Senior Manager, Incident Response & Forensics

Security @ Compass

The Security organization is a crucial business partner dedicated to protecting the company's information, systems, and reputation while enabling secure growth, product development, and innovation. Operating within the dynamic context of the leading public real estate company, our mandate includes developing and executing a comprehensive security strategy that addresses evolving threats and meets stringent regulatory requirements (SOX, Data Privacy law, GLBA, etc.). Key functions involve proactive risk management, robust security operations and engineering, secure architecture design, compliance oversight, incident response, and fostering a strong security culture. We collaborate across all business units to integrate security seamlessly into the development lifecycle and operational processes, ensuring the confidentiality, integrity, and availability of our services and data for our shareholders, agents, and stakeholders.

What You Will Do (Key Responsibilities):

• Hands-On Leadership & Strategy: Develop, implement, and continuously improve the strategic roadmap for IR and Forensics, while actively participating in day-to-day operations, investigations, and response activities.
• Team Development & Mentorship: Lead, mentor, coach, and develop a high-performing team through regular feedback and 1:1s, while fostering a collaborative environment. Grow and train multiple Incident Commanders within the organization.
• Detection & Response Enhancement: Lead and contribute to detection and response capabilities, focusing on creating high-fidelity alerts and developing automated responses and runbooks for repeated events.
• Incident Response Lifecycle Management: Own, refine, and participate in the end-to-end IR process (preparation, detection, analysis, containment, eradication, recovery, post-mortem) ensuring consistency, rigor, and adherence to frameworks across the company, subsidiaries, and joint partnerships.
• Incident Command: Serve as a primary Incident Commander (IC) during significant security incidents, demonstrating calm, clear coordination and decision-making, while also developing this capability in others.
• Digital Forensics & Investigation: Oversee and perform digital forensics activities across various platforms. Personally engage in challenging investigations to identify root cause and drive impactful responses, analyzing and correlating large, diverse datasets.
• Post-Mortem & Improvement Cycle: Drive a rigorous post-mortem process focused on thorough root cause analysis and actionable remediation plans. Conduct regular assessments of detection and response controls to improve security posture and prevent regression.
• AI Integration & SOC Optimization: Champion and guide the utilization of AI/ML techniques to improve threat detection, automate response, reduce analyst fatigue, and optimize SOC staffing/resource allocation. Collaborate closely with the Security Detection Engineers.
• Automation & Telemetry: Drive an automation-first approach to IR and forensics tasks. Enhance and drive telemetry around the company platform and leveraged technologies to improve visibility and detection.
• Collaboration & Partnership: Partner effectively with other information security teams, SOC, Threat Intelligence, Engineering, IT, Legal, Compliance, and business units to improve operational capabilities, provide preventative control feedback, and ensure alignment during incidents.
• Communication & Reporting: Clearly communicate technical findings, security vulnerabilities, and remediation techniques in an accessible way to diverse audiences, including executive leadership. Define and report on KPIs for IR effectiveness.

Who You Are (Qualifications & Attributes):

• Experienced Leader & Practitioner: Bachelor's degree in a relevant field or equivalent practical experience. 7+ years in cybersecurity, with 4+ years directly focused on hands-on Incident Response and/or Digital Forensics. 2+ years managing/leading technical teams, with demonstrated success in team growth through mentoring and coaching.
• Technically Proficient: Deep understanding of IR lifecycle, cyber kill chain, MITRE ATT&CK, modern attacker exploits, and persistence techniques. Strong knowledge of operating systems, networking, and security infrastructure (SIEM, EDR, Forensics tools). Well-versed in event analysis/triage.
• Domain Expertise: Demonstrate strong understanding in several of the following: Web Application Security, Cloud Infrastructure Security (AWS, GCP preferred), Network Security, Operating System Security, Identity and Access Management (IAM), including Okta, SaaS Security.
• Investigative & Analytical: Enjoy the challenge of investigation, possess strong analytical and problem-solving skills, and have the ability to analyze and correlate across large datasets to drive remediation.
• Automation Focused: You take an automation-first approach and understand leveraging automation to address security challenges at scale.
• Strong Communicator: Excellent ability to communicate complex technical concepts clearly and concisely to both technical and non-technical audiences.
• Collaborative & Empathetic: You are empathetic, accountable, and build trust. You foster psychological safety and inclusivity and excel at working across multiple departments.
• Strategic & Proactive: Ability to prioritize team investments based on business goals and risk, proactively identify areas for growth and efficiency, and operate effectively in a fast-paced, public company environment.
• Incident Command Presence: Proven experience leading as an Incident Commander during significant events.

Preferred Qualifications:

• Master's degree in a relevant field.
• Relevant industry certifications (e.g., CISSP, GCIH, GCFA, GCFE, GNFA, GREM, CHFI).
• Experience applying AI/ML concepts to security use cases.
• Experience with Security Orchestration, Automation, and Response (SOAR) platforms.
• Proficiency in scripting languages (e.g., Python, PowerShell).
• Familiarity with compliance frameworks (e.g., SOX, PCI-DSS, GDPR, CCPA).