Director of Vulnerability Management

You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential.
Leadership position responsible for transforming and accelerating Vulnerability Management (VM) into a core information security strength. This position plays a pivotal role in safeguarding CNA's assets by leading an enterprise-wide VM program and team, developing strategy, driving priorities and initiatives with partners, and managing vulnerabilities per organizational risk tolerance across on-premises and cloud environments. This role blends deep technical expertise (70%) with strategic leadership (30%), ensuring vulnerabilities across our environment are identified, prioritized, and remediated in a timely manner. This role demands a strategic mindset, robust technical aptitude, and the ability to communicate risk and remediation status effectively throughout the business. The ideal candidate will thrive in a fast-paced environment, demonstrate exceptional technical depth, and possess strong leadership skills to influence across technical and business teams.
JOB DESCRIPTION:
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
Technical (70%)

• Leads and executes a comprehensive Vulnerability Management program throughout a global technology organization leveraging legacy and modern assets and applications located on-premise s and in the cloud .

• Own and operate the enterprise vulnerability management program, including vulnerability scanning, reporting, and remediation tracking.

• Builds and nurtures strong partnerships with asset owners and managed service providers to drive vulnerability remediation, mitigation, reduce exposure and potential business impact, and ensure secure asset configuration s .

• Oversee and technically validate the MSP's delivery of vulnerability scanning and assessments using Tenable tools.

• Accountable for the vulnerability remediation process within CNA, which may include vulnerabilities discovered through, but not limited to, vulnerability scan ning , ethical hacking , threat intelligence, application security , responsible disclosure, e tc.

• Holistically owns the secure configuration management process within CNA, which may include working with various team s in developing secure technical specifications for technologies, assessing the environment against those specifications, and continuously improving the posture through governance and technical leadership.

• Develops enterprise policy, standards, plans, strategy, and procedures with specific regard to vulnerability management and secure configuration in alignment with business, industry, and regulatory requirements ensuring adherence across the enterprise to avoid audit findings and compliance gaps .

• Develops and presents VM program metrics, KPIs, KRIs , and other applicable performance reporting measures to communicate risk and program effectiveness to governance and leadership.

• Perform detailed analysis of vulnerability data to identify trends, recurring issues, and systemic weaknesses, and use this analysis to prioritize remediation efforts based on risk and business impact.

• Identifies , recommends, and prioritizes appropriate measures to manage and remediate vulnerabilities and reduce potential impacts on information resources to acceptable risk tolerances.

• Successfully partners with other teams to risk assess potential impact from vulnerabilities and recommend s appropriate compensating security controls.

• Mentor and develop a team of vulnerability management professionals, fostering a culture of continuous learning and operational excellence.

• Be a champion for vulnerability management and information security including broadening awareness and use of the team's services, education of security best practices and integration with other business areas.

Leadership (30%)

• Lead, mentor, and develop an internal vulnerability management team (FTEs and contractors).

• Serve as primary point of contact and escalation for the MSP, holding them accountable to SLAs, quality standards, and performance metrics.

• Communicate vulnerability risks, trends, and remediation progress to senior leadership, including executives and the Board, in clear business terms.

• Partner with application and infrastructure owners to ensure remediation activities are prioritized and executed effectively.

May perform additional duties as assigned.
Reporting Relationship
Typically AVP or above
Skills, Knowledge & Abilities

• Strong hands-on expertise withTenable.sc, Tenable.io, or equivalent enterprise vulnerability scanning tools.

• Proven track record of leading vulnerability management programs and teams with expert-level knowledge and competence in security concepts and strategies and the ability to successfully implement them.

• Hands-on experience with leading vulnerability management tools at enterprise scale and strong technical understanding and experience assessing vulnerabilities and identifying weaknesses in legacy and modern assets and applications located on-premises and in the cloud.

• Expertise in identifying , evaluating, and prioritizing vulnerabilities with in CNA's environment, pair e d with the capability to design and implement holistic remediation strategies that effectively address both immediate and long-term risks across CNA.

• Excellent written and verbal communication s and interpersonal skills to work effectively with peers, leadership, and subordinates. Must be able to clearly communicate complex technical and business concepts both to business partners, internal and external teams, and leadership.

• Strong analytical and project management skills.

• Proven ability to effectively lead, manage, coach, and develop a team. This includes both direct leadership but also cross-functional capabilities.

• Proven experience managing MSP relationships, including SLA enforcement and technical oversight.

• 6+ years in a vulnerability management program. Knowing not only how to assess vulnerabilities but also prioritize and drive remediation activities.

• Experience interacting with auditors and regulators.

• Experience and comfort working across evolving cloud and on-premises hybrid environments and technologies.

• Self-starter with the ability to make independent data-driven decisions and the judgment to know when to seek guidance.

• Expert-level understanding of key vulnerability management and information security concepts, such as: risk , severity , exploitability, CVE, CVSS, asset management, secure configuration management, etc .

• Ability to foster collaborative, open, working relationships with stakeholders.

• Strong understanding of enterprise, network, endpoint, and application-level security issues and risks.

• Solid understanding of operating systems (Windows, Linux, Unix), networking, cloud platforms ( GCP, AWS, Azure), and common enterprise application stacks.

Education & Experience

• Bachelor's degree in Computer Science , or related discipline, or equivalent work experience.

• Typically, a minimum of ten years' related work experience in Information Technolog y.

• CISSP, CISM, PMP, Tenable or equivalent certifications preferred.

#LI-ED1
#LI-REMOTE
I n certain jurisdictions, CNA is legally required to include a reasonable estimate of the compensation for this role. In District of Columbia , California, Colorado, Connecticut, Illinois , Maryland , Massachusetts , New York and Washington, the national base pay range for this job level is $97,000 to $189,000 annually.Salary determinations are based on various factors, including but not limited to, relevant work experience, skills, certifications and location. CNA offers a comprehensive and competitive benefits package to help our employees - and their family members - achieve their physical, financial, emotional and social wellbeing goals. For a detailed look at CNA's benefits, please visit cnabenefits.com .
CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact [email protected] .