Head of Cyber Defence & Incident Response

Job Description

• Location: Qaudient offices, Markham Ontario, Canada or Eastern USA (EST Time zone)
• The Head of Cyber Defence and Incident Response owns the organisation’s cyber defence capability across a hybrid environment (mix of on‑prem and cloud platforms), ensuring effective monitoring, detection, response and recovery.
• Reports directly to the CISO and leads cyber defence operations (including the MSSP) and cybersecurity incident response across the organisation. This fits within the context of the broader organizational Crisis Management plan owned outside Technology.
• A key focus is optimising security tooling (e.g., SIEM, SOAR, EDR/XDR, NDR, email security, vulnerability scanning) and driving strong vulnerability and threat management, using threat intelligence to prioritise defensive improvements.

Key Responsibilities

• Own the incident response lifecycle (prepare, detect, analyse, contain, eradicate, recover), ensuring playbooks, tooling, and decision-making processes are in place and exercised.
• Lead and coordinate response to security incidents, acting as incident commander where required, including stakeholder communications, forensic triage, and recovery coordination.
• Manage the MSSP relationship end‑to‑end: service definition, SLAs/KPIs, escalation paths, continuous improvement plans, quality assurance, and commercial governance.
• Optimise security monitoring and response tooling working across technology teams  (e.g., SIEM, SOAR, EDR/XDR, NDR, email security) including use‑case coverage, alert quality, automation, logging strategy, and operational runbooks.
• Own the vulnerability management programme (on‑prem and cloud), including scanning coverage, prioritisation, remediation SLAs, exception handling, verification, and executive reporting.
• Drive threat management by operationalising threat intelligence (internal and external) into defensive priorities: detection use cases, hardening actions, control uplift and proactive hunting themes.
• Lead continuous improvement of the defence stack: rationalise tools, tune detections, improve signal quality, reduce noise, and expand automation to accelerate triage and response.
• Establish and run a threat hunting programme using hypothesis‑driven approaches, telemetry coverage mapping, and lessons learned from incidents and red-team activity.
• Run regular tabletop exercises and simulations (including ransomware and cloud compromise scenarios), ensuring roles, escalation paths, and technical procedures are validated and improved.Own incident response governance: severity model, on‑call and escalation processes, evidence handling, case management, and alignment to legal/regulatory obligations.
• Define and report cyber defence metrics (e.g., MTTD/MTTR, alert volumes and precision, incident trends, vuln remediation performance, control coverage), presenting insights and recommendations to senior leadership.
• Lead post-incident reviews and root cause analysis, ensuring lessons learned translate into measurable improvements (detections, hardening, identity controls, backups, segmentation, and training).
• Support business continuity and crisis management processes during cyber events, contributing to executive updates and coordinated communications with Legal/Privacy and other stakeholders.
• Maintain and improve incident response documentation and readiness (playbooks, runbooks, contact trees), and ensure training is delivered for technical responders and business stakehol
• Communicate cyber risk and active incidents clearly to technical and non‑technical audiences, including concise executive briefings and after‑action summaries.

Qualifications

• Strong experience leading cyber defence/SOC and incident response, including major incident coordination, investigation, containment and recovery.
• Hands-on understanding of detection and response tooling and concepts (SIEM, SOAR, EDR/XDR, NDR, email security, log pipelines), including tuning, use-case engineering and operational workflows.
• Proven experience managing an MSSP or outsourced SOC capability, including SLAs/KPIs, service governance, escalations, and continuous improvement.
• Strong experience running vulnerability management and threat management programmes, including prioritisation based on exploitability, exposure, and business impact.
• Knowledge of incident response processes, digital forensics fundamentals, evidence handling, and working with legal/privacy and external forensic partners.
• Experience defending hybrid environments (on‑prem and cloud), including identity signals, network telemetry, endpoint visibility, and cloud-native security monitoring.
• Ability to operate under pressure and lead cross-functional teams through high-severity incidents, communicating clearly and making timely risk-based decisions.
• Fluent in English – excellent written and verbal communication skills, including producing clear architecture guidance, standards, and security design documentation.

Desirable

• Certifications such as GCIH, GCIA, GNFA, CISSP, CISM, or equivalent experience in incident response and security operations.
• Experience with threat hunting, purple teaming, and using MITRE ATT&CK to structure detections, gaps analysis, and defensive improvements.
• Experience with security operations in cloud platforms and common tools (e.g., Microsoft Defender, Sentinel, Splunk, CrowdStrike, Palo Alto, AWS/Azure security services) and integrating telemetry across environments.
• Calm under pressure, able to lead effectively during incidents and make timely decisions with incomplete information.
• Highly collaborative, able to coordinate across IT, engineering, legal/privacy, and business leaders during investigations and recovery.
• Operationally rigorous with strong attention to detail, documentation and evidence quality (case notes, timelines, lessons learned).
• Continuous improvement mindset—drives measurable outcomes through tooling optimisation, process refinement, and coaching teams to improve security hygiene.

Additional Information

See Full Job description

Rewards & Benefits  

• Flexible Work: Embrace a hybrid work model blending office and remote setup for a balanced lifestyle.  
• Endless Learning: Access global opportunities for growth through our 24/7 online learning platform.  
• Inclusive Community: Join our Empowered Communities and engage in our Philanthropy program.  
• Comprehensive Rewards: Enjoy competitive Total Rewards covering wellness, work/life balance, and more, including a generous referral scheme.  
• Caring for Wellbeing: Access our complimentary employee assistance program for mental health support.  

Smart Work at Quadient 
At Quadient, our Smart Work approach fosters connection, collaboration, and innovation while offering flexibility based on role requirements. Whether on-site, hybrid, or remote, our work environments are designed to support productivity and engagement. Hybrid employees balance remote and in-office work, on-site roles contribute daily to our vibrant workplace culture, and remote employees stay connected through virtual collaboration and in-person events. No matter where you work, you’ll be part of a dynamic, people-first community that drives success together. 

Be yourself at Quadient  
Our values define how we work as a team: Empowerment, Passion, Inspiration and Community.  They inspire us to be EPIC. Together. What makes Quadient different is how different we are. We’re a team of individuals with one goal but many perspectives. When you connect with Quadient, you become part of a community that cares - in a culture that embraces differences and values every voice.  

We will consider any reasonable modifications to the interview process. If you require any assistance with the application process, please email us at [email protected]  

Quadient is an Equal Employment Opportunity Employer. *: We firmly believe in zero discrimination in employment on any basis, including race, color, religion, sex, national origin, age, disability, veteran or military status, genetic information, citizenship status, and any other characteristics protected by local, state, or federal law. 

People. Connected.