Director, Cyber Threat Intelligence (CTI) Role summary
The Director, Cyber Threat Intelligence (CTI) leads an adversary-focused intelligence capability that enables proactive defense of BNY's global platforms, clients, and critical financial operations. This leader builds an all-source intelligence program that produces timely, decision-grade assessments; sets and manages intelligence requirements; and integrates CTI into detection engineering, incident response, vulnerability management, fraud, and executive risk decisions. The role operates with a high degree of discretion, rigor, and ethical judgment, and partners across internal teams and external intelligence communities.
Mission & outcomes
- Shift security from reactive to anticipatory defense by maintaining an accurate, current picture of the actors targeting BNY, their intent, capabilities, and evolving tactics.
- Improve resilience and risk prioritization by translating technical intelligence into business-relevant insights that influence controls, investment decisions, and operational readiness.
- Integrate intelligence into operational workflows so CTI measurably improves detection coverage, incident outcomes, patch/vulnerability prioritization, and fraud/abuse disruption.
- Provide credible executive and regulatory engagement through clear, defensible assessments and briefings aligned to enterprise risk appetite.
Key responsibilities
- Build and lead the CTI program: define the operating model (strategic, operational, tactical intelligence), establish analytic standards and tradecraft, and develop a high-performing team.
- Intelligence requirements & collection management: set Priority Intelligence Requirements (PIRs) aligned to BNY's highest-risk assets and business services; manage collection plans across internal telemetry and trusted external sources; ensure legal/ethical sourcing and handling.
- All-source analysis and production: produce actor profiles, campaign assessments, early-warning reporting, estimative intelligence, and post-incident intelligence that informs prevention and recovery.
- Operational integration: embed CTI into the SOC, detection engineering, threat hunting, incident response, vulnerability management, identity/access, and fraud teams; drive clear handoffs from intelligence to action.
- Executive communications: brief senior leaders with concise, decision-grade intelligence; communicate uncertainty, confidence levels, and recommended actions; maintain a clear linkage to business impact and operational risk.
- Cross-functional and global coordination: operate effectively across regions, time zones, and lines of business; coordinate in joint, interagency, and multinational-style environments with appropriate discretion.
- External intelligence partnerships: build and maintain trusted relationships with peer institutions, government and law-enforcement partners, and intelligence-sharing communities; represent BNY professionally and responsibly.
- Governance, metrics, and continuous improvement: establish KPIs that demonstrate CTI impact (detection improvements, time-to-triage, disruption outcomes, prioritization effectiveness); run after-action reviews and update requirements based on changing threats.
- Talent development: mentor analysts and leaders; build training paths, rotations, and tradecraft review; foster a culture of integrity, curiosity, and mission focus.
Operating model & key interfaces
This role partners closely with the CISO organization, SOC/IR leadership, detection engineering, vulnerability management, fraud/financial crime, technology risk, and business continuity teams. Outputs are designed to be actionable: mapped to controls, detections, mitigations, and executive decisions. The leader is expected to operate with high discretion and strong information-handling discipline.
Qualifications (required)
- 12+ years of progressive experience in cyber threat intelligence, all-source intelligence, counterintelligence, national security, or closely related threat analysis roles, including leadership of analysts and/or intelligence programs.
- Demonstrated ability to define intelligence requirements, manage collection, and produce high-quality assessments that drive operational action (not just reporting).
- Strong analytic tradecraft: structured thinking, bias awareness, evidentiary rigor, and clear communication of confidence/uncertainty.
- Proven track record integrating CTI with security operations (SOC, threat hunting, incident response), detection engineering, and vulnerability management.
- Experience briefing senior executives and influencing risk decisions with concise, business-relevant intelligence.
- High integrity, sound judgment, and consistent discretion in handling sensitive information.
Qualifications (preferred)
- Experience in financial services, critical infrastructure, or other highly regulated environments with high availability and systemic risk considerations.
- Prior work in joint/interagency settings or with intelligence-sharing communities; experience building trusted external partnerships.
- Background spanning cyber and traditional intelligence disciplines (e.g., CI, SIGINT/HUMINT-driven analysis, strategic warning, collection management).
- Familiarity with common CTI frameworks and operationalization practices (e.g., ATT&CK mapping, intelligence requirements/PIRs, estimative language, analytic standards).
- Relevant certifications (examples): GIAC (GCTI, GCIA), CISSP, or equivalent; advanced degree in intelligence studies, cybersecurity, international relations, or related field.
- Ability to obtain and maintain a security clearance, if required for external partnership engagements.
Success profile
- Adversary-centric: thinks in terms of actors, intent, capability, access, and pathways to business impact.
- Action-oriented: turns intelligence into prioritized decisions, measurable control improvements, and operational outcomes.
- Calm under pressure: leads through incidents and ambiguous, fast-moving situations with disciplined judgment.
- Enterprise connector: builds alignment across security, technology, fraud/financial crime, and business stakeholders globally.
- Ethical and trusted: models discretion, integrity, and responsible intelligence handling in every interaction.