Director of Cyber Threat Intelligence (CTI)

AstraZeneca Plc

Gaithersburg, MD

JOB DETAILS
SALARY
$162.54–$243.80 Per Hour
SKILLS
Analysis Skills, Architectural Services, Automation, Biology, Biotech and Pharmaceutical, Brokerage, CISSP - Certified Information Systems Security Professional, CMOS, Career Counseling, Case Management, Clinical Data, Clinical Laboratory, Clinical Research, Clinical Trial, Communication Skills, Compensation and Benefits, Computer Security, Computer Telephony Integration (CTI), Conferences, Continuous Improvement, Contract Research Organization (CRO), Cross-Functional, Data Lake, Data Quality, Disease, Documentation, Ecosystems, Electronic Data Capture (EDC), Enterprise Emulators, Establish Priorities, GCIH - GIAC Certified Incident Handler, GMP (Good Manufacturing Practices), Government, Health Plan, Healthcare, IP (Internet Protocol), IR (Infrared), Incident Response, Intel Product Family, Internet Security, Laboratory Information Management System (LIMS), Leadership, Logistics, Machine Tool, Manufacturing, Medical Products, Metrics, Operational Strategy, Operations Research, Prescription Drugs, Process Improvement, Program Evaluation, Programmable Logic Controller (PLC), Regulations, Reporting Dashboards, Research & Development (R&D), Return on Investment (ROI), Risk, Risk Analysis, Risk Management, Risk Modeling, Sales Pipeline, Security Attacks, Security Information and Event Management (SIEM), Service Level Agreement (SLA), Software Patches, Software Reuse, Supervisory Control and Data Acquisition (SCADA), Tactical Operations, Team Lead/Manager, Technical Delivery, Technical Leadership, Telemetry, Threat Modeling, Web Site Monitoring
LOCATION
Gaithersburg, MD
POSTED
30+ days ago

About AstraZeneca

AstraZeneca is a global, science-led, patient-focused biopharmaceutical company dedicated to discovering, developing, and commercialising prescription medicines for serious disease. We're committed to being a Great Place to Work.

About the Role

The Director of Cyber Threat Intelligence will lead a highly technical CTI function within AstraZeneca's Cybersecurity Operations division, managing a team of analysts to deliver strategic, operational, and tactical intelligence that measurably reduces risk across the enterprise, including manufacturing, clinical trial platforms, and R&D environments. This role anchors CTI to "intel-to-action" outcomes, partnering closely with Vulnerability Management, Detection Engineering, and Incident Response to harden controls, prioritize patching, improve detections, and accelerate response.

Key Responsibilities

  • Program Leadership and Strategy: Define CTI vision, operating model, and roadmap aligned to AstraZeneca's cyber risk reduction strategy, with special emphasis on manufacturing continuity, clinical data integrity, and R&D IP protection.
  • Adversary Prioritization Framework: Design and operate a scoring rubric that ranks actors based on intent/capability/relevance, TTP emergence and prevalence, organization-specific exposure to known vulnerabilities/CVEs, and global "viral" events, maintaining dynamic watchlists and escalation triggers.
  • MTTI Metric and Analytics: Implement analytic methods to estimate mean time-to-impact per adversary (from initial access to material business impact) using internal telemetry, historical incidents, industry reporting, and confidence levels, performing comparisons with IR's MTTC to drive control improvements.
  • Attack Path Modeling: Build and maintain end-to-end attack path models from initial access to material impact across IT-to-OT pivots, clinical platforms, and R&D environments, mapping steps to MITRE ATT&CK (Enterprise/ICS), identify control gaps and choke points, derive detections-as-code and hunt hypotheses, and support validation efforts including purple-team exercises and adversary emulation to ensure enterprise hardening and measurable risk reduction.
  • Dark Web and Closed-Source Monitoring: Establish collection and monitoring across dark web forums, marketplaces, breach dumps, and closed channels to identify emerging TTPs, credential leaks, data exposure, access-broker listings, and targeting of manufacturing, clinical, or R&D assets, integrating validated findings into TIP/SIEM pipelines, trigger takedown requests where feasible, and deliver rapid advisories with confidence ratings and specific actions for Vulnerability Management, Detection Engineering, and IR.
  • Third-Party and Ecosystem Intelligence: Deliver risk insights for CROs/CMOs/logistics/technology vendors, monitor credential leakage and domain spoofing, and support/coordinate takedown operations when needed.
  • Structured Threat Actor Attribution (Diamond Model): Lead disciplined attribution using the Diamond Model (adversary, capability, infrastructure, victim) and complementary frameworks, correlating TTPs, tooling lineage, code-reuse, infrastructure overlaps, and victimology with confidence levels and analytic caveats, documenting hypotheses, alternative explanations, and disconfirming evidence, and producing reusable actor profiles and pivot paths that inform prioritization, detections, hunts, and incident response playbooks.

Minimum Qualifications

  • Leadership and Strategic Impact: 10+ years in cyber threat intelligence, detection engineering, incident response, or related domains; 5+ years leading technical CTI teams in global enterprises. Demonstrated ability to set vision, influence strategy, and deliver outcomes tied to enterprise risk reduction.
  • Decision Making and Accountability: Proven ownership of adversary-centric CTI programs that directly drive vulnerability prioritization, detections-as-code, hunts, and incident response. Comfortable making data-driven decisions with clear trade-offs and confidence levels.
  • Technical Depth (ATT&CK Enterprise/ICS): Deep expertise mapping TTPs to MITRE ATT&CK, defining coverage strategies, and translating gaps into high-fidelity detections and hunt hypotheses; skilled in industrial/OT contexts.
  • Attack Path Modeling and Risk Translation: Hands-on delivery of end-to-end attack paths across IT-to-OT pivots, clinical platforms, and R&D environments; validation via purple-team/adversary emulation; ability to convert findings into prioritized control roadmaps and measurable risk reduction.
  • Adversary Prioritization and Scoring: Designed and operated tailored actor scoring incorporating intent/capability, TTP emergence/prevalence, org exposure to CVEs, and global/viral events; maintained dynamic watchlists and escalation triggers.
  • Structured Attribution Tradecraft: Applied the Diamond Model and complementary frameworks with documented hypotheses, caveats, disconfirming evidence, and confidence statements; produced reusable actor profiles and pivot paths.
  • Metrication (MTTI vs. MTTC): Built mean time-to-impact metrics per actor and operationalized comparisons to IR's mean time-to-containment to guide control improvements and track program effectiveness.
  • Vulnerability Intelligence for Hardening: Delivered contextual CVE analysis (exploitability, weaponization, external scanning telemetry, compensating controls) and risk-based patch recommendations across IT, OT/ICS, clinical, and lab environments.
  • Detection Engineering Collaboration: Co-developed detections-as-code (e.g., Sigma, KQL, SPL), tuned content to reduce false positives, and closed ATT&CK coverage gaps with feedback loops from hunts/incidents.
  • Incident Intelligence Support: Provided real-time adversary context, kill-chain reconstruction, containment recommendations, and post-incident retrospectives that inform detection and architectural improvements.
  • Collection, Tooling, and Automation: Operated dark web/closed-source monitoring; integrated findings into TIP/SIEM/EDR pipelines; managed indicator lifecycle, automated enrichment, and measured source fidelity/bias.
  • Stakeholder Partnership and Communication: Clear, concise communication of complex technical intelligence to executives and cross-functional partners (Vulnerability Management, Detection Engineering, SOC/IR, OT Security, Clinical Ops, Research IT); ability to influence without authority.

Preferred Qualifications

  • Sector Experience and Regulatory Context: Experience in pharmaceuticals, life sciences, healthcare, or manufacturing; familiarity with GMP/CSV, clinical data obligations, and R&D IP protection.
  • OT/ICS and Critical Operations: Hands-on work with MES, SCADA, PLC ecosystems; ATT&CK for ICS usage; understanding of OT-safe response practices and production continuity implications.
  • Clinical/R&D Platforms: Exposure to CTMS, EDC, IRT, ELN, LIMS, HPC, and data lake environments; experience safeguarding data integrity and sensitive research/IP.
  • Program Metrics and Outcomes: Built dashboards tracking MTTI by actor, ATT&CK coverage indices, intel-informed patch SLAs, hunter ROI, and executive risk narratives; experience presenting to senior leadership and risk committees.
  • Advanced Tooling/Automation: TIP administration, SIEM/EDR content engineering, enrichment/orchestration pipelines, case management integration, and indicator lifecycle automation at enterprise scale.
  • Threat Modeling and Quantification: Ability to translate attack paths into quantified risk scenarios and prioritized control investments aligned to business objectives and crown jewels.
  • External Partnerships: Active engagement with H-ISAC/ISAOs and government/industry partners; track record of rapidly converting global/viral cyber events into enterprise defenses and executive guidance.
  • Certifications: One or more of GCTI, GREM, GRID, GCIH, CISSP, or equivalent demonstrated expertise.
  • People Leadership: Built diverse, high-performing teams; established career paths, coaching frameworks, and a culture of analytic rigor, technical excellence, and continuous improvement.

Location and Working Model

Location: Gaithersburg, Maryland.

Working Model: Hybrid-three days per week in office, two days remote. Occasional travel for key meetings, plant/partner engagements, conferences, or incident support may be required.

Why Join Us?

We're a network of high-reaching self-starters who contribute to something far bigger. We enable AstraZeneca to perform at its peak by delivering premier technology and data solutions. We're not afraid to take ownership and run with it. Empowered with unrivalled freedom. Put simply, it's because we make a significant impact. Everything we do matters. When we put unexpected teams in the same room, we unleash bold thinking with the power to encourage life-changing medicines. In-person working gives us the platform we need to connect, work at pace and challenge perceptions. That's why we work, on average, a minimum of three days per week from the office. But that doesn't mean we're not flexible. We balance the expectation of being in the office while respecting individual flexibility. Join us in our unique and ambitious world.

Annual Base Pay

The annual base pay for this position ranges from $162.536,00 - $243.804,00 USD Annual. Hourly and salaried non-exempt employees will also be paid overtime pay when working qualifying overtime hours. Base pay offered may vary depending on multiple individualized factors, including market location, job-related knowledge, skills, and experience. In addition, our positions offer a short-term incentive bonus opportunity; eligibility to participate in our equity-based long-term incentive program (salaried roles), to receive a retirement contribution (hourly roles), and commission payment eligibility (sales roles). Benefits offered included a qualified retirement program (401(k) plan); paid vacation and holidays; paid leaves; and, health benefits including medical, prescription drug, dental, and vision coverage in accordance with the terms and conditions of the applicable plans. Additional details of participation in these benefit plans will be provided if an employee receives an offer of employment. If hired, employee will be in an "at-will position" and the Company reserves the right to modify base pay (as well as any other discretionary payment or compensation program) at any time, including for reasons related to individual performance, Company or individual department/team performance, and market factors.

So, What's Next?

Are you already envisioning yourself joining our team? Good, because we'd love to hear from you! Click the link

About the Company

A

AstraZeneca Plc

AstraZeneca is one of the world’s most exciting bio-pharmaceutical companies. From scientists to sales, lab techs to legal, we’re on a mission to turn ideas into life-changing medicines that improve patients’ lives and benefit society. We need great people who share our passion for science and have the drive and determination to meet the unmet needs of patients around the world.
COMPANY SIZE
10,000 employees or more
INDUSTRY
Biotechnology/Pharmaceuticals
WEBSITE
https://www.astrazeneca.com/