We Break the Attack Chain
Response Analyst
Location
Spain
Posted
42 days ago
Salary
0
Seniority
Mid Level
Job Description
Response Analyst
Fortra
Whether you’re an experienced professional or just getting started, your contributions matter at Fortra. If you’re passionate about tackling meaningful challenges alongside talented team members committed to helping each other succeed, all while having lots of fun, we want to hear from you. We offer competitive benefits and salaries, personal and professional development opportunities, flexibility, and much more!
The Response Analyst is a professional with a strategic mindset, responsible for maintaining change management, incident response, and problem management at Fortra. With an established track record in these areas, this role is pivotal in shaping our response strategies, ensuring Fortra and its clients benefit from top-tier, forward-thinking solutions. The individual will also play a key role in strategic meetings with leadership teams. This role emphasizes proactive actions, making recommendations, and then swiftly executing them. With the autonomy to act and the responsibility to immediately advise, the IT Response Analyst is pivotal in shaping Fortra's response strategies for optimal results.
WHAT YOU'LL DO
- Oversee and manage change management processes to ensure smooth transitions and minimal disruptions.
- Evaluate Request for Change (RFCs), ensuring alignment with business strategies and compliance requirements.
- Lead incident response efforts, coordinating with various teams to resolve issues swiftly and effectively.
- Conduct detailed root cause analysis to address recurring issues and implement preventative measures.
- Facilitate postmortem reviews to analyze incidents, identify lessons learned, and drive continuous improvement.
- Implement and maintain problem management processes to identify and eliminate systematic IT issues.
- Participate in strategic meetings with leadership teams, providing insights and recommendations.
- Proactively make recommendations for improvements and execute them promptly.
- Advise on response strategies and ensure optimal results through proactive actions.
QUALIFICATIONS
- Bachelor’s Degree in IT or an equivalent qualification.
- 3+ years of experience in IT Operations or related roles.
- Solid knowledge of ITIL frameworks (ITIL Foundation certification is a plus).
- Strong interpersonal and communication skills for working with diverse teams and stakeholders.
- Deep understanding of business alignment.
- Ability to work in a fast-paced, customer-focused environment with high service expectations.
- Excellent analytical and problem-solving skills.
- Strong knowledge in on-premise or Cloud environments.
Desired Skills:
- Familiarity with project management methodologies (e.g., Agile, Scrum, or PMP certification).
- Self-starter with the ability to recommend and act on solutions independently.
- Experience with ITSM automation tools.
At Fortra, we’re breaking the attack chain. Ready to join us? Visit our website to learn more about why employees choose to work for Fortra. Remember to connect with us on LinkedIn.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, sexual orientation, gender identity, veteran or disability status.
More Incident Response Analyst Jobs
Incident Response, Lead
Cook Children's Health Care System
Cook Children's Health Care System is headquartered in Fort Worth, Texas and is comprised of numerous centers, hospitals, and practices. Since 1918 as a single
Location: Remote - TX
Department: Enterprise Systems
Shift: First Shift (United States of America)
Standard Weekly Hours: 40
Summary:
NOTE: This role carries 24/7 on-call rotation responsibilities and active incident command expectations during major and critical events.
The Incident Response Lead works with IT stakeholders across Cook Children's Health Care System to develop policies, procedures, and risk management activities that efficiently contain and minimize the impact of business interruption due to disasters or information system unavailability. This role performs risk and triage analysis to develop incident response plans and runbooks for the most likely and highest-impact events affecting the organization. The Lead also assists IT and business stakeholders in testing response plans through downtime scenarios, tabletop exercises, and other readiness activities.
Qualifications:
- BS/BA degree in Information Technology, Business Administration, Risk Management or a related field required. In lieu of the BS/BA degree, may accept a high school diploma and 7 years of experience.
- 4+ years' experience in incident response management or a related field required.
- Strong knowledge of industry standards and frameworks such as ISO 22301 or NIST SP 800-34.
- Strong understanding of project management principles and data technologies, expert level knowledge of IT Service Management principles, best practices and frameworks such as ITIL.
- Expert-level knowledge of IT Service Management principles, frameworks, and best practices (ITIL) preferred
- Expert-level ServiceNow experience — incident workflows, ticket quality, auditing, and reporting preferred
- Proven ability to lead live incident response under pressure
- On-call availability; experience in 24/7 rotation environments
- Strong understanding of project management principles and data technologies preferred
Additional Preferred Qualifications:
- Experience in healthcare IT environments
- ITIL 4 Foundation certification or higher
- Hands-on experience building or facilitating DR tabletop exercises
- Experience building or auditing runbook libraries
- Familiarity with clinical system availability requirements
- Strong executive communication and reporting skills
ON-CALL & ACTIVE INCIDENT RESPONSIBILITIES
This position participates in a 24/7 on-call rotation for major and critical incidents. When a Priority 1 event occurs, this role assumes incident command — coordinating cross-functional bridge calls, driving toward resolution, and maintaining stakeholder communication from onset through post-incident review.
Responsibilities during active incidents include:
- Assume incident command for major and critical events
- Coordinate IS leadership, business stakeholders, and technical resolvers in real time
- Draft impact statements and maintain incident timelines
- Manage communication cadence through resolution
- Enforce ticket discipline during incidents — accuracy, work note quality, and
- Post Incident Review resolution documentation standards within ServiceNow
SERVICENOW PLATFORM EXPECTATIONS
Expert-level ServiceNow experience is highly preferred. This role uses the platform as both an operational tool and a quality assurance mechanism.
Key expectations include:
- Evaluate incident ticket integrity: classification accuracy, impact/urgency, scoring, resolution notes, and root cause documentation
- Build and maintain auditing processes to ensure data quality across the incident lifecycle
- Monitor SLA compliance and workflow adherence
- Extract trend data and produce dashboards and reports for leadership
- Enforce incident workflow standards and drive corrective action where gaps exist
Platform competency areas: Incident Management, Ticket Quality Evaluation, Audit & Compliance Workflows, Trend Analysis, SLA Monitoring, platform analytics, Problem Management, Reporting, CMDB Awareness.
About Us: Cook Children's Health Care System
Cook Children's Health Care System offers a unique approach to caring for children because we are one of the country's leading integrated pediatric health care delivery organizations. Patients benefit from the integrated system because it allows Cook Children's to use all of its resources to treat a patient and allows for easy communication between the various companies by physicians with a focus on caring for children and adolescents.
Cook Children’s is an equal opportunity employer. As such, Cook Children’s offers equal employment opportunities without regard to race, color, religion, sex, age, national origin, physical or mental disability, pregnancy, protected veteran status, genetic information, or any other protected class in accordance with applicable federal laws. These opportunities include terms, conditions and privileges of employment, including but not limited to hiring, job placement, training, compensation, discipline, advancement and termination.
Senior Incident Response Analyst
Coalition
Coalition is a cybersecurity company dedicated to partnering with clients to help them prevent and mitigate losses. Coalition helps small and medium-sized businesses around the wor
Lead comprehensive incident response engagements, conduct digital forensics to analyze cyber incidents, and produce detailed forensic reports while collaborating with clients and teams to guide effective remediation strategies.
Law Enforcement Response Associate
Concentric
Concentric is a risk consultancy specializing in delivering strategic security and intelligence services. We provide holistic, intelligent security solutions for private clients and corporations globally. Concentric offers strategic advisory services, risk assessments, physical protection, threat intelligence, open-source monitoring, program audits, secure embedded staffing, and training for security teams and intelligence analysts. Our ultimate goal is to be recognized as the most innovative, capable, and trusted Risk Management partner in the world, and we do this by following these core values:
- Integrity
- Collaboration
- Relationships
- Excellence
- Creativity
- Results
Concentric and SPS Global acknowledge the systemic barriers in the security industry and recognize that removing those barriers will require a collaborative and conscious effort. Concentric and SPS Global are committed to programs and initiatives that promote diversity, equity, and inclusion, enhancing our organization and the broader community. We are creating a diverse environment and are proud to be an equal opportunity employer. We encourage people from all backgrounds to apply. All qualified applicants will receive consideration for employment regardless of race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status.
Concentric Advisors and SPS Global are committed to protecting the privacy and security of all applicants who submit personal information to us. You can access our GDPR and CCPA policy by clicking the GDPR button at the bottom of our career page.
Role Description
The Law Enforcement Response (LERT) Associate is pivotal in maintaining coordination between client teams, key law enforcement officials, and government agencies. This role drives strategic safety efforts for the client community and coordinates responses with other cross-functional teams. In this role, you will identify safety threats to the client community and take appropriate action by liaising with law enforcement agencies. Additionally, with your tenured experience, you will serve as a mentor to newer associates on the team and be responsible for engaging in highly sensitive case types and process improvement.
Responsibilities
- Respond to requests from law enforcement and government authorities globally.
- Review and assess requests related to critical safety incidents, emergency and emergency-in-progress situations that require timely and accurate response and engagement with Law Enforcement in order to keep the client community safe.
- Identify and flag potentially high-risk requests for internal escalation and review to LE Ops management.
- Investigate, track, analyze, and accurately respond to a variety of legal requests for user data, working directly with law enforcement authorities, government agencies, and court officials.
- Comprehensively document investigation results and decisions.
- Maintain high levels of confidentiality and accuracy while performing investigations.
- Ability to demonstrate excellent judgment and provide recommendations on the best course of action for responding to requests.
- Work with CS, Safety, and Trust teams to develop and refer relevant criminal matters to law enforcement authorities.
- Demonstrate great judgment and be open to sharing best practices with your LE Ops colleagues.
- Provide guidance and mentorship to other LE Ops associates; participate in the training of new associates.
- Ensure that urgent cases are identified, actioned effectively, and handled in accordance with applicable laws and internal community standards and policies.
Qualifications
- Must be able to legally work in the country where this position is located without visa sponsorship.
- 4+ years of relevant experience in legal operations, investigative, or analytical roles.
- Skilled in various computer systems, internet technology, and software (MS Office, etc.).
- Strong interpersonal and communication skills, both written and verbal.
- Analytically minded with strong attention to detail and accuracy.
- Advanced knowledge of SQL, Salesforce, and/or an interest in learning more.
- Ability to manage and prioritize large ticket volumes.
- Confidence in corresponding with law enforcement at all levels in a tactful and considerate manner, ensuring a positive stakeholder experience.
- Uses knowledge of how different teams across their function impact the achievement of objectives.
- A self-starter who enjoys working in a rapidly changing environment.
- Good sense of humor and a love for fun and adventure.
- Manages time efficiently and prioritizes deliverables effectively.
- Acts as a specialist, providing subject matter expertise and/or guidance to more junior team members.
- Works with a high degree of independence and initiative to resolve issues.
- A critical thinker with the ability to understand the implications of a given scenario within the business/operational context.
- Provides a high level of administrative support and works with highly sensitive and confidential material.
- Exchanges complex information and ideas effectively, adapting to a range of audiences.
- Contributes to and possibly leads to some process improvement.
Requirements
- This is a full-time position. The team operates 24 hours per day, seven days per week, and requires regular shift work, including some holidays and weekends.
- This position requires up to 10% travel.
Benefits
- The HSA medical plan covers 100% of the premium for employee-only coverage.
- The PPO medical plan requires an employee contribution for employee-only coverage. For both plans, Concentric covers a substantial portion of the premium for dependents.
- Concentric also offers an HSA employer contribution.
- Medical FSA.
- Employer-paid insurance: life, STD, LTD, and AD&D.
- 401(k) including employer match.
- 11 paid holidays.
- Paid leave (vacation, sick, parental).
- Annual Health & Wellness Benefit.
- Pet Insurance.
- National discount employee program.
- Employee Assistance Program for personal needs.
- Credentity Protection - Eclipse Digital Protection by Concentric.
- Free access to our Risk Intelligence Dashboard and GEAR App.
- Dedicated Security and Intelligence Training Programs for Professional Development.
- Coaching and Mentoring Opportunities.
Senior Incident Response Analyst
Coalition, Inc.
Coalition is the world's first Active Insurance provider designed to help prevent digital risk before it strikes. Founded in 2017, Coalition combines comprehensive insurance coverage and innovative cybersecurity tools to help businesses manage and mitigate potential cyberattacks. Work at Coalition is centered on the joint mission to Protect the Unprotected. We have built a remote-first, highly inclusive culture that welcomes people from diverse backgrounds. We trust each other to take responsibility, share ownership of outcomes, and put in the work together to protect businesses from digital risk. Coalition’s exceptional growth stems from its ability to address real-world problems for organizations of all sizes while remaining true to our founding values of character, humility, responsibility, purpose, authenticity, and inclusion.
About us
Coalition is the world's first Active Insurance provider designed to help prevent digital risk before it strikes. Founded in 2017, Coalition combines comprehensive insurance coverage and innovative cybersecurity tools to help businesses manage and mitigate potential cyberattacks. Opportunities to make an impact with bold thinking are real—and happening daily at Coalition.
About the role
Coalition Incident Response (CIR) Australia is hiring a Senior Incident Response Analyst to lead high-impact digital forensics and incident response investigations for our insureds. You will guide organisations through business email compromise, ransomware, data theft, and other cyber incidents, from initial scoping through recovery and reporting. In this role, you will partner closely with the local IR Lead, external breach counsel, Coalition Claims, MDR, and our security engineering teams to help organisations navigate some of their worst days with confidence and clarity.
Responsibilities
- Lead end-to-end incident response engagements, from intake and scoping through evidence collection, analysis, containment, remediation guidance, and closure.
- Perform digital forensics across endpoints, email platforms, networks, websites, and cloud services to reconstruct attacker activity and determine scope and impact.
- Investigate Microsoft 365 and other cloud environments for account compromise, data access, mail flow abuse, and configuration weaknesses.
- Produce clear, defensible forensic reports and executive-ready summaries that describe what happened, how it happened, and what to do next.
- Facilitate client and counsel calls, including findings briefings, remediation recommendations, and post-incident lessons-learned discussions.
- Contribute to Australia-specific IR processes, playbooks, and active services (such as tabletop exercises), and participate in our global follow-the-sun coverage model.
Skills and Qualifications
- Substantial hands-on DFIR experience, including leading complex investigations as the primary analyst and client point of contact.
- Strong technical foundation in Windows and Linux forensics, including acquisition, timeline analysis, and investigation of common attacker techniques (macOS experience a plus).
- Proven experience with Microsoft 365 email and cloud forensics, including mailbox and audit log review, OAuth and mailbox rule abuse, and common phishing/BEC scenarios.
- Ability to investigate web and application compromises, with particular familiarity with WordPress or similar CMS platforms.
- Experience working with network, perimeter, and authentication logs, as well as EDR and related security tooling, to identify and track malicious activity.
- Excellent written and verbal communication skills, with a track record of translating complex technical findings into clear guidance for non-technical stakeholders, including executives and legal counsel.
- Comfort operating in a fast-paced environment with multiple concurrent cases, balancing urgency with thoughtful, high-quality analysis and documentation.
- Familiarity with Australian privacy and regulatory requirements, and how they influence breach assessment, notification, and documentation in incident response, is strongly preferred.
- Programming or scripting experience (e.g., Python, PowerShell) to automate analysis, evidence collection, or reporting is a plus.
Bonus Points
- Experience handling incidents in an insurance, MSSP, or DFIR consulting context, particularly in the Australian market.
- Prior experience working in a globally distributed or follow-the-sun IR team.
- Exposure to forensics and log analysis in AWS, Google Cloud, and other major SaaS platforms.
- Experience designing or delivering proactive IR offerings such as tabletop exercises, readiness assessments, or playbook development.
- Demonstrated contributions to improving DFIR processes, tooling, or automation within a prior team.
Perks
- 100% medical coverage, including outpatient and emergency care
- 20+ paid holidays
- 12% employer pension contribution
- Annual home office stipend
- Mental & physical health wellness programs
- Competitive compensation and opportunity for advancement
Why Coalition?
Work at Coalition is centered on the joint mission to Protect the Unprotected. We have built a remote-first, highly inclusive culture that welcomes people from diverse backgrounds. We trust each other to take responsibility, share ownership of outcomes, and put in the work together to protect businesses from digital risk. Coalition’s exceptional growth stems from its ability to address real-world problems for organizations of all sizes while remaining true to our founding values of character, humility, responsibility, purpose, authenticity, and inclusion. We’re always looking for collaborative, inquisitive individuals to join #OurCoalition.
Privacy Notice
Coalition is committed to protecting your privacy and handling your personal information responsibly. We collect, use, and store personal information as necessary for the recruitment process and in compliance with applicable privacy laws and regulations in all regions where we operate. We want you to understand what personal information we collect, how we use it, and your rights regarding access, correction, and deletion of your data where applicable. Information submitted, collected, and processed as part of your application is subject to Coalition's Privacy Policy. For further details, please review our full Privacy Policy or contact us with any questions regarding how your information is handled.
Safe Hiring Notice
All legitimate communication from Coalition comes from @coalitioninc.com emails, and open roles are listed only on our Careers page. We never ask for payment, banking details, or personal identification before an offer is accepted through our secure systems. If you believe you’ve been a victim of fraudulent recruiting, follow guidance from the Federal Trade Commission (FTC).
Anti-Discrimination Notice
Coalition is proud to be an Equal Opportunity employer. Our policy is to provide equal employment opportunities to all individuals, without discrimination or harassment on the basis of any characteristic protected by applicable laws in each country where we operate. This commitment includes, but is not limited to, ensuring equal treatment in recruitment, selection, training, promotion, transfer, compensation, and all other aspects of employment. Coalition does not tolerate discrimination or harassment of any kind, and we are dedicated to fostering an inclusive and supportive workplace.
Accommodations
Coalition is committed to providing reasonable accommodations to qualified individuals with disabilities, including applicants and employees, in accordance with applicable laws and regulations in each country where we operate. Our policy is to support equal opportunity in the hiring process by considering qualified applicants regardless of disability or other protected characteristics, unless providing accommodation would impose an undue hardship or disproportionate burden. If you require accommodation to complete an application, interview, pre-employment testing, or participate in the selection process, please contact us at candidateaccommodations@coalitioninc.com. We also consider all qualified applicants, including those with criminal histories, in line with applicable laws and regulations in each jurisdiction.
To all recruitment agencies: Coalition does not accept unsolicited agency resumes. Do not forward resumes to our email alias, employees, or other physical or virtual organization locations. Coalition is not responsible for any fees related to unsolicited resumes.


