coastal - Cybersecurity Operations & Incident Response Lead

• Security Monitoring & Detection Engineering • Own SIEM/SOAR strategy and daily operations; drive log onboarding, normalization, and high-fidelity detections across the entire technology landscape, including but not limited to: • Core technology infrastructure: Active Directory Domain Services, Entra ID, Okta, Azure control plane, Zscaler, Windows and macOS endpoints, hybrid network • Productivity/G&A systems: M365, SaaS • Business-specific systems: Azure IaaS/PaaS services, custom-developed API services, banking core, financial ledger and reporting systems • Coordinate with Engineering and IT to build detection engineering into system development lifecycle. • Develop, test, and maintain detection content (e.g., KQL/Sigma), alert routing, and enrichment pipelines that reduce noise and increase true-positive rates. • Integrate threat intelligence (strategic, operational, and technical) into detections and response workflows. • Incident Response • Serve as incident response commander for high-severity incidents; coordinate cross-functional responders in Infrastructure, IT, Engineering, Legal, and Compliance. • Build, maintain, and continuously improve standard operating procedures (SOPs), runbooks, and playbooks. • Maintain and exercise incident response plans through tabletop and similar activities. • Mature evidence handling, forensics workflows, and case management; ensure accurate timelines and regulator-ready documentation. • Drive post-incident reviews with measurable corrective actions (people/process/technology) and executive readouts. • Vulnerability & Exposure Management and Threat Hunting • Own the vulnerability management lifecycle, ensuring coverage of vulnerability discovery, triage, and management across servers, endpoints, network, cloud subscriptions, containers/images, and custom APIs. • Prioritize remediation using risk-based scoring and exploit intelligence. • Track configuration and identity hygiene (e.g., privileged accounts, conditional access, MFA coverage, device compliance) and partner with owners to close gaps. • Building and maturing a threat hunting and purple team function as part of the overall Security & Threat Operations maturation roadmap. • SOC/MSSP Governance • Lead day-to-day oversight of the third-party SOC: queue hygiene, case quality, SLAs, runbook adherence, and continuous tuning to our environment. • Ensure vendor tooling integrations, data retention, and access are compliant with Coastal policies and regulatory expectations. • Security and Threat Operations Leadership • Establish operating rhythms (standups, metrics reviews, post-incident retrospectives) and standard operating procedures for response, containment, eradication, and recovery. • Build and maintain a Security and Threat Operations strategy in coordination with the Director of Security Engineering and Operations, CISO, and other stakeholders, including software engineering, data engineering, and IT. • Develop and report on KPIs and KRIs for the Security and Threat Operations function. • Governance, Risk, Audit & Reporting • Align SecOps processes to FFIEC/GLBA expectations and industry frameworks (NIST CSF and Cyber Risk Institute Profile). • Prepare evidence for audits/exams; provide clear, actionable metrics and board-level reporting on SOC performance, incident trends, control coverage, and risk reduction. • Partner with Legal, Compliance, Privacy, and Third-Party Risk on obligations and notifications. • Culture, Training & Readiness • Coach analysts on analytical rigor, bias reduction, and structured investigations. • Promote a blameless, learning-oriented culture that prizes speed, accuracy, and craftsmanship.