Job Description:
Description of Work:

Support the development and advancement of the Vulnerability Management Improvement project, primarily this will involve assessing the Vulnerability Management practice end-2-end, developing a gap/duplication of the process in-use today and working with leadership to develop a future practice and path to realizing that end state.

Requirements
Required skills & experience:

• Experience with building out vulnerability management programs and if possible with exposure management capabilities.
• Experience in the identification, assessment, and mitigation of vulnerabilities in various systems, networks, and applications. Responsibilities include developing recommendations, presenting to leaders and implementing effective vulnerability management strategies to ensure the infrastructure remains secure against current and emerging threats.
• Deep experience in tuning vulnerability scan policies across multiple tools (see types below).
• Experience developing a consolidated vulnerability ranking and prioritization methodology across multiple tools (see list below) that includes the following contextual data: threat intelligence (internal/external), network/attack path, data/asset sensitivity, exploitability, and patch availability.
• Experience building a security configuration management capability to support the discovery, assessment, instrumentation and updates of security configuration for various configuration item types (workstations, service, devices, appliances, and cloud) using known industry standards (CIS Benchmarks or DISA STIGs).
• Experience creating a Risk based Vulnerability management program with appropriate guidance & process for supporting teams.

Additional "nice to have" skills:

General Skills/ Knowledge
 

• Analytical thinking
• Strong communicator, interviewer and elicitation of “as-is” practices and future requirements
• Capability approach to design (tools, process, people)
• Requirements synthesis (functional and non-functional)
• Capability test planning and reporting

Supporting Skills

• Asset Management system and methodology experience with asset discovery and audit, CMDB, SBOM, and service mapping
• Broad knowledge of aligning organization’s practice to align with frameworks such as NIST’s Cybersecurity Framework (CSF), MITRE ATT&CK and ISO 27001.
• Analysis and modeling involving examination, analysis, documentation, and assessment of internal and external threats, electronic crime activity and information security risks to systems.

If possible the candidate should have experience with the tools below. Experience with similar types of capabilities

• Qualys - enhancements to configurations and technical elements including; vulnerability scanning, security configuration management
• GITLAB - SAST, DAST, Container Scanning, IaC and Software Composition Analysis
• Onapsis - SAP infrastructure and code scanning
• GCP SCC - multi-cloud vulnerability and security configuration scanners (CSPM)
• Attack Surface Management tools
• Reporting tools
• CMDB (ServiceNow)