Senior Director, Cyber Security
- 202601909
- Raleigh, North Carolina, United States
Description
The Role
This role owns the strategy and execution of a modern, contextual vulnerability management program that moves beyond “scan-and-patch” to a risk-based, decision-grade model. You will build an operating model that continuously identifies, prioritizes, and drives remediation of exposures based on business criticality, exploitability, threat intelligence, control effectiveness, and real-world attack paths, across a large, complex, and fragmented enterprise environment. You will partner deeply with infrastructure, cloud, application engineering, IAM, SOC, GRC, third-party risk, and business leaders to measurably reduce enterprise risk while maintaining pace with delivery.
What success looks like
- A vulnerability management program that produces actionable priorities (not noise), aligned to business risk and threat reality.
- Clear governance, accountability, and service-level outcomes that scale across distributed teams and varied technology stacks.
- Measurable risk reduction (attack-path closure, critical exposure burn-down, reduced time-to-fix where it matters most), not just compliance metrics.
- A sustainable model: automation-first, integrated into engineering workflows, and resilient to tooling changes, reorganizations, and growth.
- Board-level metrics and trend reporting that demonstrate program maturity and enterprise risk reduction over time.
The Responsibilities
1) Build the future-state vulnerability management operating model
- Define the enterprise vulnerability management strategy, vision, and roadmap, centered on contextual prioritization and continuous exposure management.
- Establish a risk-scoring/prioritization approach that combines: asset criticality, internet exposure, identity privilege, exploitability/KEV, compensating controls, lateral movement potential, and business process impact.
- Evolve from point-in-time reporting to continuous, near-real-time visibility and prioritization.

2) Drive outcomes across a complex, federated environment
- Lead cross-functional execution across infrastructure, endpoints, cloud platforms, and application teams.
- Build a scalable “hub-and-spoke” model: central standards, analytics, governance, and reporting; distributed remediation ownership and execution.
- Establish clear RACI, operational rhythms (triage, remediation planning, exception handling), and escalation paths tied to business risk.

3) Modernize tooling, data quality, and automation
- Optimize and integrate vulnerability and exposure tooling, including (examples): Tenable, Wiz, third-party risk/external posture sources such as Black Kite and SecurityScorecard, plus CMDB/asset inventories, SIEM/SOAR, ticketing (e.g., ServiceNow/Jira), and CI/CD security signals.
- Create a unified vulnerability/exposure “source of truth” that normalizes data, reduces duplicates, and improves attribution to true owners.
- Automate workflows: enrichment, deduplication, prioritization, ticket creation, exception approvals, and verification of remediation.

4) Deliver executive-ready reporting and measurable risk reduction
- Produce board- and executive-level reporting that explains risk in business terms: top exposure themes, critical attack paths, remediation progress, and residual risk.
- Build forward-looking metrics and dashboards that reflect reality in a large enterprise: coverage, confidence/accuracy, time-to-remediate by risk tier, exception trends, and risk acceptance discipline.
- Create an evidence-based narrative demonstrating how vulnerability decisions reduce the likelihood and impact of material incidents.

5) Embed vulnerability management into engineering and cloud delivery
- Shift left: partner with engineering leadership to integrate vulnerability findings into developer workflows and release gates where appropriate.
- Establish practical standards for vulnerability remediation in cloud and applications (e.g., images, containers, IaC, SaaS configs), balancing security with delivery velocity.
- Enable teams with playbooks, patterns, and self-service dashboards to improve fix rates without constant central chasing.

6) Govern exceptions and ensure realism at enterprise scale
- Design an exception process that is disciplined, time-bound, transparent, and tied to compensating controls and risk acceptance.
- Differentiate “must-fix” from “monitor/mitigate,” ensuring the program remains credible and relevant rather than flooding teams with unprioritized queues.
Qualifications
The Qualifications
- 10+ years in cybersecurity, with deep experience leading vulnerability management or exposure/risk reduction programs in large, complex organizations.
- Demonstrated success transforming programs from traditional CVSS-driven patching to contextual, threat-informed prioritization.
- Strong stakeholder leadership across engineering, infrastructure, cloud, product/application teams, and governance groups.
- Experience driving operational change at scale: governance, process design, automation, and measurable outcomes.
- Comfort with ambiguity, fragmented data, and complex ownership models; able to create clarity and momentum.
Technical requirements
- Vulnerability management domains: infrastructure, endpoints, cloud, applications, identity exposures, and third-party/external attack surface.
- Familiarity with tools such as Tenable (or equivalents), Wiz (or cloud CNAPP/CSPM equivalents), external posture/third-party sources like Black Kite and SecurityScorecard, and integrating signals into ticketing and reporting systems.
- Understanding of exploitability signals (e.g., KEV, in-the-wild exploitation), attack path concepts, and control validation/compensating controls.
Preferred qualifications
- Experience building a unified exposure model (asset + identity + vulnerability + misconfiguration + external posture).
- Experience with security data engineering/analytics approaches (normalization, scoring, BI dashboards, automation).
- Familiarity with regulated environments and audit-ready evidence (SOX, HIPAA, etc., as applicable).
Leadership competencies
- Outcome orientation: prioritizes real risk reduction over activity metrics.
- Influence at scale: builds coalitions and drives execution without relying on direct authority.
- Pragmatism: designs a program that remains achievable and relevant in a large enterprise with competing priorities.
- Communication: converts complex technical risk into simple, credible narratives for executives and boards.
Note: Employment-based non-immigrant visa sponsorship and/or assistance is not offered for this specific job opportunity.
This position will remain posted for a minimum of three business days from the date posted or until a sufficient/appropriate candidate slate has been identified.
Company Benefits (US locations)
WTW provides a competitive benefit package which includes the following (eligibility requirements apply):
- Health and Welfare Benefits: Medical (including prescription coverage), Dental, Vision, Health Savings Account, Commuter Account, Health Care and Dependent Care Flexible Spending Accounts, Group Accident, Group Critical Illness, Life Insurance, AD&D, Group Legal, Identity Theft Protection, Wellbeing Program and Work/Life Resources (including Employee Assistance Program)
- Leave Benefits: Paid Holidays, Annual Paid Time Off (includes paid state/local leave where required), Short-Term Disability, Long-Term Disability, Other Leaves (e.g., Bereavement, FMLA, ADA, Jury Duty, Military Leave, and Parental and Adoption Leave), Paid Time Off (Washington State only)
- Retirement Benefits: Contributory Pension Plan and Savings Plan (401k).
We understand flexibility is key to supporting an inclusive and diverse workforce and so we encourage requests for all types of flexible working as well as location-based arrangements. Please speak to your recruiter to discuss more.
Pursuant to the San Francisco Fair Chance Ordinance and Los Angeles County Fair Chance Ordinance for Employers, we will consider for employment qualified applicants with arrest and conviction records.
EOE, including disability/vets
Unsolicited contacts
All unsolicited candidate CVs/profiles submitted through our website or to the personal e-mail accounts of Willis Towers Watson employees are considered the property of Willis Towers Watson and are not subject to the payment of agency fees. To act as an authorized recruiting agency/firm on behalf of Willis Towers Watson, such an agency must have a formal written contract in force, signed by an authorized Willis Towers Watson recruiter, and maintain an active working relationship with the company. CVs must be submitted in accordance with our application submission process, which includes active participation in the search in question. Likewise, for our authorized recruiting agencies/firms, if the application submission process is not followed, Willis Towers Watson will not pay an agency fee. Willis Towers Watson is an equal opportunity employer. If you would like us to keep your contact details for future use, please send an e-mail to Agency.inquiries@willistowerswatson.com.
Our offices
Our people serve the needs of clients in more than 140 countries and markets around the world. This gives a global dimension to everything we do and offers you many exciting opportunities for collaboration and professional development. Explore the map below to discover where your career could take you.