify gaps, and recommend practical solutions to enhance effectiveness.

Assess and measure incident response program effectiveness to ensure closed-loop operations (e.g., readiness/exercise cadence, time-to-contain, repeat incident reduction, detection coverage and quality).

All other duties as assigned.
U.S. National Base Pay Range: $104,900 - $174,700. Geographic differentials may apply in some locations to better reflect local market rates.This job is eligible for an annual incentive bonus.
We know your well-being and happiness are key to a long and successful career. We are delighted to offer country specific benefits. Click here to access benefits specific to your location.

We are committed to providing a fair and accessible hiring process. If you have a disability or other need that requires accommodation or adjustment, please let us know by completing our Applicant Request Support Form or please contact 1-.

Criminals may pose as recruiters asking for money or personal information. We never request money or banking details from job applicants. Learn more about spotting and avoiding scams here

Please read our Candidate Privacy Policy.

We are an equal opportunity employer: qualified applicants are considered for and treated during employment without regard to race, color, creed, religion, sex, national origin, citizenship status, disability status, protected veteran status, age, marital status, sexual orientation, gender identity, genetic information, or any other characteristic protected by law.

USA Job Seekers:

EEO Know Your Rights.