Director of Incident Response

The Company   NorthMark   Compute & Cloud (NMC²) is backed by dedicated leadership and investment, with a clear mission as it   operates   at the bleeding edge of technology. Its goal is to scale and enhance the high-performance computing (HPC) and cloud infrastructure that supports its clients’ research, production, and delivery, enabling breakthroughs that shape the industries of tomorrow. Its engineers build critical infrastructure to   eliminate   friction in scientific research, simulations, analysis, and decision-making, accelerating discovery and driving faster innovation.   The Position   The Director of Incident Response owns the full incident lifecycle across NMC²'s HPC and multi-tenant cloud environments, reporting to the CISO. This is a builder role. You will stand up the IR function from the ground up: playbooks, on-call rotations, tooling integration, forensic capability, and the team itself. You will run major incidents in environments where detection-to-containment is measured in minutes, where forensic preservation must survive tenant-specific legal hold requirements, and where every post-incident finding feeds directly into engineering backlogs with enforceable SLAs.   You will   operate   as the senior IR authority across Security Engineering, Platform Engineering, Data Center Operations, and customer-facing technical teams.   Responsibilities:   Build the IR function end to end: staffing model, 24/7 coverage plan, severity matrix, escalation tree, retainer relationships, and tooling stack aligned to NIST SP 800-61r2 phase structure   Own major incident command for all Sev-0 and Sev-1 events, security and operational, including customer-facing communications and regulatory notification decisions   Develop detection-to-containment runbooks mapped to MITRE ATT&CK techniques relevant to HPC and cloud tenancy threats: credential abuse (T1078), lateral movement via Kubernetes and scheduler primitives (T1610, T1613), data exfiltration over research network egress (T1041, T1567), and supply chain compromise in scientific software pipelines (T1195)   Establish forensic readiness across bare-metal HPC nodes, Kubernetes workloads, and hypervisor layers: memory capture, disk imaging, container runtime evidence, and audit log chain-of-custody standards   Drive root cause analysis to engineering remediation with measurable closeout SLAs, not   written   reports that sit on a Confluence page   Build and   maintain   the Known Error Database, runbook library, and tabletop exercise program with scheduled red team, customer-triggered, and infrastructure failure scenarios   Instrument the IR function with hard metrics: MTTD, MTTA, MTTC, MTTR by severity and incident class, recurrence rate, playbook coverage percentage, and on-call load distribution   Operate Jira Service Management as the authoritative incident system of record, with defined integrations to detection tooling, paging (PagerDuty or equivalent), and engineering backlog systems   Partner with Security Engineering on detection engineering feedback loops: every incident either   validates   an existing detection, triggers a new one, or exposes a detection gap that becomes a tracked engineering item   Own executive and board-level incident reporting, including quarterly trend analysis, regulatory and contractual incident disclosures, and customer trust reporting for enterprise accounts   Co-own business continuity and disaster recovery testing with Platform and DC Operations, ensuring IR plans integrate cleanly with BCP/DR runbooks   Requirements:   10+ years in security operations or incident response, with at least 5 years running major incident response in high-availability, multi-tenant, or mission-critical infrastructure environments   5+ years leading IR or SOC teams, including direct accountability for hiring, performance management, and 24/7 operational coverage   Demonstrated incident command experience on Sev-0 events with customer, regulatory, or board-level exposure   Deep technical fluency in at least two of: HPC environments ( Slurm , InfiniBand, GPU clusters), Kubernetes and container security, hypervisor and bare-metal forensics, or public cloud incident response (AWS, Azure, GCP)   Working command of NIST SP 800-61r2, MITRE ATT&CK, and CIS Controls v8 Incident Response domain (Controls 17.1 through 17.9)   Hands-on experience with Jira Service Management, PagerDuty or equivalent, and at least one enterprise SIEM or XDR platform in a production IR context   Experience building detection-to-response feedback loops with a detection engineering or SOC counterpart, not   operating   IR as a downstream consumer of alerts   T rack record   of RCA work that produced engineering remediation with measurable defect reduction, not documentation for its own sake   Comfort   operating   in a pre-scale organization where tooling, process, and team do not yet exist and must be designed before they can be run   Preferred :   GCIH, GCFA, GCFR, or equivalent hands-on IR certification   ITIL 4 Foundation or Practitioner certification   Experience with regulated or contractually constrained environments: financial services customers, export-controlled workloads, or sovereign cloud requirements   Prior experience during a CSP independence or infrastructure repatriation program   It is impossible to list every requirement for, or responsibility of, any position.  Similarly, we cannot identify all the skills a position may require since job responsibilities and the Company’s needs may change over time.  Therefore, the above job description is not comprehensive or exhaustive.  The Company reserves the right to adjust, add to or eliminate any aspect of the above description.  The Company also retains the right to require all employees to undertake additional or different job responsibilities when necessary to meet business needs. Must be legal