SOC Digital Forensic and Incident Response (SVP)
As a bank with a brain and a soul, Citi creates economic value that is systemically responsible and in our clients’ best interests. As a financial institution that touches every region of the world and every sector that shapes your daily life, our Enterprise Operations & Technology teams are charged with a mission that rivals any large tech company. Our technology solutions are the foundations of everything we do. We keep the bank safe and provide the technical tools our workers need to be successful. We design our digital architecture and ensure our platforms provide a first-class customer experience. Our operations teams manage risk, resources, and program management. We focus on enterprise resiliency and business continuity. We develop, coordinate, and execute strategic operational plans. Essentially, Enterprise Operations & Technology re-engineers client and partner processes to deliver excellence through secure, reliable, and controlled services.
Trust is part of our DNA at Citi. As such, we take safeguarding our customer data very seriously. The Chief Information Security Office (CISO) is made up of deeply dedicated and talented colleagues who work together to ensure the safety of Citi’s and our clients’ assets and information. We manage information security as an end-to-end program – one with a clear mandate and accountability. Our mission is to continually execute and enhance a global security program that is fully anchored to modern control and security frameworks, fully aligned with the technology of the firm, threat-focused and data-driven, and deeply integrated across all Citi businesses globally.
Being talent-driven, we are focused on attracting, developing, and retaining diverse and inclusive talent with a high technical skill level. As a member of our team we will provide you with career development opportunities at all stages of your career. Our employees model a passion for protecting Citi and our clients and believe in treating others with dignity and respect.
Our commitment to diversity includes a workforce that represents the clients we serve globally from all walks of life, backgrounds, and origins. We foster an environment where the best people want to work. We value and demand respect for others, promote individuals based on merit, and ensure opportunities for personal development are widely available to all. Ideal candidates are innovators with well-rounded backgrounds who bring their authentic selves to work and complement our culture of delivering results with pride. If you are a problem solver who seeks passion in your work, come join us. We’ll enable growth and progress together
SOC Incident Response Group Manager (SVP)
Citi's Security Operations Center (SOC) Incident Response Team seeks a highly skilled and experienced incident response hands-on practitioner to support and execute critical efforts aimed at protecting Citi infrastructure, assets, clients, and stakeholders. This is a demanding role with global exposure and responsibility. You will serve both as a technical subject matter expert and as an ambassador for the incident response team. You will be assigned to Citi's SOC and will collaborate closely with a talented cadre of security specialists and incident responders to triage and contain security events. Your observations and recommendations will impact security decisions across the organization and play an important part in maturing Citi's security posture.
This position requires strong leadership, active in-depth hands-on technical expertise, and prior experience in leading global cyber incident response operations within a SOC. As a Senior Vice President, you will assist a group of incident response professionals who triage and investigate cybersecurity incidents in cloud, traditional (i.e. on-premises), and hybrid environments. This position will be technically challenging and rewarding, but will also provide ample opportunity to establish partnerships, mentor colleagues and shape team culture.
The ideal candidate will be a technically experienced hands-on individual contributor and innovative security professional who has the ability and experience to lead a team of security professionals and execute broad security goals within a global team. Candidates should be experienced in coaching junior team members.
Responsibilities
Related activities include but are not limited to:
- Lead and/or support in-depth triage and investigations of BAU, and urgent cyber incidents in traditional, and hybrid environments.
- Perform hands-on incident response functions including but not limited to host-based analytical functions (e.g. digital forensics, metadata, malware analysis, etc.) through investigating Windows, Unix based, appliances, and Mac OS X systems to uncover Indicators of Compromise (IOCs) and/or Tactics, Techniques and Procedures (TTPs).
- Participate in incident response efforts using forensic and other custom tools to identify any sources of compromise and/or malicious activities taking place.
- Serve as the SOC incident response regional contact in major cyber events and security incidents. This will include collaborating with global multidisciplinary groups to triage and define scope, as well as documenting and presenting investigative findings.
- Provide security expertise to the SOC IR team, leveraging industry standards as appropriate. Train and coach junior colleagues on relevant best practices.
- Partner with SOC Incident Response management on all program governance activities, including the development and/or maintenance of standards, procedures, metrics, reporting and training.
- Collaborate with other incident response functions such as Citi Security Investigative Services (CSIS) and Security Incident Management (SIM).
- Oversee and participate in the hands-on execution of SOC IR processes. Identify and measure critical metrics and continually improve the efficiency and effectiveness of all core services in scope.
- Provide appropriate updates to management regarding security event handling, trends, analysis, incident response resolutions and lessons learned.
- Participate in readiness exercises such as purple team, table tops, etc.
Qualifications- You should be all of the following:
A passionate leader. Success will depend on your ability to:
- Lead by example.
- Enable team success by being approachable and available.
- Innovate and inspire others.
- Embrace challenges and approach any failures as opportunities for learning and improvement.
A skilled and creative incident responder. Success will depend on your ability to:
- Stay current with the evolving landscape of threat activities and cybersecurity best practices.
- Quickly synthesize information from disparate sources.
- Scrutinize evidence thoroughly to identify relationships and develop leads.
- Establish defensible working theories to explain observations and findings.
- Perform investigations in a forensically sound manner.
A goal oriented individual contributor. Success will depend on your ability to:
- Stay motivated and work independently with minimal oversight.
- Adapt to changing requirements in a fast paced environment.
- Multitask and meet deadlines despite competing priorities.
- Navigate operational impediments in order to complete time sensitive tasks.
- Identify and document any opportunities for process improvement.
A reliable team player. Success will depend on your ability to:
- Practice mutual respect at all times.
- Establish trust, build strong partnerships, and relationships.
- Resolve conflict in a constructive manner and use as an opportunity to develop team unity.
- Prioritize collective success ahead of individual ambition.
A great communicator. Success will depend on your ability to:
- Establish clear narratives to describe investigative findings and working theories.
- Clearly and concisely articulate any recommendations that arise from investigative activities.
- Motivate colleagues and partners to cooperate and support as needed.
- Exert influence both verbally and in writing.
Requirements and Critical Competencies
Education, knowledge, and Experience:
- Bachelor's and Master's degree in a technically rigorous domain such as Computer Science, Information Security/Technology, Engineering, Digital Forensics, etc.
- 13+ years of professional experience in cybersecurity and/or information security, or demonstrated equivalent capability.
- 8+ years hands-on working in cyber incident response and investigations in medium to large organizations with cloud and forensics components.
- Incident response and hands-on technical experience in a global financial institution.
- Experience with performing and managing tasks of 24x7 Incident Response services.
- Experience with creation, leading the development, implementation, and management of incident response plans and response activities.
- Proven leadership, communication, issue resolution and performance management skills.
Experience in Cloud Forensics/IR
- Hands-on Dev/Sec/Ops experience with cloud environments and underlying storage, compute and monitoring services
- Prior experience with cloud common services
- Hands-on experience with forensic investigations or large scale incident response in cloud environments.
- Hands-on experience with containerization methods and tools (e.g. Docker, Kubernetes) including incident response and digital forensics.
- Certifications (e.g. GIAC, AWS, etc.) in cloud or demonstrated equivalent capability.
Experience in Incident Response
- Hands-on experience with interpreting and pivoting through large data sets.
- Current hands-on experience in digital forensics (e.g. computer, network, mobile device forensics, and forensic data analysis, etc.).
- Activities include but not limited to:
- Memory collection and analysis from various platforms
- Evidence preservation, and chain of custody following industry best practices.
- Familiarity with malware analysis and Reverse Engineering of samples (e.g. static, dynamic, de-obfuscation, unpacking)
- In-depth File system knowledge and understanding.
- In-depth experience with timeline analysis.
- In-depth experience with Registry, event, and other log file and artifact analysis.
- Activities include but not limited to:
- Hands-on experience with a DFIR toolset and related scripting
- Current expertise with an EDR system
- More than one GIAC (e.g. GCFE, GCFA, GREM, GCIH, GASF, GNFA, etc.) or other digital forensic and/or incident response certifications.
Experience in the following operating systems:
- Windows Operating Systems / UNIX / Mac OS X, specifically in system administration, command line use, and file system knowledge.
Experience in Basic Scripting and Automation
- Proficient in basic scripting and automation of tasks (e.g. C/C++, Powershell, JavaScript, Python, bash, etc.).
Network Concepts and Understanding
- Working knowledge of networking protocols and infrastructure designs; including routing, firewall functionality, host and network intrusion detection/prevention systems, encryption, load balancing, and other network protocols.
Other
- Working knowledge of relational database systems and concepts (SQL Server, PostgreSQL, etc.)
- Working knowledge of virtualization products (e.g. VMware Workstation)
- Must have flexibility to work outside of normal business hours when necessary.
- Must be flexible in outlook and attitude.
- Ability to travel, if and when necessary.
- Master of Science degree in Information Security Engineering (MSISE) preferred (SANS Technology Institute).
- This job description provides a high-level review of the types of work performed. Other job-related duties may be assigned as required.
------------------------------------------------------
Job Family Group:
Technology------------------------------------------------------
Job Family:
Information Security------------------------------------------------------
Time Type:
Full time------------------------------------------------------
Primary Location:
Irving Texas United States------------------------------------------------------
Primary Location Full Time Salary Range:
$156,160.00 - $234,240.00
In addition to salary, Citi’s offerings may also include, for eligible employees, discretionary and formulaic incentive and retention awards. Citi offers competitive employee benefits, including: medical, dental & vision coverage; 401(k); life, accident, and disability insurance; and wellness programs. Citi also offers paid time off packages, including planned time off (vacation), unplanned time off (sick leave), and paid holidays. For additional information regarding Citi employee benefits, please visit citibenefits.com. Available offerings may vary by jurisdiction, job level, and date of hire.
------------------------------------------------------
Most Relevant Skills
Please see the requirements listed above.------------------------------------------------------
Other Relevant Skills
For complementary skills, please see above and/or contact the recruiter.------------------------------------------------------
Anticipated Posting Close Date:
Jul 08, 2025------------------------------------------------------
Citi is an equal opportunity employer, and qualified candidates will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other characteristic protected by law.
If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.
View Citi’s EEO Policy Statement and the Know Your Rights poster.
Featured Career Areas
Saved Jobs
You have no saved jobs
Previously Viewed Jobs
You have no viewed jobs