Job Description
At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world. The Cyber Threat Intelligence (CTI) Lead Analyst leads one of the eight functional teams within Global Cyber Defense Operations (GCDO). The role directs the strategy, operations, and continued maturation of Lilly's Cyber Threat Intelligence function — covering threat actor tracking and attribution, brand and executive protection, intelligence sharing collaborators, and the integration of intelligence into detection, response, and proactive defense across GCDO. This is a player/coach role. The CTI Lead Analyst is expected to maintain personal technical depth in threat analysis and set the example of the standard on the hardest analytical work, while simultaneously shaping the strategy of the function, developing the analyst team, and representing GCDO across multi-functional and external forums. Candidates should expect to spend their time across both the technical and strategic dimensions of the role rather than choosing one. What You Will Do: Function Strategy and Maturation: Lead the continued development and maturation of the Cyber Threat Intelligence function, advancing it from intelligence consumer to intelligence producer and contributor across the pharmaceutical industry and the broader cyber community. Hands-on Technical Leadership (Player/Coach): Maintain personal technical proficiency in threat analysis, attribution, and intelligence tradecraft. Be the example on complex analytical work, set the technical bar for the team, and remain credible at the keyboard while developing analyst capability. Threat Actor Tracking and Attribution: Direct the threat actor tracking and attribution program as a multi-functional Cybersecurity capability — championing adoption across response, detection, architecture, platforms, threat mitigation, identity, and other defensive functions, while remaining accountable for the program's outputs, methodology, and long-term maturation. Maintain alignment between internally tracked activity clusters and industry-recognized threat actor designations to support shared understanding across the security community. Ensure the program produces actionable intelligence that informs detection, response, and strategic decisions across the enterprise. Brand and Executive Protection: Lead the cyber threat intelligence components of brand and executive protection, in close coordination with Corporate Security, Legal, the Brand Office, and other partners. Drive multi-functional governance to reduce duplication and improve coverage across protective monitoring services. Partner Collaboration: Develop and maintain strong working relationships with key partners across Cybersecurity, Corporate Security, HR, Legal, the Brand Office, Ethics & Compliance, and Tech@Lilly. Represent GCDO and the CTI function in multi-functional forums where intelligence drives prioritization. Intelligence Sharing and Industry Engagement: Strengthen Lilly's role as an active contributor in pharmaceutical-sector and cross-industry intelligence sharing communities. Direct analyst engagement in intelligence sharing collaborators and ensure Lilly contributes high-value research at a cadence consistent with peer organizations. Team Leadership and Development: Lead a team of cyber threat intelligence analysts. Provide direction, mentorship, and structured development. Build a high-performing team with clear succession depth across analyst tradecraft, brand protection, and strategic intelligence. Tooling and Capability Enhancement: Direct the evaluation, introduction, and integration of capabilities supporting the CTI mission. Ensure intelligence is operationalized into automated enrichment, detection, and response workflows across the GCDO toolchain. Incident Response Support: Provide intelligence-driven support to incident response investigations, particularly for sophisticated and targeted activity. Ensure CTI insights inform the full response lifecycle from triage through after-action review. Training, Awareness, and Communication: Develop and deliver training and awareness programs that improve the organization's understanding of the external threat landscape. Comm