Director - Vulnerability Management

You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential. 

CNA seeks to offer a comprehensive and competitive benefits package to our employees that helps them — and their family members — achieve their physical, financial, emotional and social wellbeing goals.

For a detailed look at CNA’s benefits, check out our Candidate Guide.

Leadership position responsible for transforming and accelerating Vulnerability Management (VM) into a core information security strength. This position plays a pivotal role in safeguarding CNA’s assets by leading an enterprise-wide VM program and team, developing strategy, driving priorities and initiatives with partners, and managing vulnerabilities per organizational risk tolerance across on-premises and cloud environments. This role demands a strategic mindset, robust technical aptitude, and the ability to communicate risk and remediation status effectively throughout the business.

JOB DESCRIPTION:

Essential Duties & Responsibilities

Performs a combination of duties in accordance with departmental guidelines:

• Leads and executes a comprehensive Vulnerability Management program throughout a global technology organization leveraging legacy and modern assets and applications located on-premises and in the cloud.
• Builds and nurtures strong partnerships with asset owners and managed service providers to drive vulnerability remediation, mitigation, reduce exposure and potential business impact, and ensure secure asset configurations.
• Accountable for the vulnerability remediation process within CNA, which may include vulnerabilities discovered through, but not limited to, vulnerability scanning, ethical hacking, threat intelligence, application security, responsible disclosure, etc.
• Holistically owns the secure configuration management process within CNA, which may include working with various teams in developing secure technical specifications for technologies, assessing the environment against those specifications, and continuously improving the posture through governance and technical leadership.
• Develops enterprise policy, standards, plans, strategy, and procedures with specific regard to vulnerability management and secure configuration in alignment with business, industry, and regulatory requirements.
• Develops and presents VM program metrics, KPIs, KRIs, and other applicable performance reporting measures to communicate risk and program effectiveness to governance and leadership.
• Identifies, recommends, and prioritizes appropriate measures to manage and remediate vulnerabilities and reduce potential impacts on information resources to acceptable risk tolerances.
• Successfully partners with other teams to risk assess potential impact from vulnerabilities and recommends appropriate compensating security controls.
• Mentor and develop a team of vulnerability management professionals, fostering a culture of continuous learning and operational excellence.
• Be a champion for vulnerability management and information security including broadening awareness and use of the team's services, education of security best practices and integration with other business areas.

May perform additional duties as assigned.

Reporting Relationship

Typically AVP or above

Skills, Knowledge & Abilities

• Proven track record of leading vulnerability management programs and teams with expert-level knowledge and competence in security concepts and strategies and the ability to successfully implement them.
• Hands-on experience with leading vulnerability management tools at enterprise scale and strong technical understanding and experience assessing vulnerabilities and identifying weaknesses in legacy and modern assets and applications located on-premises and in the cloud.
• Expertise in identifying, evaluating, and prioritizing vulnerabilities within CNA's environment, paired with the capability to design and implement holistic remediation strategies that effectively address both immediate and long-term risks across CNA.
• Excellent written and verbal communications and interpersonal skills to work effectively with peers, leadership, and subordinates. Must be able to clearly communicate complex technical and business concepts both to business partners, internal and external teams, and leadership.
• Strong analytical and project management skills.
• Proven ability to effectively lead, manage, coach, and develop a team. This includes both direct leadership but also cross-functional capabilities.
• 6+ years in a vulnerability management program. Knowing not only how to assess vulnerabilities but also prioritize and drive remediation activities.
• Experience interacting with auditors and regulators.
• Experience and comfort working across evolving cloud and on-premises hybrid environments and technologies.
• Self-starter with the ability to make independent data-driven decisions and the judgment to know when to seek guidance.
• Expert-level understanding of key vulnerability management and information security concepts, such as: risk, severity, exploitability, CVE, CVSS, asset management, secure configuration management, etc.
• Ability to foster collaborative, open, working relationships with stakeholders.
• Strong understanding of enterprise, network, endpoint, and application-level security issues and risks.

Education & Experience

• Bachelor’s degree in computer science, or related discipline, or equivalent work experience.   
• Typically, a minimum of ten years’ related work experience in Information Technology.
• CISSP, CISM, PMP, or equivalent certifications preferred

#LI-JB1

#Remote

CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact leaveadministration@cna.com.