Manager Vulnerability and Attack Surface Management

Overview:

Position: Manager Vulnerability and Attack Surface Management

Pay: $133,000 to $200,000 annually

Location:  Remote

Position Summary:

This position leads the Vulnerability and Attack Surface Management initiatives and program that is responsible for detection, assessment, and remediation to lower risk to the organization.  This position partners with stakeholders and cross functional teams where technical concepts, risks and deadlines must be clearly conveyed while achieving actionability through influencing.  Particular focus is enhancement of the application security program to eliminate risks early in the development lifecycle.  Strong leadership skills enable you to mentor and grow your team to keep pace with the growing threat landscape.  Collaboration with vendors is essential to ensure velocity of innovation as well as establishing metrics to measure accountability.

Responsibilities:

• Lead a vulnerability management program that ensures vulnerabilities are detected, assessed for severity, and remediated in accordance with company policies.
• Lead efforts to ensure application security is effectively incorporated into the SDLC. Drive efforts to incorporate threat intelligence into all information security processes, with a bias towards actionable intelligence.
• Drive actionable metrics which help ensure the team reduce the time and resources needed to detect, investigate, analyze and remediate vulnerabilities.
• Provide Subject Matter Expert support and guidance to system owners as needed through the risk management process and secure configuration baseline management, including regulatory and remediation compliance monitoring.
• Partner with engineering teams to ensure that secure coding practices are implemented in accordance with application security standards. Conduct regular security assessments of applications to identify vulnerabilities and work with development teams to address findings.
• Manage engagements with third-party penetration testing vendors to assess the security posture of New American Funding infrastructure and applications. Collaborate with security architects to ensure New American Funding systems align with company information security policies and standards.
• Keep abreast of new and evolving security threats to ensure the Company remains adequately protected.
• Consults with business partners on security matters to ensure security efforts are aligned across the enterprise.
• Accompany the business and engineering in reviewing Standard Operating Procedures (SOP) for security and compliance initiatives.  
• Responds to regulatory and audit requests to support compliance initiatives.
• Performs other duties as assigned.

Desired Competencies:

• 8+ years of experience in managing security risk and driving mitigation activities
• 2+ years' experience managing direct reports; includes employee selection, motivation, coaching, and providing timely defensible constructive feedback.
• Proven experience in information security domains of vulnerability management and application security.
• Track record of leading enterprise-level vulnerability management teams with a history of increasing responsibility
• Knowledge of common security frameworks (NIST CSF, ISO) and regulatory requirements (NYDFS, CCPA, GLBA)
• Technical expertise in application security tools and functions, including dynamic application security testing (DAST) and static application security testing (SAST)
• Hands-on experience with industry-leading vulnerability management tools such as Tanium, Nessus, or Rapid7, including configuration, tuning, and reporting.
• Deep understanding of common web application vulnerabilities (e.g., OWASP Top 10) and techniques for mitigating them.
• Familiarity with cloud security principles and best practices, particularly in assessing and securing cloud-based applications and infrastructure (e.g., AWS, Azure, GCP).
• Oversee manual and automated security assessments of web, mobile, and cloud-based applications.
• Implement and maintain application security testing tools (SAST, DAST, and IAST) and coordinate related vulnerability remediation activities.
• Conduct & coordinate both internal and 3rd party penetration testing engagements.
• Collaborate with development, DevOps, and infrastructure teams to integrate security practices into the Software Development Lifecycle (SDLC).
• Prepare and present security reports to management, highlighting key metrics, risks, and mitigation strategies.
• Ensure past due vulnerabilities are escalated to leadership and exception processes are executed in alignment with risk acceptance frameworks and policies
• Identify and prioritize potential application security threats through the use of modeling and risk assessments.
• Assist with the detection, triage, and response to security incidents, while conducting root cause analysis and post-incident reviews to improve security posture.
• Develop and deliver security training and awareness programs for developers, QA, and other relevant teams.
• Design, deploy, and maintain security solutions such as Endpoint Detection and Response (EDR), data-loss prevention (DLP), web application firewalls (WAF), zero-trust, and other security detection/prevention technologies.
• Stay updated with the latest security trends, threats, and technology developments.
• Evaluate new security tools and technologies to enhance the security posture of our applications.

Work Authorization: Must be able to verify identity and employment eligibility to work in the U.S.

Other Duties: This job profile is not intended to be an all-inclusive list of job duties and responsibilities, as one may perform additional related duties as assigned in order to meet the needs of the organization.

Physical Demands: The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. Must be able to lift up to ten pounds. Primary functions require sufficient physical ability and mobility to work in an office setting; to stand or sit for prolonged periods of time; to occasionally stoop, bend, kneel, crouch, reach, and twist; to lift, carry, push, and/or pull light to moderate amounts of weight; to operate office equipment requiring repetitive hand movement and fine coordination including use of a keyboard; and to verbally communicate to exchange information. VISION: See in the normal visual range with or without correction. HEARING: Hear in the normal audio range with or without correction.

[EOE/M/F/D/V. Drug-free workplace.]

#LI-KH1

#LI-REMOTE