Digital Forensics & Incident Response (DFIR) Manager

We are the leading provider of professional services to the middle market globally, our purpose is to instill confidence in a world of change, empowering our clients and people to realize their full potential. Our exceptional people are the key to our unrivaled, culture and talent experience and our ability to be compelling to our clients. You’ll find an environment that inspires and empowers you to thrive both personally and professionally. There’s no one like you and that’s why there’s nowhere like RSM.

The RSM Cyber Response team leads organizations through some of their most consequential cyber events. The DFIR Manager serves as both incident commander and engagement leader, overseeing multiple complex matters while aligning technical, legal, executive, and insurance workstreams.

This role requires strong incident command authority, deep ransomware experience, and the ability to guide cross-functional response efforts at the executive level. Managers maintain oversight across engagements, provide escalation guidance to Supervisors, and ensure investigative quality, consistency, and defensibility across the practice.

The DFIR Manager is accountable not only for technical excellence, but also for engagement delivery, stakeholder alignment, and operational leadership during crisis response.

Responsibilities:

• Serve as incident commander during high-severity events, particularly ransomware and enterprise-scale breaches.
• Oversee multiple concurrent engagements, ensuring quality, consistency, and appropriate resource allocation.
• Define investigative strategy and escalation thresholds for complex incidents.
• Align technical response with legal, regulatory, insurance, and executive considerations.
• Review and approve investigative findings, containment validation, and executive reporting.
• Act as senior advisor to client executives, legal counsel, and cyber insurers.
• Provide guidance to Supervisors on advanced investigative decisions and complex threat actor scenarios.
• Maintain executive-level communication cadence during incidents.
• Support development of standardized methodologies, playbooks, and quality controls across the practice.
• Mentor Supervisors and Consultants in both technical depth and client leadership.
• Participate in on-call rotation and provide oversight during critical incidents.

Preferred Qualifications:

Expertise in all areas is not required; however, candidates should demonstrate strong foundational knowledge and a willingness to continuously learn and expand their capabilities.

• Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, or equivalent experience.
• Proven experience leading enterprise-scale ransomware and breach investigations.
• Deep understanding of:
  • Threat actor operations and ransomware tradecraft
  • Identity compromise and domain-level persistence
  • Cloud and hybrid environment incident response
  • Data exfiltration risk assessment and reporting
• Strong hands-on familiarity with EDR platforms, SIEM technologies, and forensic toolsets.
• Demonstrated ability to manage multiple high-pressure engagements simultaneously.
• Experience coordinating with legal counsel, cyber insurance carriers, and executive leadership.
• Strong executive presence and crisis communication ability.
• Experience mentoring and developing DFIR leaders.
• Certifications such as GCFA, GCIH, CISSP, OSCP, or equivalent preferred.
• Willingness to participate in on-call rotation.

At RSM, we offer a competitive benefits and compensation package for all our people. We offer flexibility in your schedule, empowering you to balance life’s demands, while also maintaining your ability to serve clients. Learn more about our total rewards at https://rsmus.com/careers/working-at-rsm/benefits.

All applicants will receive consideration for employment as RSM does not tolerate discrimination and/or harassment based on race; color; creed; sincerely held religious beliefs, practices or observances; sex (including pregnancy or disabilities related to nursing); gender; sexual orientation; HIV Status; national origin; ancestry; familial or marital status; age; physical or mental disability; citizenship; political affiliation; medical condition (including family and medical leave); domestic violence victim status; past, current or prospective service in the US uniformed service; US Military/Veteran status; pre-disposing genetic characteristics or any other characteristic protected under applicable federal, state or local law. 

Accommodation for applicants with disabilities is available upon request in connection with the recruitment process and/or employment/partnership. RSM is committed to providing equal opportunity and reasonable accommodation for people with disabilities. If you require a reasonable accommodation to complete an application, interview, or otherwise participate in the recruiting process, please call us at 800-274-3978 or send us an email at [email protected].

RSM does not intend to hire entry level candidates who will require sponsorship now OR in the future (i.e. F-1 visa holders). If you are a recent U.S. college / university graduate possessing 1-2 years of progressive and relevant work experience in a same or similar role to the one for which you are applying, excluding internships, you may be eligible for hire as an experienced associate.

RSM will consider for employment qualified applicants with arrest or conviction records. For those living in California or applying to a position in California, please click here for additional information.

At RSM, an employee’s pay at any point in their career is intended to reflect their experiences, performance, and skills for their current role. The salary range (or starting rate for interns and associates) for this role represents numerous factors considered in the hiring decisions including, but not limited to, education, skills, work experience, certifications, location, etc. As such, pay for the successful candidate(s) could fall anywhere within the stated range.