Senior Director, Cyber Security

The Role

This role owns the strategy and execution of a modern contextual vulnerability management program that moves beyond scan-and-patch to a risk-based decision grade model. You will build an operating model that continuously identifies prioritizes and drives remediation of exposures based on business criticality exploitability threat intelligence control effectiveness and real-world attack pathsacross a large complex and fragmented enterprise environment. You will partner deeply with infrastructure cloud application engineering IAM SOC GRC third-party risk and business leaders to measurably reduce enterprise risk while maintaining pace with delivery.

What success looks like

A vulnerability management program that produces actionable priorities (not noise) aligned to business risk and threat reality. Clear governance accountability and service-level outcomes that scale across distributed teams and varied technology stacks. Measurable risk reduction (attack-path closure critical exposure burn-down reduced time-to-fix where it matters most) not just compliance metrics. A sustainable model: automation-first integrated into engineering workflows and resilient to tooling changes reorganizations and growth. Board-level metrics and trend reporting that demonstrate program maturity and enterprise risk reduction over time

The Responsibilities

1) Build the future-state vulnerability management operating model Define the enterprise vulnerability management strategy vision and roadmap centered on contextual prioritization and continuous exposure management. Establish a risk-scoring/prioritization approach that combines: asset criticality internet exposure identity privilege exploitability/KEV compensating controls lateral movement potential and business process impact. Evolve from point-in-time reporting to continuous near-real-time visibility and prioritization

2) Drive outcomes across a complex federated environment Lead cross-functional execution across infrastructure endpoints cloud platforms and application teams. Build a scalable hub-and-spoke model: central standards analytics governance and reporting; distributed remediation ownership and execution. Establish clear RACI operational rhythms (triage remediation planning exception handling) and escalation paths tied to business risk.

3) Modernize tooling data quality and automation Optimize and integrate vulnerability and exposure tooling including (examples): Tenable Wiz third-party risk/external posture sources such as Black Kite and Security Scorecard plus CMDB/asset inventories SIEM/SOAR ticketing (e.g. ServiceNow/Jira) and CI/CD security signals. Create a unified vulnerability/exposure source of truth that normalizes data reduces duplicates and improves attribution to true owners. Automate workflows: enrichment deduplication prioritization ticket creation exception approvals and verification of remediation.

4) Deliver executive-ready reporting and measurable risk reduction Produce board- and executive-level reporting that explains risk in business terms: top exposure themes critical attack paths remediation progress and residual risk. Build forward-looking metrics and dashboards that reflect reality in a large enterprise: coverage confidence/accuracy time-to-remediate by risk tier exception trends and risk acceptance discipline. Create an evidence-based narrative demonstrating how vulnerability decisions reduce likelihood and impact of material incidents.

5) Embed vulnerability management into engineering and cloud delivery Shift left: partner with engineering leadership to integrate vulnerability findings into developer workflows and release gates where appropriate. Establish practical standards for vulnerability remediation in cloud and applications (e.g. images containers IaC SaaS configs) balancing security with delivery velocity. Enable teams with playbooks patterns and self-service dashboards to improve fix rates without constant central chasing.

6) Govern exceptions and ensure realism at enterprise scale Design an exception process that is disciplined time-bound transparent and tied to compensating controls and risk acceptance. Differentiate must-fix from monitor/mitigate ensuring the program remains credible and relevant rather than flooding teams with unprioritized queues.

The Qualifications

10 years in cybersecurity with deep experience leading vulnerability management or exposure/risk reduction programs in large complex organizations. Demonstrated success transforming programs from traditional CVSS-driven patching to contextual threat-informed prioritization. Strong stakeholder leadership across engineering infrastructure cloud product/application teams and governance groups. Experience driving operational change at scale: governance process design automation and measurable outcomes. Comfort with ambiguity fragmented data and complex ownership modelsable to create clarity and momentum.

Technical requirements

Vulnerability management domains: infrastructure endpoints cloud applications identity exposures and third-party/external attack surface. Familiarity with tools such as Tenable (or equivalents) Wiz (or cloud CNAPP/CSPM equivalents) external posture/third-party sources like Black Kite and SecurityScorecard and integrating signals into ticketing and reporting systems. Understanding of exploitability signals (e.g. KEV in-the-wild exploitation) attack path concepts and control validation/compensating controls.

Preferred qualifications

Experience building a unified exposure model (asset identity vulnerability misconfiguration external posture). Experience with security data engineering/analytics approaches (normalization scoring BI dashboards automation). Familiarity with regulated environments and audit-ready evidence (SOX HIPAA etc. as applicable).

Leadership competencies

Outcome orientation: prioritizes real risk reduction over activity metrics. Influence at scale: builds coalitions and drives execution without relying on direct authority. Pragmatism: designs a program that remains achievable and relevant in a large enterprise with competing priorities. Communication: converts complex technical risk into simple credible narratives for executives and boards.

Note: Employment-based non-immigrant visa sponsorship and/or assistance is not offered for this specific job opportunity.

This position will remain posted for a minimum of three business days from the date posted or until a sufficient/appropriate candidate slate has been identified.