Director, Vulnerability Management
Job Summary
Leadership position responsible for spearheading the vision design and implementation of Vulnerability Management (VM) program for CNA. This position leads the VM team develops VM strategies and conducts data security readiness assessments for the selection development and implementation of enterprise data security standards. This position will focus on designing vulnerability risk assessment and remediation program for both infrastructure and WebApp vulnerabilities by updating strategy policies and procedures and maturing vulnerability risk classification process.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Leads the Vulnerability Management program as a vulnerability management SME throughout a global technology organization with various legacy and modern systems within data centers and the cloud.
- Develops enterprise policy and technical standards with specific regard to vulnerability management and secure configuration.
- Holistically owns the entire vulnerability remediation process within CNA which may include vulnerabilities discovered through various channels such as but not limited to vulnerability scans pentesting application scanning responsible vulnerability disclosure program and etc.
- Successfully partners with other Security and IT professionals to assess potential impact from vulnerabilities specific to the environment and recommend mitigating security controls.
- Identifies and recommends appropriate measures to manage and remediate vulnerabilities and reduce potential impacts on information resources to a level acceptable to the senior management of the company.
- Builds strong partnerships with technical teams to promote best practices for managing vulnerabilities in an agile manner and within cloud solutions.
- Fully understands business requirements and work with them to define appropriate solutions for security objectives while meeting the business need.
- Be a champion for vulnerability management and information security including broadening awareness and use of the team's services education of security best practices and integration with other business areas.
- Provides guidance technical expertise and support to team members regarding vulnerability assessment.
- Develops and improves KPIs and metrics for vulnerability management functions.
- Participate and lead new projects as needed.
May perform additional duties as assigned.
Reporting Relationship
Typically AVP or above
Skills Knowledge & Abilities
- Proven track record of leading vulnerability management teams with proven knowledge and competence in security concepts and strategies and the ability to successfully implement them.
- Hands-on experience with vulnerability management tools and strong technical understanding and experience assessing vulnerabilities and identifying weaknesses in multiple operating system platforms database and application servers.
- Strong written and verbal communication skills with the ability to collaborate through all parts of the business.
- High performance skillset which not only understands the threat spaces as it relates to risks but also able to meet the technical challenge of communicating this out to our teams.
- Leadership skills which bring out the best in the team. This includes both direct leadership but also cross-functional capabilities.
- 6+ years in a vulnerability management program. Knowing not only how to assess vulnerabilities but also prioritize and drive remediation activities.
- Excellent communication and interpersonal skills to work effectively with peers IT leadership and subordinates. Must be able to clearly communicate complex technical and business concepts both to business partners team members and IT Management.
- Reporting gaps in a meaningful way that addresses a business risk as well as providing technical solutions to the operations teams in remediation is key.
- Experience in interacting with auditors and regulators.
- Experience in working across public cloud and on-premises hybrid infrastructure.
- Experience in working with vulnerability scanning technologies at scale.
- Self-starter with the ability to make independent decisions and the judgment to know when to seek guidance.
- Fundamental understanding of risk vs severity.
- Comfort in a diverse technology environment spanning multiple operating systems and architectures.
- Ability to foster collaborative open working relationships with technology and other stakeholders.
- Strong understanding of enterprise network system/endpoint and application-level security issues and risks.
Education & Experience
- Bachelor's degree in Computer Science or related discipline or equivalent work experience.
- Typically a minimum of ten years' related work experience in Information Technology
*LI-KC1