Director, Security Operations

Cipher Digital

About Cipher Mining

We are an industrial-scale data center construction and operations company. We allocate data center opportunities between bitcoin mining and other high performance computing services, such as AI. We continue to develop our pipeline of power capacity at high quality data center sites, either for bitcoin mining or HPC. Our best-in-class management team leverages expertise from the technology, fintech, energy, and finance domains, as well as deep experience related to cryptocurrencies and blockchain.

Position Overview

Cipher Digital (NASDAQ: CIFR) is building the physical infrastructure the AI era runs on. In little over a year, we have gone from one of the largest Bitcoin miners in the US to a hyperscale HPC and AI data center developer, with a multi-gigawatt pipeline across Texas and Ohio powering the compute behind the world's leading AI platforms.

It is one of the fastest pivots the data center industry has seen, and everyone building it has a stake in what comes next. Securing that infrastructure is a founding opportunity, and this is a greenfield role. You will stand up Security Operations as a function, build out managed detection and response, and own how Cipher detects, responds to, and recovers from security incidents across IT, OT, cloud, and tenant environments.

Security at Cipher is organized around clear ownership: security governance sets the policy and standards, security engineering builds the controls and the platform, and security operations runs and defends them. You own that third part: you maintain the posture, coordinate the managed detection and response function, and make sure the whole business is ready to respond. We own these functions; how we deliver them, whether by hiring, contracting, or subcontracting, is a deliberate choice we make in line with our regulatory and contractual requirements.

This is a leadership role for someone who has been in the room for major incidents and knows how to command them: you run a multi-party response across regions and time zones and get the right people in the right room when it matters. When an incident hits, you are the quarterback: you coordinate the whole business into one response, hold the line on Cipher's security policy, and drive an outcome that meets or beats our contractual and regulatory obligations.

Key Responsibilities

Security Operations and 24x7 Monitoring

  • Stand up and own security monitoring and detection across IT, OT, cloud, and tenant-boundary traffic. Cipher owns the function and controls its own detection content.
  • Maintain the security posture the organization defines, operating the security tooling the engineering team builds.
  • Own the metrics that prove coverage (time to acknowledge, time to respond) and the detection coverage map against recognized adversary frameworks for both IT and ICS.
  • Partner with security engineering on the detection handoff: they build detection-as-code, you operationalize and run it.

Incident Response Leadership & Automation

  • Build the incident response plan into a tested, audit-defensible capability and own it end to end. Define the response operating model, escalation paths, and the responsibility map across Cipher, tenants, and vendors.
  • Coordinate the response across peer functions: Data Center Operations, Physical Security, GRC, Security Engineering, IT, and Networking. Set the interface and handoff with each ahead of an incident, so a live response runs to plan and meets or exceeds Cipher's notification timelines.
  • Leverage modern Security Orchestration, Automation, and Response (SOAR) capabilities to automate containment, enrich alerts, and reduce manual analyst fatigue. Empower the SOC to continuously build and refine visual playbooks to streamline response.
  • Lead live incident response, including multi-party incidents that cross regions, tenants, and time zones.
  • Author and sign joint incident-response run books with tenants and partners ahead of go-live, meeting or exceeding contractual notification timelines.
  • Run regular security drills across IT and OT and feed the lessons back into the plan.

Detection and Response Delivery

  • Own detection and response delivery end to end. Where we contract or subcontract, select and manage the providers, enforce SLAs with financial credits on miss, and hold them accountable to delivery and transparency.
  • Drive consolidation and reduce concentration risk so detection and response do not rest on a single provider.
  • Coordinate the function so it operates as an extension of Cipher, not a black box, regardless of who delivers it.

Vulnerability and Posture Management

  • Run the vulnerability management program as a shared lifecycle: GRC defines the policy, risk tolerance, and severity model; security engineering implements the scanning and remediation tooling; operations maintains the program and responds. You own the cadence, the enforced remediation SLAs, and the reporting, with risk-based prioritization rather than raw scores.
  • Keep the three functions feeding each other: surface what you see in operation back to GRC and engineering so the policy and the tooling sharpen, rather than each working in isolation.
  • Maintain continuous awareness of the attack surface as the footprint scales across sites and tenants.

Team Leadership and Reporting

  • Build and lead the Security Operations function, growing capability as the footprint scales.
  • Communicate operational posture, incident readiness, and response outcomes clearly to the CISO and executive leadership.
  • Make security a capability the whole business shares: educate teams, run exercises, and help them respond well. Be a partner, not a blocker.

Qualifications And Experience

  • Deep experience leading security operations or incident response, including time spent running major incidents under real pressure. Operations as a lived discipline, not a recent addition to a broader role.
  • Demonstrated command of multi-party, multi-region incident response, with strong stakeholder communication under pressure.
  • Experience standing up and running detection and response, including managing providers and subcontracted services with SLA negotiation and enforcement.
  • Strong knowledge of SOC operations, SIEM, EDR, SOAR, and detection engineering, and how they combine into effective detection and response.
  • OT/ICS incident response or critical-infrastructure operational exposure is a strong plus.
  • Familiarity with SOC 2, ISO 27001, NIST 800-53, SOX, and partner notification obligations as they shape operational evidence and timelines.
  • Relevant certifications (CISSP, GIAC such as GCIH or GCIA, CISM) strongly preferred.

Key Skills And Competencies

  • Incident Response Leadership
  • Security Operations & SOAR
  • Detection and Response Delivery
  • Vulnerability Management
  • Cross-functional Command
  • Ownership and Bias for Action

Benefits*

  • 401K Retirement Plan with match
  • Medical, Dental and Vision Insurance
  • Life and Disability Insurance
  • And other perks!
  • Full Time Employees
