Cybersecurity Incident Lead

The Cybersecurity Incident Lead's primary function is to take command of an active security crisis, directing the Incident Response (IR) team and coordinating internal and external stakeholders—including legal, communication, and executive teams—to execute a comprehensive strategy for immediate containment, threat eradication, system recovery, and evidence preservation. They are responsible for critical decision-making under pressure, serving as the main liaison for executive reporting and regulatory compliance, and subsequently leading the post-incident analysis to identify root causes and implement lessons learned to strengthen future defenses.

Tasks & Responsibilities

• Own incident response (IR) lifecycle: detect, triage, contain, eradicate, recover, and post-incident review per SAMA CSF and NCA ECC-2.
• Lead major incident war-rooms, coordinate SOC, IT, Product, Legal, and Comms, and ensure timely regulator-ready reporting.
• Maintain IR playbooks for fintech/payments threats (account takeover, fraud, ransomware, API abuse, data leakage).
• Run tabletop and simulation drills; measure MTTR, response quality, and control improvements.
• Drive root-cause analysis and track corrective/preventive actions to closure.

Qualifications

• Bachelor’s in Cybersecurity/CS or related field.
• 7–10+ years in SOC/IR with 2+ years leading incidents in regulated environments.
• Strong knowledge of forensics basics, malware triage, cloud/SaaS IR, and crisis communications.
• Working knowledge of SAMA CSF and NCA ECC-2 incident controls.
• Certs preferred: GCIH, GCFA, CISSP, or equivalent.

Location
Riyadh, Riyadh, Saudi Arabia.