Manager - CyberOps & Assurance-Incident Response

American Express

Phoenix, AZ
Full Time
Paid
  • Responsibilities

    JOB DESCRIPTION

    At American Express, our mission is to deliver the world’s best customer experience every day. At the heart of this mission is our Information Security organization, enabling exceptional experiences built on a foundation of trust, service, and security. We leverage advanced technologies and data-driven insights to stay ahead of an evolving threat landscape. We foster a culture of passion, curiosity, and courage, empowering you to innovate, grow, and help shape the future of a Fortune 100 company.

    Trust. Service. Security.

    American Express seeks to recruit a passionate and experienced Leader for its Incident Response team. This is a senior-level, hands-on, highly technical role performing incident response activities ranging from pre-incident preparation, active incident response, and post-incident analysis and recovery. You will be a key technical resource conducting investigations, performing advanced analysis, identifying attacker TTPs, building attack narratives, and executing response actions.

    As part of our evolution toward a Next Generation Agentic SOC, this role will also help drive the adoption of AI-enabled security operations, intelligent automation, and autonomous analyst workflows. The ideal candidate combines deep incident response expertise with curiosity and practical experience in AI-assisted detection, security automation, and modern SOC engineering practices.

    You are a motivated leader who will directly manage, mentor, and develop a team of SOC analysts while driving the people, processes, and technology that empower the team to investigate sophisticated threats at scale. This role requires critical thinking, innovative problem solving, technical leadership, people leadership, and effective communication across both technical and executive audiences.

    RESPONSIBILITIES

    People Leadership & Team Development

    • Directly lead and manage a team of SOC analysts, including hiring, onboarding, day-to-day supervision, performance management, and career development, fostering a high-performing and engaged team culture.
    • Conduct regular 1:1s, performance reviews, and goal-setting with direct reports; provide timely, constructive feedback and coaching to accelerate individual and team growth.
    • Mentor and develop junior and mid-level analysts, building technical skills, investigative rigor, and professional capabilities across the team; create clear career progression pathways from Tier 1 through senior roles.
    • Manage shift schedules, on-call rotations, and workload distribution to ensure 24×7 operational coverage while proactively mitigating analyst burnout and maintaining team morale.
    • Drive a culture of continuous learning by identifying training opportunities, encouraging pursuit of industry certifications (e.g., GCIH, GCFA, GCIA), facilitating hands-on exercises (e.g., Immersive Labs, tabletop exercises), and championing knowledge-sharing across the team.
    • Recruit and retain top talent by partnering with HR and hiring managers to define role requirements, conduct interviews, and build a diverse and skilled analyst pipeline.

    Incident Response & Technical Operations

    • Conduct host forensics, network forensics, log analysis, and malware triage in support of incident response investigations and escalations from junior analysts across Windows, Mac, Linux, Cloud, SaaS, and hybrid environments.
    • Participate in incident response, cyber crisis management, and enterprise-wide security events.
    • Advise leadership on containment, eradication, and recovery strategies during incident response.
    • Fully scope incidents through proper identification of all affected systems, identities, applications, and/or accounts.
    • Recognize attacker tactics, techniques, and procedures (TTPs) as well as Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) applicable to current and future investigations.
    • Serve as a technical escalation point for the analyst team, providing real-time guidance on complex or high-severity investigations and ensuring quality and consistency of investigative outputs.
    • Contribute to team projects, process improvement, and development of new security operations capabilities.
    • Help curate a world-class security operations and incident response program with a relentless focus on innovation, intelligent automation, and continuous improvement.
    • Assess and develop incident response best practices to help mature the overall security operations and AI-assisted defense capabilities of the organization.
    • Produce high-quality written and verbal reports, recommendations, executive briefings, and technical findings.
    • Participate in on-call rotation and provide after-hours support on an as-needed basis.

    AI-Enabled Security Operations & Automation

    • Partner with detection engineering, threat intelligence, data science, and security engineering teams to operationalize AI-driven detection and response capabilities.
    • Assist in the design, tuning, and oversight of AI-enabled SOC workflows, analyst copilots, and autonomous or semi-autonomous response agents.
    • Develop and optimize prompts, workflows, and guardrails for large language model (LLM) and AI-agent-assisted investigations and triage processes.
    • Evaluate and validate AI-generated investigative outputs to ensure operational accuracy, reliability, explainability, and security.
    • Help identify opportunities to leverage AI/ML, orchestration, and automation technologies to reduce analyst toil and accelerate response times.
    • Participate in development and integration of SOAR playbooks, AI-assisted enrichment pipelines, and security automation frameworks.
    • Contribute to AI governance and operational risk management efforts related to AI-enabled security tooling and workflows.
    • Champion AI adoption within the team by training analysts on AI-assisted tools and workflows, gathering analyst feedback to drive iterative improvements, and ensuring responsible use aligned with organizational governance.
    • Stay current on industry trends, attack techniques, AI-enabled threats, adversarial AI risks, mitigation techniques, and emerging security technologies.

    QUALIFICATIONS

    • 3+ years of experience in information security, security operations, incident response, threat hunting, or cyber defense.
    • Experience with host, network, and/or memory forensics.
    • Experience with various network and/or host-based security tools used to detect and respond to security events (e.g., SIEM, EDR, NDR, SOAR, web proxy, IDS/IPS, cloud-native security platforms, etc.).
    • Theoretical and practical security knowledge and investigation experience with Mac, Linux, Windows, and cloud environments.
    • Strong understanding of incident response lifecycles, attacker methodologies, and cyber kill chain concepts.
    • Experience performing analysis of complex security incidents in enterprise environments.
    • Familiarity with scripting or programming languages such as Python, PowerShell, Go, or similar.
    • Ability to convey complex technical concepts to audiences with varying levels of technical expertise.
    • Strong analytical, investigative, documentation, and communication skills.
    • Demonstrated curiosity and adaptability toward emerging AI-enabled security technologies and workflows.
    • Demonstrated ability to lead, motivate, and develop technical teams in high-tempo, operationally demanding environments.
    • Strong interpersonal and conflict-resolution skills, with the ability to foster a collaborative, inclusive, and psychologically safe team environment.

    Preferred:

    • 1+ years of experience in a people leadership, team lead, or supervisory role, including direct responsibility for coaching, mentoring, or managing technical staff.
    • Experience working within a modern SOC leveraging AI-assisted analysis, security automation, and/or SOAR technologies.
    • Familiarity with AI/ML concepts and practical applications within cybersecurity operations.
    • Experience with prompt engineering, LLM-assisted workflows, or AI copilots for security investigations and operational efficiency.
    • Understanding of AI agent architecture, orchestration frameworks, retrieval-augmented generation (RAG), vector databases, or autonomous workflow concepts.
    • Experience integrating APIs, automation pipelines, or AI-enabled tooling into SOC workflows.
    • Knowledge of adversarial AI threats, prompt injection risks, model misuse, or AI security governance principles.
    • Experience building or operationalizing automated detection, enrichment, triage, or response capabilities.
    • Knowledge and investigation experience in a global, multi-cloud environment.
    • Experience with detection engineering, threat hunting, or behavioral analytics.
    • Familiarity with cloud-native security technologies and telemetry sources.
    • Multiple applicable certifications (GSE, GDAT, GCIA, GCIH, GCFA, GNFA, GCFE, GREM, CCSP, CISSP, CEH, etc.).
    • AI-related certifications or hands-on experience with enterprise AI platforms, orchestration frameworks, or automation tooling.
    • Experience managing performance cycles, conducting calibrations, and building talent development plans within a security operations or SOC environment.
    • Experience managing geographically distributed or shift-based teams supporting 24×7 operations.

    Employment eligibility to work with American Express in the United States is required as the company will not pursue visa sponsorship for these positions.

  • Industry
    Financial Services