Director, Ethical Hacking (Red Team/Mitre Attack)

CNA · Remote

Company: CNA

Location: Remote

Type: Full Time

Job Description

You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential.
CNA seeks to offer a comprehensive and competitive benefits package to our employees that helps them - and their family members - achieve their physical, financial, emotional and social wellbeing goals.
For a detailed look at CNA's benefits, check out our Candidate Guide.
Leadership position responsible for advising security and technology leadership on ways to reduce CNA's threat landscape. This position develops strategy for the following areas: Ethical Hacking, Red Team and Purple Team, cyber threat assessments, and social engineering campaigns. This function oversees all penetration testing related operations work. This position also serves as the subject matter expert for leveraging various TTPs utilized by various threat actors to help CNA understand whether an actual threat actor using similar techniques would be able to accomplish specific objective(s).
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:

  • Accelerate maturation of Ethical Hacking program services and capabilities in alignment with industry trends and organizational priorities.
  • Develop and deliver Ethical Hacking strategy, initiatives, roadmaps, automation, and continuous improvements.
  • Lead and manage the performance and development of the Ethical Hacking team.
  • Collaborate with stakeholders to define security assessments by analyzing information requirements, determining system architecture components and technologies, studying business capabilities, developing points of view on emerging technologies, and evaluating their applicability to business goals and operational requirements.
  • Collaborate with stakeholders to aid defensive prevention, detection, and response capability improvements and attack surface management activities.
  • Provide coaching, guidance, and direction on Ethical Hacking activities ensuring overall fit within Global Enterprise Security and the organization.
  • Participate in technical testing of assets, resources, and services from operational planning initiation through reporting and risk management activities.
  • Communicate findings, attack paths, and risk recommendations to technical and non-technical stakeholders and senior leadership through written reports and verbal presentations.
  • Oversee the development of tooling, techniques, methodologies, and processes to improve team capabilities to deliver high-quality assessments.
  • Responsible for continued contributions to the Ethical Hacking team knowledge base.
  • Demonstrate expert understanding of penetration testing and red teaming tooling, techniques, and methodologies.
  • Develop and customize payloads specific to the environment to circumvent defensive prevention, detection, and response capabilities.
  • Establish performance and program metrics and KPIs to leverage in reporting and driving continuous control, process, team, and program improvements.
  • Other duties as assigned.


Reporting Relationship
Typically AVP or Above
Skills, Knowledge & Abilities

  • Senior-level knowledge of tools associated with penetration testing and red teaming (Cobalt Strike, Burp Suite, etc.).
  • Ability to effectively code in one or more programming languages (Python, Go, Rust, etc.).
  • Expert level knowledge of Ethical Hacking, red team, purple team, penetration testing, and social engineering security concepts.
  • Proven ability to effectively lead, manage, coach, and develop a team.
  • Senior-level knowledge of security technical solutions (to properly assess compensating controls and their effect).
  • Senior-level knowledge of modern security architectures (e.g., zero trust).
  • Demonstrated success in establishing strategic objectives and driving tactical execution of initiatives aligned with company goals and objectives.
  • Subject matter expertise across all facets of Ethical Hacking.


Education & Experience

  • Bachelor's degree in Computer Science, or related discipline, or equivalent work experience.
  • Typically a minimum of ten years in Information Technology, preferably with penetration testing and red team experience.
  • Applicable certifications preferred (e.g., CRTO, CRTL, OSCP, OSEP, GPEN, PMP, CISSP).


CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact [email protected].

Date Posted

11/19/2024
