Senior Information Security Engineer, Vulnerability Management
New York, United States
Full Time Senior-level / Expert USD 160K - 190K
Simpson Thacher & Bartlett LLP
Simpson Thacher & Bartlett LLP is an international law firm headquartered in New York City, employing over 1,300 attorneys in 11 offices worldwide.
Job Summary & Objectives
The Senior Information Security Engineer, Vulnerability Management is responsible for leading the identification, assessment, and mitigation of security vulnerabilities across enterprise systems and applications. This role plays a critical part in proactively managing cyber risks by discovering and addressing weaknesses before they can be exploited. The senior engineer will perform regular scanning and monitoring of global networks, assets and systems for vulnerabilities and misconfigurations, including cloud-based and on-prem systems. They will collaborate with IT teams and business process owners to ensure timely remediation of identified issues and drive continuous improvement of the organization's security posture.
The ideal candidate is highly technical with expertise in vulnerability management tools and methodologies, combined with a strong understanding of enterprise IT environments, including cloud infrastructure, networks, and applications. They should demonstrate proven experience in managing large-scale vulnerability assessments, interpreting scan results, prioritizing remediation efforts based on risk, and driving resolution in partnership with cross-functional teams. The candidate will possess strong analytical and communication skills and the ability to influence and collaborate effectively with both technical and non-technical stakeholders. They must be detail-oriented with the ability to adapt rapidly to new challenges, think creatively and holistically, and quickly resolve unforeseen issues.
Essential Job Duties & Responsibilities
- Lead enterprise vulnerability management activities, including asset discovery, vulnerability scanning, secure configuration monitoring, remediation and mitigation activity, and metrics reporting
- Deliver continuous scanning, identification, and reporting of internal and external attack surface, vulnerabilities, and security related misconfigurations throughout on-prem and cloud-based environments across Firm systems, technologies, networks, and applications
- Collaborate with business process owners and IT teams, including DevOps and application teams, to drive timely remediation and risk reduction
- Manage a portfolio of scanning, vulnerability management, breach simulation, and reporting tools and ensure that security agents and vulnerability monitoring tools are deployed correctly and operating properly
- Manage cloud posture and SaaS application posture management tools
- Maintain and optimize vulnerability scanning tools, including network, infrastructure, and application scanning tools
- Optimize vulnerability management processes and integrations with other security and IT systems
- Lead vulnerability response efforts to address imminent threats and zero-day vulnerabilities
- Monitor vulnerability remediation progress and partner with IT teams to provide recommendations for efficient risk remediation or mitigation
- Monitor, mitigate, and report on additional threats, including supply chain attacks, vulnerabilities in code, unencrypted protocols, digital footprint issues, and other cybersecurity control gaps
- Manage internal and external penetration testing, red team activities, active port audits, and software audits to identify EOL hardware and software, insecure legacy applications, and otherwise unsafe or unauthorized software
- Provide regular reporting on the current state of vulnerabilities and develop and maintain metrics and dashboards to communicate vulnerability trends and remediation progress to stakeholders
- Develop cyber health scoring algorithms and measurement criteria, and build consumable reporting for technical and non-technical stakeholders, Firm leadership, and external clients
- Responsible for staying informed of industry-leading vulnerability and software security vendors and the latest threats and risks, and for continuously updating the program based on business priorities and available cyber threat intelligence
- Stay current with emerging threats, vulnerability intelligence, and industry best practices to enhance the program's effectiveness
- Support security audits, assessments, and compliance initiatives by providing accurate and timely vulnerability data
- Contribute to the development of policies, standards, and playbooks related to vulnerability management
- Must be able to participate in occasional off-hours work and an on-call rotation
Education
Required
- Bachelor's degree in information security, IT, a related discipline, or equivalent experience
Preferred
- Professional certifications such as CISSP, CCSP, CEH, or similar
Skills and Experience
- 8+ years of experience in an IT or Information Security role, with at least 4 years in a vulnerability / attack surface management function
- Proven history of successfully deploying and managing common vulnerability scanning and attack surface management tools (e.g., Qualys, Tenable, Rapid7, Nessus, Metasploit, AttackIQ, etc.)
- Experience interpreting CVSS scores, threat intelligence, and business impact to prioritize remediation, with demonstrated knowledge and expertise in vulnerability assessment, risk management, and cybersecurity frameworks such as NIST, CIS, and OWASP
- Working knowledge of cloud computing systems (SaaS, PaaS, and IaaS), containers, cloud orchestration, and common cloud platforms (e.g., AWS, Azure, GCP) and associated security controls and configurations
- Solid understanding of networking, system administration (Windows/Linux), and application security principles
- Experience working in a global organization and broad knowledge of security domains, technology risk management concepts, and a working knowledge of security and risk frameworks
- Knowledge of core networking concepts including TCP/IP, firewalls, and network security products
- Knowledge of common application architectures, design, protocols, and agile deployment methodology and best practices
- Ability to manage multiple concurrent objectives and activities, and make effective judgments in prioritizing and time allocation
- Must have a continuous learning mindset and a demonstrated aptitude for understanding new vulnerabilities, threats, and attack vectors
Salary Information
NY Only: The estimated base salary range for this position is $160,000 to $190,000 at the time of posting.
The actual salary offered will depend on a variety of factors, including without limitation the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and, if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not eligible for overtime pay.
Privacy Notice
For information about how Simpson Thacher & Bartlett LLP collects and processes your personal information, please refer to our Privacy Notice available at https://www.stblaw.com/other/privacy-notice.
Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, gender identity or expression, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, veteran's status or any other legally protected status. This Policy pertains to every aspect of an individual's relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.
#LI-Hybrid
Perks/benefits: Career development Health care