Senior Director of Digital Forensics & Incident Response
About the role
The Senior Director of Digital Forensics & Incident Response (DFIR) is a strategic and operational leader responsible for building, scaling, and leading a global capability to detect, respond to, and investigate cyber incidents across the enterprise.
Responsibilities
Lead and operate a 24x7x365 Global Security Operations Center (GSOC) serving enterprise IT and OT environments.
Define and execute the GSOC strategy, including partnering with detection engineering, automation, threat-intelligence integration, and continuous maturity improvement.
Establish and monitor Service Level Agreements (SLAs), Key Performance Indicators (KPIs), Key Risk Indicators (KRIs).
Drive continuous improvement of advanced technologies (SIEM, SOAR, UEBA, XDR) to enhance visibility and reduce response times.
Lead the global Digital Forensics and Incident Response (DFIR) program across a large, distributed enterprise environment.
Build, mentor, and retain high-performing global teams across DFIR, DLP, and eDiscovery functions.
Act as a senior advisor to executive leadership during major cyber incidents and crisis situations.
Incident Response & Cyber Operations
Oversee the end-to-end incident response lifecycle including preparation, detection, analysis, containment, eradication, and recovery.
Lead and continuously improve the GSOC.
Establish and test cyber incident response playbooks, tabletop exercises, and crisis simulations.
Drive threat-driven and intelligence-led response capabilities.
Digital Forensics & Investigations
Lead advanced digital forensic investigations involving endpoints, cloud, identity systems, and network environments.
Ensure forensic readiness, evidence preservation, and chain-of-custody standards are maintained.
Partner with Legal, HR, and Compliance on internal investigations, litigation support, and eDiscovery efforts.
Data Protection & Insider Risk
Oversee enterprise Data Loss Prevention (DLP) and insider risk programs, including policy design, monitoring, and enforcement.
Leverage platforms such as Microsoft Purview and M365 security capabilities to protect sensitive data.
Align DLP and insider risk initiatives with regulatory requirements and business objectives.
Vendor & Service Management
Manage strategic relationships with Managed Security Service Providers (MSSPs) and digital forensics vendors.
Establish and monitor SLAs, KPIs, and KRIs.
Ensure vendors meet performance, quality, and compliance expectations.
Technology & Innovation
Drive adoption and optimization of security technologies, including: Microsoft 365 Security & Compliance (Purview, Defender), Digital forensics tooling (e.g., EnCase, FTK, X-Ways, etc.), Endpoint Detection & Response (EDR/XDR), DLP solutions, and SASE and modern network security architecture.
Continuously evaluate emerging technologies to enhance detection, response, and investigative capabilities.
Qualifications
Bachelor’s degree in Cybersecurity, Computer Science, Information Systems, or related field.
Relevant certifications strongly preferred: CISSP, CISM, or equivalent, GIAC (e.g., GCFA, GCIH) or forensic certifications, eDiscovery or legal/forensic certifications a plus.
15+ years of progressive experience in cybersecurity within a large, global enterprise environment.
Proven experience building and leading a GSOC and incident response program.
Deep expertise in: Incident Response (IR) & Cyber Crisis Management, Digital Forensics & Investigations, DLP & Insider Risk, and eDiscovery processes and technologies.
Experience managing and governing MSSPs.
Strong track record defining and managing SLAs, KPIs, and KRIs.
Strong hands-on or leadership familiarity with: Microsoft 365 / Microsoft Security ecosystem (Defender, Purview, Sentinel), EDR/XDR platforms (e.g., CrowdStrike, Microsoft Defender, etc.), Digital forensics tools and methodologies, Cloud security (especially SaaS and hybrid environments), SASE / Zero Trust architectures.
Exceptional leadership, team-building, and mentoring capabilities.
Executive-level communication skills with the ability to translate technical issues into business risk.
Strong decision-making under pressure, particularly during live cyber incidents.
Ability to influence cross-functional stakeholders including Legal, Compliance, Privacy, and IT.