Director Vulnerability Management

The Director Vulnerability Management (VM) owns the enterprise VM program across endpoints, servers, network devices, cloud platforms, containers, and applications. This role sets strategy and governance; drives risk-based prioritization; enforces remediation SLAs and exception handling; leads tool adoption and integration; and produces executive-ready metrics for internal governance and external obligations. Success requires deep collaboration with Infrastructure, End-User Computing, Network, Cloud/SRE, Application Engineering, Security Operations, and GRC, as well as selected service providers. The program operates under the Company’s Patch & Vulnerability Management Standard and supports regulatory, audit, and customer requirements.

Duties and Responsibilities

• Program Strategy & Governance
• Define and continuously mature a risk-driven VM strategy, roadmap, and RACI.
• Establish policy-aligned remediation SLAs, exception criteria, escalation paths, and evidence requirements.
• Ensure customer/contract obligations related to scanning cadence and patch timelines are operationalized where applicable.
  • Operations, Coverage & Tooling
• Lead enterprise scanning and assessment coverage across on-prem, cloud, containers, and applications using core platforms (e.g., Qualys VMDR/TotalAppSec, Veracode, Microsoft Defender for Endpoint).
• Expand and maintain authenticated/agent-based coverage; manage discovery for shadow/EOL assets.
• Oversee web app/API scanning in partnership with AppSec; ensure rescans validate remediation.
• Lead enterprise hardening efforts across systems, software, networks, cloud applications, and cloud environments.
  • Integration & Automation
• Drive CMDB and ITSM integrations to automate ownership mapping, ticket creation, routing, and SLA tracking.
• Improve data quality (asset/owner criticality) to enable risk-based prioritization and reporting.
  • Remediation Enablement & Outcomes
• Partner with Infra, Desktop, Cloud, and App Owners to remove blockers (e.g., maintenance windows, change control constraints, EOL/EOS platforms).
• Track and resolve exceptions with compensating controls; publish actionable playbooks/runbooks.
  • Zero-Day / Major Event Response
• Orchestrate assessment, prioritization, patch/mitigation guidance, rescans, stakeholder communications, and executive updates for critical vulnerabilities.
  • Metrics, Reporting & Audit Readiness
• Produce executive-ready dashboards (coverage, SLA attainment, risk burn-down, exception inventory, business impact).
• Maintain audit artifacts and evidence for internal/external assessments; support GLBA and customer reviews.
  • Performs related duties as assigned by management.

Qualifications and Education Requirements

• Bachelor’s degree in Information Security, Information Systems, Computer Science, or equivalent experience.
• 10+ years in Information Security with 5+ years leading Vulnerability Management for a multi-platform enterprise (hybrid cloud). Demonstrated results improving enterprise VM metrics and SLA performance.
• Technical: Depth with Qualys (VMDR, WAS/TotalAppSec), Veracode, Microsoft Defender for Endpoint; familiarity with network device scanning, container registries, and cloud workload coverage.
• Frameworks/Regulatory: Working knowledge of NIST CSF/ISO 27001; audit evidence management (e.g., GLBA); experience satisfying customer security requirements.
• Preferred Certifications: CISSP, CISM, CCSP, or comparable.

Skills, Abilities, and Knowledge

• Leadership & Influence: Leads cross-functional remediation at enterprise scale; strong executive presence and communication.
• Risk-Based Decisioning: Translates technical findings to business risk; prioritizes by asset criticality and exposure.
• Tooling Expertise: Hands-on with Qualys (VMDR and WAS/TotalAppSec), Veracode, Microsoft Defender for Endpoint; data/automation integrations with CMDB/ITSM.
• Process Design: Scalable workflows, exception governance, and evidence management aligned to standards and audits.
• Partnering & Change Management: Drives outcomes with Infra/App/Cloud teams and third parties; removes operational friction.
• Communication: Converts complex risk and technical data into concise, outcome-oriented narratives for executives and non-security stakeholders.

Additional Information:

While this description is intended to be an accurate reflection of the position’s requirements, it in no way implies/states that these are the only job responsibilities. Management reserves the right to modify, add or remove duties and request other duties, as necessary.

All employees are required to have smart phones that meet Company security standards with the ability to install apps such as Okta Verify and Microsoft Authenticator. Employment will be contingent on this requirement.

Company Benefits:

Newrez is a great place to work but we are only as strong as our greatest asset, our employees, so we believe in rewarding them!

• Medical, dental, and vision insurance

• Health Savings Account with employer contribution

• 401(k) Retirement plan with employer match

• Paid Maternity Leave/Parental Bonding Leave

• Pet insurance

• Adoption Assistance

• Tuition reimbursement

• Employee Loan Program

• The Newrez Employee Emergency and Disaster Fund is a new program to support our team members

Newrez NOW:

• Our Corporate Social Responsibility program, Newrez NOW, empowers employees to become leaders in their communities through a robust program that includes volunteering, philanthropy, nonprofit grants, and more

• 1 Volunteer Time Off (VTO) day, company-paid volunteer day where all eligible employees may participate in a volunteer event with a nonprofit of their choice

• Employee Matching Gifts Program: We will match monetary employee donations to eligible non-profit organizations, dollar-for-dollar, up to $1,000 per employee

• Newrez Grants Program: Newrez hosts a giving portal where we provide employees an abundance of resources to search for an opportunity to donate their time or monetary contributions

Equal Employment Opportunity 
We're proud to be an equal opportunity employer- and celebrate our employees' differences, including race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, and Veteran status. Different makes us better.

CA Privacy Policy

CA Notice at Collection