Apply now »

Mgr, Incident Response


The Incident Response Manager is an executive leader with an integration of skills (incident responder, computer forensics, threat analysis, behavioral & predictive analytics) combined with a technology subject matter expert. This role will consult with Royal Caribbean Group (RCG) business groups, external researchers, local, Federal, and international law enforcement. Within the RCG Incident Management Program the Incident Response Manager will lead cyber investigations or act as Cyber Incident Commander for RCG enterprise including those related to external hackers, insider abuse and fraud. The Incident Response Manager will develop and deploy as needed the enterprise incident response and assist with the threat analysis program and supporting documentation, participating in operational & technical analysis, and leading investigation of actual or potential cyber incidents. The Incident Response Manager will be proactive and highly technical subject matter expert in security, technologies, threat analysis and indicators of compromise.

The Incident Response Manager will collaborate their efforts with Global Information Security (GIS) senior and executive leadership as well as key personnel within Information Technology (IT), Legal, Crisis Management, Compliance and Ethics, Human Resources, Global Security, Internal Audit, Privacy and Global Business Management. This collaboration helps ensure the Cyber Threat program is evaluating and managing threats in all external information sharing relationships. This role needs to have an expert understanding of forensic tools, develop SIEM queries and dashboards, develop and implement analytical models and review threat intelligence data. The role requires sound judgment with a high level of integrity, ethics and ability to calmly, diplomatically and effectively deal with stressful situations.






- Understanding skill gaps on team and actioning steps for the team to be a successful Breach Class IR team

- Managing the operations of a 24x365 incident response organization including staffing, queue management, etc.

- Providing leadership for major cyber incidents including guiding the development of investigation/scoping, containment and remediation plans for resolving major cyber incidents, aligning resources to execute on incident tasking, reporting findings to executive leadership, and managing both optics and tone of the response.

- Defining a strategic vision for your team, build an effective roadmap for the realization of the vision, and executing on the roadmap with proactive management of deliverables, timelines and expectations

- Guiding and mentoring incident response talent and developing them into advanced, technical, experienced incident responders

- Generating and presenting metrics and reporting on the performance, risk, and operations status for the team to leadership, executive committee, and external agencies (auditors, regulators)

- Acts as a trusted advisor to senior leaders for making business decisions and implementing strategic initiatives.

- Develops an expert understanding of business/group challenges.

- Networks with industry contacts to gather competitive insights and best practices.

- Recommends measures to improve organizational effectiveness.

- Recommends business priorities, advises on resource requirements and develops roadmap for strategic execution.

- Acts as the prime contact for internal/external stakeholder relationships, which may include regulators, law enforcement, and outside legal counsel.

- Prepares and delivers presentations for senior management.

- Leads the execution of IR operational programs; assesses and adapts as needed to ensure quality of execution.

- Recommends and sets strategic goals and budget for operational activities.

- Plans and controls unit operating expenses in accordance with forecasts.

- Ensures processes and procedures are well documented and promotes their implementation.

- Monitors and evaluates overall performance by gathering, analyzing, and interpreting data and metrics.

- Assesses and adapts existing operational programs; develops new capabilities to ensure ongoing success.

- Monitors & maintains IR security tools and applications.

- Collaborates with internal and external stakeholders to deliver on business objectives and to support operational activities for Global Information Security.

- Develops an understanding of organizational interactions and complexity to engage with the appropriate matrix areas.

- Actions service requests, transactions, queries etc. within relevant service level agreements.

- Coordinates and facilitates incident management activities. Includes deploying changes to the production environment and engaging 3rd party providers contracted to RCG during an incident.

- Recommends approaches or changes to streamline and integrates security processes and systems in the organization, while considering Information Security methodology to improve overall efficiency.

- Provides technical Information Security subject matter expertise.

- Stays abreast of industry technical and business trends through participation in professional associations, practice communities and individual learning.

- Ensures consistent, high-quality practices/work and the achievement of business results in alignment with business/group strategies and with productivity goals.

- Influences how teams/groups work together.

- Applies expertise and thinks creatively to address unique or ambiguous situations and to find solutions to multiple, interdependent, complex problems.

- Communicates abstract concepts in simple terms.

- Fosters strong internal and external networks and works with and across multiple teams to achieve business objectives.

- Anticipates trends and responds by implementing appropriate changes.

- Broader work or accountabilities may be assigned as needed.



- Stays current about technology development of computer forensics; evaluates and introduces advanced methodologies and technologies to the organization.

- Leads a team to conduct computer forensics of various information security incidents and suspicious events in the enterprise.

- Forecasts the development of computer forensics future trends; makes evaluation of corresponding impacts on the enterprise.

- Develops computer forensics best practices to provide cost-effective measures for the information security incidents investigation.

- Designs training courses on computer forensics methods, tools and techniques for the organization.

- Designs policies, processes and standards for the computer forensics practices of the organization.



- Stays current about technology development of computer forensics; evaluates and introduces advanced methodologies and technologies to the organization.

- Leads a team to conduct computer forensics of various information security incidents and suspicious events in the enterprise.

- Forecasts the development of computer forensics future trends; makes evaluation of corresponding impacts on the enterprise.

- Designs policies, processes and standards for the computer forensics practices of the organization.



- Expounds on future developments in digital forensics tools and their applications.

- Provides insight into a wide spectrum of tools and technologies for digital media analysis.

- Develops strategies to minimize potential risks when using digital forensics analysis tools.

- Designs best practices to ensure the efficiency of forensics processes.

- Develops and implements mechanisms to monitor use, performance and growth of tools used in extracting evidence.



- Participates in the development of best practices and standards for mobile/BYOD environment globally.

- Demonstrates expertise in integrating and implementing enterprise-wide security systems.

- Monitors industry for emerging or improved information security technologies.

- Presents and actively participates at Information Security conferences.

- Researches and evaluates emerging security technologies in terms of their business benefit.

- Monitors the processes and procedures of security analysis.

- Collaborates on best practices for addressing various types of attacks.



- Acted as an incident responder and performed investigations

- Performed as an Incident Commander

- Previous experience with breach investigations

- Develops strategies and business goals of intrusion detection and prevention for the organization.

- Keeps informed of evolving threat landscape, introduces advanced approaches and technologies of intrusion detection and prevention.



- Able to identify security gaps in other business unit processes and runbooks, work with business units to drive the process change

- Manage large IR investigations and assign appropriate parts to other team members

- Take a lead role in tabletop exercise

- Fulfill the role of incident commander of major cyber incidents

- Demonstrates creative thinking and the ability to solve high complex issues

- Oversees focus groups to discuss emerging challenges and best practices related to incident response and investigations

- Leads discussions on the historical background and future perspective of incident response

- Coaches on the adoption of advanced technologies and tools for incident response related investigations

- Supervises the development of evidence used to accuse a person of perpetrating a computer crime.

- Analyzes complex computer crime evidence in legal proceedings.

- Advises senior management on risk management and computer security.




· Previous experience at the NSA, DoD, NOAA Emergency Operation Center, Maritime Security Operations or as a Military Threat Operations team member, Cyber Crime investigator, or Counter Threat Unit required.

· Required 7+ years combined years of experience in I.T, Information Security, Cyber Response, Maritime Security, or threat intelligence.

· Preferred 7+ years combined years of forensic investigation, incident response, and cyber intelligence operations.

· Preferred 7+ years of progressive leadership experience.

· Bachelor’s degree or equivalent work experience

· Previous experience in static and dynamic code analysis, cloud services, forensic level packet capture, reverse code engineering, identifying indicators of compromise (IOC), threat analysis, anomaly detection, next generation firewalls (NGFW) and security incident and event management (SIEM) technologies, wired and wireless intrusion prevention systems.

· Previous experience with penetration testing and vulnerability assessment tools, such as IBM AppScan, HP Fortify, Burp Suite, Metasploit, HP Webinspect, Nexpose, Nessus and NMAP.

· Strong understanding of TCP/IP networking; UNIX, Linux and Microsoft Windows-based operating system platforms and relational database management systems such as Oracle, MS SQL, and MySQL.

· Working understanding of cryptographic controls.

· Must have strong verbal and written communication skills; interpersonal collaborative skills; and the ability to communicate IS and risk-related concepts to technical and non-technical audiences.

· Working understanding of compliance measurement and contractual requirements for SOX, GLBA, PCI and GDPR.

· The ability to exercise independent judgment in support of corporate goals & strategy.

· Must have a strong understanding of Apple, Linux and Windows Operating systems.

· Must have performed hands-on operations of one or more of the following: Intrusion Protection Systems (IPS), Firewalls, Wireless Intrusion Protection Systems (WIPS), Web Application Firewall (WAF), DLP and other security technologies.

· Must have hands-on SIEM experience including custom report writing and correlation rules

· Must have experience performing hands-on investigations of mobile devices and have familiarity with associated tools.

· Must demonstrate innovative analytical and problem-solving skills

· Familiarity with ISO27001, ISO27002, ISO27005, NIST and other industry standards

· Working experience of one or more forensics tools (i.e. EnCase, FTK, etc.)

· Working experience performing eDiscovery and working with legal teams

· Working knowledge of malware detection, malware reverse engineering, and data exfiltration.

· Expert knowledge of a Security Operations Center (SOC) as part of a larger continuous monitoring program

· Must demonstrate strong organization skills and time management and ability to manage multiple tasks / projects while ensuring deadlines are met.

· Experience with satellite communications


Work Environment:

· 80% of work is done in main office

· 10% of work is done shipboard

· 10% of work requires domestic or international travel

· On-Call rotation

Nearest Major Market: Miami

Apply now »