The Incident Response & Forensics Manager (IT & OT) is responsible for managing and leading the organization's incident response and forensic investigation efforts across both Information Technology (IT) and Operational Technology (OT) environments. This role ensures that security incidents are promptly detected, contained, investigated, and remediated, while also overseeing the collection and analysis of forensic evidence. The manager coordinates across multiple teams to enhance the organization's ability to respond to cyber incidents, minimize damage, and prevent future security breaches within both IT and OT domains.
KEY ACCOUNTABILITIES:
Incident Response Management (IT & OT):
- Lead and manage the organization's incident response efforts across both IT and OT systems, ensuring rapid detection, containment, and resolution of security incidents.
- Develop and maintain incident response playbooks, ensuring that they address specific threats to both IT and OT environments.
- Coordinate with internal teams and external stakeholders to ensure effective communication and collaboration during incident response efforts.
- Oversee the triage, prioritization, and escalation of security incidents, ensuring that critical threats are addressed in a timely manner.
- Provide incident response support to both IT and OT infrastructure teams, advising on containment actions and recovery steps.
- Offer remediation guidance including configuration changes and preventive measures to minimize future threats in both IT and OT systems.
- Triage alerts from detection platforms, identifying and removing false positives across IT and OT environments.
- Escalate genuine threats and security incidents to the appropriate teams for further investigation and remediation, ensuring timely and accurate response to both IT-based and OT-based threats.
Forensic Investigation (IT & OT):
- Lead digital forensic investigations within both IT and OT systems to determine the root cause of security incidents, ensuring the proper collection, preservation, and analysis of digital evidence.
- Utilize forensic tools and techniques to investigate compromised systems, networks, and devices across IT and OT infrastructures.
- Ensure that forensic processes adhere to legal and regulatory requirements, and that evidence is documented in a formal and defensible manner for potential legal proceedings.
Threat Detection & Analysis (IT & OT):
- Conduct continuous monitoring of security events across both IT and OT environments using SIEM, XDR, and other Threat Detection, Investigation, and Response (TDIR) platforms.
- Analyze telemetry from multiple sources (network traffic, endpoints, OT systems, etc.) to detect and investigate potential cyber threats, ensuring comprehensive coverage across both digital and physical systems.
- Monitor and analyze security events from various sources, including SIEM, intrusion detection/prevention systems (IDS/IPS), firewalls, endpoint detection systems, and OT-specific monitoring tools, to identify potential threats and vulnerabilities.
- Lead efforts to correlate security information from both IT and OT environments to identify patterns of anomalous behavior and mitigate potential threats.
Incident Reporting & Documentation:
- Document formal technical incident reports for consumption by IT and OT infrastructure teams and senior leadership, providing detailed information on root causes, affected systems, and next steps.
- Ensure clear and concise communication of incident details to both IT and OT stakeholders, enabling effective decision-making during and after incidents.
- Ensure accurate and detailed documentation of all security incidents, including timelines, actions taken, and outcomes, for post-incident reviews and compliance reporting.
- Prepare formal incident reports and technical summaries for senior management, internal stakeholders, and regulatory authorities as required.
- Conduct post-incident reviews and lessons learned sessions to identify opportunities for improvement in incident response procedures for both IT and OT environments.
Collaboration & Coordination:
- Work closely with threat hunting teams to optimize TDIR capabilities by incorporating findings from threat hunting activities in both IT and OT environments.
- Continuously improve detection and response strategies based on real-world threat activity affecting both IT networks and OT systems.
- Collaborate with IT engineering, OT operations, cybersecurity teams, and third-party vendors to coordinate response efforts and ensure that both IT and OT systems are fully protected during and after an incident.
- Work closely with threat intelligence teams to stay updated on emerging threats to both IT and OT systems and ensure that the organization's incident response strategy remains current and effective.
Incident Response Training & Drills:
- Develop and conduct regular incident response simulations and training exercises across both IT and OT teams to ensure readiness for real-world cyber incidents.
- Ensure that all relevant personnel are trained in their roles during an incident and are familiar with the incident response plan for both IT and OT systems.
Detection Platform Enhancement (IT & OT):
- Work with threat detection content development teams to fine-tune detection platforms and create new detection rules tailored to the unique needs of both IT and OT environments.
- Continuously enhance detection capabilities to improve alert accuracy and reduce false positives in both IT systems (e.g., endpoints, networks) and OT systems (e.g., SCADA, ICS).
Root Cause Analysis & Prevention (IT & OT):
- Conduct in-depth root cause analysis of security incidents across IT and OT systems, identifying vulnerabilities, misconfigurations, or other weaknesses.
- Provide recommendations for mitigating future risks, including configuration changes and security controls for both IT infrastructure and OT control systems.
Policy Development & Incident Response Governance:
- Assist in the development and refinement of incident response policies, forensic procedures, and security standards for both IT and OT environments.
- Ensure that incident response efforts comply with relevant regulatory requirements and industry best practices for both IT and OT sectors.
Compliance & Performance Reporting (IT & OT):
- Support the development and execution of compliance reporting for both IT and OT teams, ensuring that security incidents and responses are documented in line with organizational and regulatory requirements.
- Provide SOC performance reporting to ensure key metrics and Service Level Agreements (SLAs) are met for both IT and OT operations.
Vulnerability & Exposure Analysis (IT & OT):
- Conduct analysis and testing to identify vulnerabilities, misconfigurations, and other exposures across both IT and OT environments.
- Validate user policies, configurations, and access controls to ensure they align with the security posture of both IT and OT systems, maintaining a holistic security approach.
Efficiency & SLA Adherence (IT & OT):
- Work efficiently to meet SOC metrics and SLAs, ensuring timely and effective response to incidents affecting both IT infrastructure and OT control systems.
QUALIFICATIONS:
- Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related field (Master's preferred).
- 5+ years of experience in incident response, digital forensics, or cybersecurity operations, with at least 2 years focusing on OT environments.
- Proficiency in incident response tools, forensic tools, and SIEM platforms (e.g., Splunk, ELK, QRadar).
- Experience with both IT and OT-specific security platforms (e.g., SCADA, ICS, PLC systems).
- Knowledge of forensic analysis techniques across networks, endpoints, and OT systems.
- Familiarity with threat intelligence, malware analysis, and vulnerability management for both IT and OT infrastructures.