Senior Director, Security Threat
Job Summary: The Director of Threat Management is responsible for leading the enterprise detection and response function, owning the reactive side of security: identifying, investigating, and containing threats across a global Fortune 500 environment. This role provides leadership for the Security Operations Center (SOC), Cyber Threat Intelligence (CTI), Detection Engineering, and Incident Response (IR), and is accountable for the speed and quality of threat detection, triage, investigation, and response across the enterprise.
The Director of Threat Management leads a 24x7 monitoring and response organization while advancing the detection engineering pipeline, maturing threat intelligence integration, and driving measurable improvement in mean time to detect and mean time to respond. The role combines strategic direction, operational accountability, and organizational leadership to reduce enterprise risk from active and emerging threats, partnering closely with the platform engineering team that owns the underlying security tooling.
What You Will Do:
Strategy, Governance, and Leadership
Define and own the enterprise threat detection and response strategy, roadmap, and operating model aligned to cybersecurity, risk, and business objectives.
Mature the threat management program through formal governance, playbooks, standards, metrics, and leadership reporting.
Present detection and response posture, incident trends, risks, and investment needs to security leadership and executive stakeholders.
Establish and monitor KPIs such as mean time to detect (MTTD), mean time to respond (MTTR), detection coverage, and alert quality.
Lead prioritization decisions across the SOC, threat intelligence, detection engineering, and incident response functions.
Security Operations and Monitoring
Lead a 24x7 Security Operations Center responsible for monitoring, alert triage, escalation, and initial investigation across the enterprise.
Own the detection content lifecycle within the SIEM, and define data source onboarding, log storage, and retention requirements for the platform-owning team.
Drive continuous improvement in alert quality, triage efficiency, and analyst workflow to reduce noise and analyst fatigue.
Establish tiered operating models, shift coverage, and escalation paths that ensure consistent 24x7 response readiness.
Oversee SOC performance metrics, service levels, and quality assurance across monitoring and triage activities.
Detection Engineering
Lead the detection engineering function responsible for building, tuning, and maintaining detection content across SIEM and security telemetry sources.
Drive a detection-as-code approach with version control, testing, peer review, and measurable detection coverage mapped to MITRE ATT&CK.
Prioritize detection development against threat intelligence, red team findings, incident learnings, and emerging adversary techniques.
Establish metrics for detection coverage, efficacy, and false-positive rates, and drive continuous tuning based on outcomes.
Partner with engineering and platform teams to ensure high-quality, well-structured log and telemetry sources feed detection pipelines.
Cyber Threat Intelligence
Lead the Cyber Threat Intelligence function responsible for strategic, operational, and tactical intelligence supporting detection and response.
Operationalize threat intelligence by driving indicator enrichment, threat actor tracking, and intelligence-led detection and hunting priorities.
Deliver executive and stakeholder threat briefings that translate the threat landscape into business-relevant risk and action.
Establish threat hunting programs that proactively search for adversary activity across the environment ahead of alerting.
Manage intelligence sources, sharing partnerships, and integration of intelligence into SIEM, SOAR, and detection workflows.
Incident Response
Own the enterprise incident response process across detection, triage, containment, eradication, recovery, and post-incident review.
Lead major incident coordination, serving as an escalation point and driving cross-functional response during significant events.
Establish and maintain incident response playbooks, runbooks, and tabletop exercises to ensure organizational readiness.
Drive post-incident reviews and lessons-learned processes that feed detection improvements and control gaps back into the program.
Partner with legal, communications, IT, and business stakeholders to ensure coordinated response and regulatory notification where required.
Tooling and Automation Requirements
Define detection and response requirements, use cases, and priorities for the SIEM, SOAR, and log storage platforms owned and operated by the platform engineering team.
Partner with the platform-owning team to shape roadmap, data onboarding, retention, and automation priorities that serve detection and response needs.
Specify SOAR automation use cases for triage, enrichment, and response, and validate that delivered automations meet analyst workflow requirements.
Provide feedback on tooling performance, gaps, and integration needs to drive a unified, efficient analyst workflow across detection, intelligence, and response.
Use modern tools including AI-assisted workflows to accelerate investigation, analysis, documentation, and decision-making across the team.
Organizational and People Leadership
Lead and develop a distributed threat management organization consisting of managers, analysts, detection engineers, threat intelligence analysts, and incident responders.
Build organizational clarity across the SOC, threat intelligence, detection engineering, and incident response functions.
Provide leadership in talent development, succession planning, coaching, performance management, and team engagement.
Manage staffing strategy across full-time employees, partners, and contingent resources, including managed detection and response providers where applicable.
Oversee third-party vendors and consulting partners supporting threat management programs and services.
Minimum Qualifications
Bachelor’s degree in Computer Science, Cybersecurity, Information Technology, Engineering, or a related discipline; equivalent experience may be considered.
12+ years of progressive experience in cybersecurity, security operations, threat detection, incident response, or threat intelligence.
5+ years of leadership experience managing multi-team security operations or threat functions at the Senior Manager or Director level.
Demonstrated success leading detection and response programs across SOC operations, detection engineering, threat intelligence, and incident response.
Experience managing 15+ person organizations including managers, analysts, and engineers with varied technical specializations.
Experience leading major incident response and driving measurable improvement in detection coverage and response times.
Experience building or standing up new detection, intelligence, or response capabilities, teams, or services.
Technical and Functional Qualifications
Strong knowledge of SIEM and log management platforms and log storage technologies such as Elasticsearch or Splunk, including data onboarding, retention, and detection content management.
Strong knowledge of security orchestration, automation, and response (SOAR) platforms such as Swimlane or Cortex XSOAR.
Strong knowledge of detection engineering practices, detection-as-code, and detection coverage mapped to MITRE ATT&CK.
Experience with the cyber threat intelligence lifecycle, threat actor tracking, and intelligence-led detection and hunting.
Experience with incident response frameworks, forensic investigation concepts, and major incident coordination.
Understanding of threat detection across cloud (Azure, AWS, GCP), endpoint, network, and identity telemetry sources.
Familiarity with security frameworks and models such as MITRE ATT&CK, NIST CSF 2.0, and the cyber kill chain.
Preferred Qualifications
Experience in a Fortune 500, global, manufacturing, or industrial environment with complex, heterogeneous technology estates.
Prior experience standing up or transforming a SOC, threat intelligence, detection engineering, or incident response function.
Experience with threat detection and response in operational technology (OT) or industrial control system (ICS) environments.
Familiarity with platforms such as Elastic, Splunk, Swimlane, Cortex XSOAR, CrowdStrike, or Microsoft Sentinel.
Relevant certifications such as CISSP, CISM, GCIH, GCIA, GCTI, or GCFA.
Leadership Competencies
Strategic thinker with the ability to set direction and translate strategy into operational execution.
Decisive leader who operates effectively under pressure and makes sound calls during active incidents and competing priorities.
Delivery-oriented leader with a strong focus on accountability, measurable outcomes, and service quality.
Effective communicator able to translate complex threat and incident topics for executives, stakeholders, and technical teams.
Strong collaborator with the ability to influence across infrastructure, cloud, application, legal, and business teams.
Proven people leader with the ability to coach talent, build teams, and develop future leaders.
Additional Information
The role leads a 24x7 operation and may require off-hours availability for major incidents, escalations, and key initiatives.
Travel up to 10% may be required for site assessments, team collaboration, and vendor engagements.
The role may require coordination across global teams, including off-hours support for key initiatives, escalations, or major incidents.
Annual or Hourly Compensation Range
The base salary range for this position is $168,400.00 - $252,600.00. This position is eligible for annual bonus and long-term incentives based on performance, per plan terms. Many factors are taken into consideration when determining compensation, such as experience, education, training, geography, etc. We comply with all minimum wage and overtime laws.Benefits
Ecolab strives to provide comprehensive and market-competitive benefits to meet the needs of our associates and their families. Click here to see our benefits.
If you are viewing this posting on a site other than our Ecolab Career website, view our benefits at jobs.ecolab.com/working-here.
Potential Customer Requirements Notice
To meet customer requirements and comply with local or state regulations, applicants for certain customer-facing roles may need to:
- Undergo additional background screens and/or drug/alcohol testing for customer credentialing.
Americans with Disabilities Act (ADA)
Ecolab will provide reasonable accommodation (such as a qualified sign language interpreter or other personal assistance) with our application process upon request as required to comply with applicable laws. If you have a disability and require accommodation assistance in this application process, please visit the Recruiting Support link in the footer of each page of our career website.
Our Commitment to a Culture of Inclusion & Belonging
At Ecolab, we believe the best teams are inclusive. We are on a journey to create a workplace where every associate can grow and achieve their best. We are committed to fair and equal treatment of associates and applicants and recruit, hire, promote, transfer and provide opportunities for advancement based on individual qualifications and job performance. In all matters affecting employment, compensation, benefits, working conditions, and opportunities for advancement, we will not discriminate against any associate or applicant for employment because of race, religion, color, creed, national origin, citizenship status, sex, sexual orientation, gender identity and expressions, genetic information, marital status, age, disability, or status as a covered veteran.
In addition, we are committed to furthering the principles of Equal Employment Opportunity (EEO) through Affirmative Action (AA).
We will consider for employment all qualified applicants, including those with criminal histories, in a manner consistent with the requirements of applicable state and local laws, including the City of Los Angeles’ Fair Chance Initiative for Hiring Ordinance, the San Francisco Fair Chance Ordinance, and the New York City Fair Chance Act.