Cybersecurity Incident Commander
SoFi · Seattle, WA · 3 days ago
Information TechnologyFull-time
The Role
We are seeking a Cybersecurity Incident Commander to join SoFi’s Cyber Defense program and lead incident command efforts across the organization. This role will serve as a central driver for security incident response, ensuring effective management of day-to-day incidents as well as large-scale, high-impact cybersecurity events.
What You’ll Do
- Serve as the primary Security Incident Commander for security incidents identified by the SOC.
- Lead and manage the end-to-end lifecycle of security incidents, including triage validation, containment, eradication, recovery, and closure.
- Establish and maintain incident command during high-severity or large-scale incidents.
- Drive cross-functional collaboration and decision making across technical and business teams to ensure timely and effective response.
- Facilitate incident communication, coordinate response resources, and maintain clear situational awareness for all engaged.
- Ensure consistent documentation of incident timelines, impact assessments, decisions, evidence chain of custody, and actions taken.
- Develop and maintain incident severity classifications and escalation criteria that are aligned with organizational and business needs and expectations.
- Provide executive-ready status updates and summaries during major incidents.
- Coordinate post-incident reviews, including root cause analysis, lessons learned, and tracking of remediation actions.
- Identify and facilitate opportunities to improve incident response processes, playbooks, and communication workflows.
- Partner with SOC leadership to enhance incident metrics, reporting, and operational maturity.
- Organize and participate in tabletop exercises, simulations, and readiness activities to improve Cyber Defense and SOC response capabilities.
What You’ll Need
- 3–7+ years of experience in cybersecurity operations, incident response, or SOC environments.
- Direct experience coordinating or leading security incident response efforts in enterprise environments.
- Strong understanding of the incident response lifecycle and frameworks (e.g., NIST 800-61).
- Experience handling high-severity incidents such as ransomware, business email compromise, insider threats, cloud compromise, or data exfiltration events.
- Ability to interpret technical findings and translate them into clear, actionable updates for both technical and non-technical stakeholders.
- Excellent written and verbal communication skills, especially in high-pressure situations.
- Strong organizational skills with the ability to manage multiple concurrent incidents.
- Experience facilitating cross-functional communication across various media channels and driving accountability during live incidents.
- Ability to operate independently while collaborating effectively across distributed teams.
Nice to Have
- Experience in a formal CSIRT or Incident Commander role.
- Working knowledge of security technologies such as SIEM, EDR, email security, IAM, cloud security controls, and network monitoring tools.
- Knowledge of regulatory and compliance considerations (e.g., financial services, PCI, SOX, GLBA).
- Experience directing or conducting digital forensics or deep technical investigations.
- Familiarity with cloud-native security incident response (AWS, GCP, or Azure).
- Exposure to MITRE ATT&CK framework and threat intelligence integration.
- Relevant certifications such as GCIA, GCIH, GCED, CISSP, CISM, or similar.
- Experience developing or maintaining incident response playbooks and runbooks.