CNA Insurance

Director of Vulnerability Management

full-time

Origin: 🇺🇸 United States

Salary

💰 $97,000 - $189,000 per year

Job Level

Lead

Tech Stack

AWS, Azure, Cloud, Google Cloud Platform, Linux, PMP, Unix

About the role

  • Lead and execute a comprehensive Vulnerability Management program throughout a global technology organization, on-premises and in the cloud.
  • Own and operate the enterprise vulnerability management program, including vulnerability scanning, reporting, and remediation tracking.
  • Build partnerships with asset owners and managed service providers to drive vulnerability remediation and mitigation, reduce exposure and potential business impact, and ensure secure asset configuration.
  • Oversee and technically validate the MSP’s delivery of vulnerability scanning and assessments using Tenable tools.
  • Accountable for the vulnerability remediation process within CNA, including vulnerabilities discovered through scanning, ethical hacking, threat intelligence, application security, responsible disclosure, etc.
  • Holistically own the secure configuration management process within CNA, developing secure technical specifications for technologies, assessing the environment against those specifications, and continuously improving the posture through governance and technical leadership.
  • Develop enterprise policy, standards, plans, strategy, and procedures for vulnerability management and secure configuration, aligned with business, industry, and regulatory requirements, and ensure adherence across the enterprise to avoid audit findings and compliance gaps.
  • Develop VM program metrics, KPIs, KRIs, and other applicable performance reporting measures to communicate risk and program effectiveness to governance and leadership.
  • Perform detailed analysis of vulnerability data to identify trends, recurring issues, and systemic weaknesses, and use this analysis to prioritize remediation efforts based on risk and business impact.
  • Identify, recommend, and prioritize appropriate measures to manage and remediate vulnerabilities and reduce potential impacts on information resources to acceptable risk tolerances.
  • Partner with other teams to assess the potential impact of vulnerabilities and recommend appropriate compensating security controls.
  • Mentor and develop a team of vulnerability management professionals, fostering a culture of continuous learning and operational excellence.
  • Be a champion for vulnerability management and information security, including broadening awareness and use of the team's services, educating on security best practices, and integrating with other business areas.
  • Lead, mentor, and develop an internal vulnerability management team (FTEs and contractors).
  • Serve as the primary point of contact and escalation for the MSP, holding them accountable to SLAs, quality standards, and performance metrics.
  • Communicate vulnerability risks, trends, and remediation progress to senior leadership, including executives and the Board, in clear business terms.

Requirements

  • 6+ years in a vulnerability management program.
  • Expert-level understanding of vulnerability management and information security concepts, such as risk, severity, exploitability, CVE, CVSS, asset management, secure configuration management, etc.
  • Hands-on expertise with Tenable.sc, Tenable.io, or equivalent enterprise vulnerability scanning tools.
  • Experience managing MSP relationships, including SLA enforcement and technical oversight.
  • Experience interacting with auditors and regulators.
  • Strong written and verbal communication, interpersonal, analytical, and project management skills.
  • Bachelor's degree in Computer Science or related discipline, or equivalent work experience.
  • CISSP, CISM, PMP, Tenable or equivalent certifications preferred.