
Director Cybersecurity Operations and Threat Intelligence - #4623

100% remote Flexible hours Hiring now

About the position

Our mission is to detect cancer early, when it can be cured. We are working to change the trajectory of cancer mortality and bring stakeholders together to adopt innovative, safe, and effective technologies that can transform cancer care. We are a healthcare company, pioneering new technologies to advance early cancer detection. We have built a multi-disciplinary organization of scientists, engineers, and physicians and we are using the power of next-generation sequencing (NGS), population-scale clinical studies, and state-of-the-art computer science and data science to overcome one of medicine’s greatest challenges. GRAIL is headquartered in the Bay Area of California, with locations in Washington, D.C., North Carolina, and the United Kingdom. It is supported by leading global investors and pharmaceutical, technology, and healthcare companies. For more information, please visit grail.com.

We are seeking a strategic and battle-tested Director of Cybersecurity Operations and Threat Intelligence to lead our defensive security strategy. In this pivotal role, you will own the "shield" of the organization, overseeing the Security Operations Center (SOC), Incident Response (IR), and Cyber Threat Intelligence (CTI) functions. You will be responsible for detecting, analyzing, and neutralizing sophisticated cyber threats while proactively gathering intelligence to predict future attacks. This is a leadership role requiring a balance of deep technical expertise in defensive operations and the ability to communicate risk to executive leadership. This role requires more than technical proficiency. We are looking for a leader who models GRAIL’s core values, embodies our LEAD leadership attributes, and delivers results with integrity, inclusivity, and strategic insight.

This role is based in Menlo Park, California, and will move to Sunnyvale, California in Fall 2026. It offers a flexible work arrangement, with the ability to work from GRAIL's office or from home. Our current flexible work arrangement policy requires that a minimum of 60%, or 24 hours, of your total work week be on-site. Your specific schedule, determined in collaboration with your manager, will align with team and business needs and could exceed the 40% requirement for the site. At our Menlo Park campus, Tuesdays and Thursdays are the key days where we encourage on-site presence to engage in events and on-site activities.

Responsibilities

  • Security Operations (SecOps) Leadership
  • SOC Management: Direct the 24/7 Security Operations Center (internal or MSSP/MDR), ensuring rapid detection and containment of threats.
  • Incident Response: Serve as the primary commander during high-severity security incidents. Develop and maintain the Incident Response Plan (IRP) and conduct regular tabletop exercises.
  • Tooling & Architecture: Oversee the deployment and optimization of security tooling, including SIEM, SOAR, EDR/XDR, and IDS/IPS systems.
  • Automation: Drive the adoption of automation to reduce alert fatigue and decrease Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
  • Threat Intelligence & Hunting
  • Intelligence Program: Build and mature a Cyber Threat Intelligence (CTI) program that aggregates strategic, operational, and tactical intelligence.
  • Threat Hunting: Lead proactive threat hunting initiatives to identify indicators of compromise (IOCs) that evade automated detection tools.
  • Adversary Analysis: Map threat actor TTPs (Tactics, Techniques, and Procedures) against the MITRE ATT&CK framework to identify gaps in coverage.
  • Vulnerability Management: Collaborate with engineering teams to prioritize patching based on active threat intelligence rather than just CVSS scores.
  • Strategy & Leadership: Develop and execute the Cybersecurity Operations and Threat Intelligence strategy. Lead a team of security professionals and foster a security-aware culture.
  • Cloud Native Defenses: Lead the monitoring and defense of our AWS environment. Oversee the configuration of AWS Security Hub, GuardDuty, Shield, and container security tools (EKS/K8s).
  • SaMD Monitoring: Establish post-market surveillance and monitoring for our Software as a Medical Device (SaMD) platforms, ensuring alignment with FDA pre- and post-market cybersecurity guidance.
  • Data Integrity: Implement specific monitoring controls to detect unauthorized changes to genomic datasets (integrity attacks) and analysis pipelines.
  • Lab Ops Defense: Secure the "physical" edge. Monitor and protect Laboratory Information Management Systems (LIMS), DNA sequencers, and liquid handling robots.
  • Network Segmentation: Ensure that signals from the segmentation between corporate IT, the Cloud Product environment, and the high-sensitivity Lab OT network are feeding into the SOC.
  • Legacy Device Management: Develop "compensating controls" and monitoring strategies for lab equipment that cannot be patched or runs on legacy OS.
  • Bio-Espionage Focus: Develop a Threat Intelligence program specifical
