New York Hire Now

Job Information

Citigroup Global Cyber Forensics Investigative Team (CFIT) Coordinator in New York, New York

Related activities include but are not limited to:

  • Track the progress of the CFIT process during a security incident and ensure that is moving forward.

  • Provide direction, logistical support, and updates to all regional Incident Responders, managers, and the Cyber Security Fusion Center.

  • Represent regional CSIS interests exclusively to the Cyber Security Fusion Center as a central point of contact; manage seamless coordination across regional CFIT units

  • Collaborate with global internal and external resources to bring scoping and resolution to security incidents (e.g. Third / Fourth party breaches, risk assessments, etc.)

  • Coordinate with vendors, including external forensic parties, to manage, investigate, and provide insight into each incident.

  • Coordinate efforts with various SMEs of involved apps and infrastructure teams to identify key components and information sources such as environments (on-premises versus cloud), servers, workstations, middleware, applications, databases, logs, etc.

  • Create, manage, maintain, and support the evidence collection and analysis of each regional CFIT execution team.

  • Coordinate activities of multidisciplinary groups for defining remediation activities.

  • Spearhead the creation of common investigative work streams and coordinate across regions. Ensure seamless global execution tailored to each incident.

  • Oversee and coordinate the documentation, updates, and execution of high profile Cyber investigations.

  • Support efforts to design, plan, and execute tabletop exercises geared towards improving the readiness and analytical consistency/capability of cross border incident response elements.

  • Arrange and coordinate After Action Reports (AAR) as a result of exercises / named events.

  • Serve as the backup of the IR Execution Coordinator and support the execution of all related logistical responsibilities to the Fusion Center and the Incident Response teams

  • Act as a business partner/key advisor and create an effective interaction model with business and site stakeholders as well as functional partners.

  • Manage all staffing activities: hiring, establishing performance expectations/goal/objectives, managing staff performance, disciplinary actions, terminations, promotions, KPIs against targets and staff compensation decisions. This also may include, budget, year-end compensation pool and expense approvals for team.

  • Provide regular feedback, guidance and consultation to managers and staff, offering direction and expertise to further an investigation.

  • Ensure the appropriate utilization of cyber investigative resources to achieve optimum results. Conduct periodic audits of the CFIT process, to ensure it meets regional investigative standards.

  • Develop and maintain effective relationships with local regulatory bodies, law enforcement, intelligence agencies, sister bank network, and industry professional associations and keep abreast of the local and international environment.

  • Conduct professional briefings on specific investigations to senior leadership inside and outside the firm

Education and Experience Required:

  • Bachelor's degree in a technically rigorous domain such as Computer Science, Information Security, Engineering, etc.

  • 15+ years of professional experience in cybersecurity and/or information security, or demonstrated equivalent capability.

  • 5+ years managing a team professional staff, cyber program or resources.

  • 5+ years working in Cyber incidents analysis in large organizations including working in a Fusion Center environment.

  • Demonstrated experience in digital forensics (e.g. computer, network, mobile device forensics, and forensic data analysis, etc).

  • Activities include but not limited to:

  • e-Discovery process and procedures.

  • Memory collection and analysis from various platforms.

  • Evidence preservation.

  • Malware analysis.

  • File system knowledge and analysis.

  • Timeline analysis.

  • Registry, event, and other log file and artifact analysis.

  • Prior experience with a DFIR toolset (e.g. EnCase, FTK, Sleuth Kit) and related scripting (e.g. EnScripts, EnConditions)

  • Previous experience using SIEM tools such as Splunk.

  • Prior experience with some of the following tools: Splunk, Volatility, YARA, CrowdStrike Falcon, SIFT Workstation, Security Onion, Wireshark, Plaso, Nuix.

  • Previous experience with an EDR system (e.g. Tanium, Crowdstrike Falcon)

  • Previous Dev/Sec/Ops experience with cloud environments (e.g. AWS, GCP, Azure) and underlying storage, compute and monitoring services (e.g. AWS S3, EC2, CloudTrail, CloudWatch)

  • Excellent communication and presentation skills, analytical ability, strong judgment and leadership skills, and the ability to work effectively with clients and IT management and staffs.

  • Ability to communicate technical issues to technical and non-technical business representatives.

  • Ability to understand strategic objectives and vision, and work towards those goals.

  • Dedicated and self-driven desire to research current information security landscape.

  • Exhibit strong influencing / negotiation skills as well as written/verbal communication skills.

  • Ability to work without constant supervision.

  • Ability to share knowledge with teammates.

  • Must have flexibility to work outside of normal business hours when necessary.

  • Exceptional candidates who do not meet these criteria may be considered for the role provided they have the commensurate skills and experience from non-traditional backgrounds.

  • Demonstrated a clear understanding of cyber investigation techniques and shares those insights appropriately with others

  • Detailed understanding of all basic cyber investigative concepts including report writing, cyber threat analysis, strategic forecasting, conducting lessons learned and regional expertise

  • Experience with or understanding of potential global economic threats (e.g., cyber threats, global impact threats, foreign threats, etc.)

  • Understanding of levers (both controllable and uncontrollable) that may impact outcomes of cyber events

Education and Experience Preferred

• Graduate degree (US only)

  • Thorough understanding of compiled and interpreted programming languages (C, Powershell, Java, JavaScript, Ruby, Python, etc.).

  • Some knowledge of SDLC best practices, secure code practices, and agile methods.

  • Previous middleware experience including infrastructure related to web servers, authentication systems or messaging tools.

  • Previous experience with both relational and non-relational databases.

  • Previous experience with forensic investigations or large scale incident response in cloud environments (e.g. AWS, GCP, Azure)

  • Previous experience with containerization methods and tools (e.g. Docker, Kubernetes)

  • Previous experience with security in cloud infrastructure, including API security best practices

  • Working knowledge of networking protocols and infrastructure designs; including routing, firewall functionality, host and network intrusion detection/prevention systems, encryption, load balancing, and other network protocols.

  • Proficient in LINUX, AIX, Solaris, OS X, and Windows operating systems.

Job Family Group:

Corporate Services

Job Family:


Time Type:

Full time

Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi”) invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi ( .

View the "EEO is the Law ( " poster. View the EEO is the Law Supplement ( .

View the EEO Policy Statement ( .

View the Pay Transparency Posting (

Citi is an equal opportunity and affirmative action employer. Minority/Female/Veteran/Individuals with Disabilities/Sexual Orientation/Gender Identity.