Sr. Information Security Analyst - Platform Security

McKesson is an impact-driven, Fortune 10 company that touches virtually every aspect of healthcare. We are known for delivering insights, products, and services that make quality care more accessible and affordable. Here, we focus on the health, happiness, and well-being of you and those we serve – we care.

What you do at McKesson matters. We foster a culture where you can grow, make an impact, and are empowered to bring new ideas. Together, we thrive as we shape the future of health for patients, our communities, and our people. If you want to be part of tomorrow’s health today, we want to hear from you.

McKesson is looking for a Senior Information Security Analyst, Threat & Vulnerability Management to help supporting McKesson information security capabilities and compliance across Business units and Enterprise IT organizations within McKesson.  As a Senior Information Security Analyst, you will be a key member of our Cybersecurity team.  The candidate will have a background in Threat & Vulnerability Management and will also help represent the Cybersecurity team on various projects and boards.  The Senior Information Security Analyst works with the Sr. Manager, Threat & Vulnerability playing a critical role in safeguarding the organization’s information and systems by identifying and addressing vulnerabilities. This position involves monitoring, analyzing, and advising on vulnerability-related risks.

Responsibilities:

Vulnerability Monitoring:

- Continuously monitor relevant sources (CVE databases, security bulletins, etc.) for newly identified vulnerabilities.

- Assess the impact and severity of vulnerabilities based on the organization’s assets and risk appetite.

Risk Evaluation:

- Evaluate the risks posed by identified vulnerabilities to the organization’s information and systems.

- Collaborate with cross-functional teams to prioritize vulnerabilities based on business impact.

Advisory Role:

- Provide actionable recommendations to management regarding vulnerability remediation.

- Advise on appropriate measures to eliminate or reduce the organization’s risk exposure.

Trend Analysis:

- Analyze vulnerability data to identify trends, patterns, and emerging threats.

- Stay informed about industry best practices and evolving attack vectors.

Stakeholder Communication:

- Regularly communicate vulnerability status, progress, and risk mitigation efforts to relevant stakeholders.

- Foster collaboration with IT teams, system owners, and security architects.

Key Results:

- Patch Compliance Rate:

- Achieve and maintain a high patch compliance rate across all systems and applications.

Vulnerability Reduction:

 - Continuously reduce the number of critical and high-risk vulnerabilities within the organization.

Response Time:

- Minimize the time taken to remediate vulnerabilities after discovery.

Risk Score Improvement:

- Work towards lowering the overall risk score associated with vulnerabilities.

Stakeholder Satisfaction:

- Gather feedback from stakeholders on vulnerability management effectiveness and adjust strategies accordingly.

Qualifications (Education, Experience, Skills/Competencies):

• Degree in IT Security, Information Systems, Computer Science, Engineering, Information Security, Education, Information Technology, Information Systems, Technical, Cyber Security, Technology, a related field or equivalent experience.
• 5+ years of experience in systems and/or applications security, including maintenance and use of security products in a distributed enterprise environment, Network and Infrastructure Security, Vulnerability Management, Cloud Security, Data Protection Controls (Cryptography, Data Loss Prevention, Access Controls, etc.).
• Knowledge of investigative methodologies and decomposing behavioral profiles to develop investigative plans.
• Ability to manage the security vulnerabilities and risks across the organization including identifying, supporting application/system owners to manage risks and remediate vulnerabilities.
• Ability to analyze site/enterprise Computer Network Defense policies and configurations and evaluate compliance with regulations and enterprise directives.
• Knowledge of Security and Control Frameworks such as NIST, ISO, Cloud Security Alliance, CMMC, etc.
• Knowledge of network protocols IDS/IPS, DNS, TCP/IP, network defense components.
• Security related qualification(s) such as CISSP, GPEN, GCIH, CEH, CISA, CRISC, IAT, CISM, or GIAC.

Additional Knowledge & Skills (Optional):

• Knowledge of healthcare, privacy, and financial compliance regulations.
• Knowledge and experience with secure deployment of applications within cloud environment.
• Experience with law enforcement, defense, or intelligence community.
• Strong analytical and troubleshooting skills with an understanding of IT business operations and information security.
• Experience with Vulnerability Management Tooling.

At McKesson, we care about the well-being of the patients and communities we serve, and that starts with caring for our people. That’s why we have a Total Rewards package that includes comprehensive benefits to support physical, mental, and financial well-being. Our Total Rewards offerings serve the different needs of our diverse employee population and ensure they are the healthiest versions of themselves.

As part of Total Rewards, we are proud to offer a competitive compensation package at McKesson. This is determined by several factors, including performance, experience and skills, equity, regular job market evaluations, and geographical markets. The pay range shown below is aligned with McKesson's pay philosophy, and pay will always be compliant with any applicable regulations.  In addition to base pay, other compensation, such as an annual bonus or long-term incentive opportunities may be offered. 

Our Base Pay Range for this position