Security Engineer Exposure Management

Role Summary

The Security Engineer Exposure Management is responsible for building and maturing the attack surface management capability with a focus on answering where the organization is most exposed and what the actual risk is. This role owns external visibility correlates external exposure to internal systems and accountable owners and provides clear actionable risk insight to stakeholders. The role operates in an advisory capacity and drives informed remediation through visibility analysis and communication not direct system changes.

Primary Objectives

• Establish and maintain authoritative visibility of externally exposed assets across domains IP space applications and services.

• Correlate external exposure to internal systems and accountable owners including complex non-1:1 relationships.

• Answer where risk exists and what exposure means in practical terms to the business.

• Build workflows to manage external findings with minimal manual effort using integration and automation.

• Improve coverage mapping accuracy and data quality to reduce unknown external exposure.

Responsibilities

• Build and operate the attack surface management capability including processes integrations and workflows.

• Maintain visibility into externally exposed assets including domains IPs web applications APIs certificates load balancers and DMZ services.

• Correlate external findings to internal systems and ownership across complex indirect relationships.

• Coordinate with threat intelligence network firewall DNS and load balancing teams to validate exposure and ownership.

• Develop and maintain integrations to support discovery enrichment and correlation of external assets.

• Drive routing accuracy by ensuring findings map to the correct owners and identifying ownership gaps.

• Identify and resolve data quality issues impacting visibility coverage and correlation.

• Integrate findings into ServiceNow workflows where applicable to support routing and tracking.

• Reduce manual effort by standardizing and automating repeatable processes.

• Analyze exposure and vulnerability data in context to determine actual risk beyond tool-based severity.

• Communicate complex technical risk clearly to non-technical stakeholders with actionable recommendations.

• Document processes playbooks and operational standards to sustain the capability.

Required Qualifications

• Minimum 5 years of experience in information security.

• Minimum 3 years of hands-on experience in enterprise vulnerability management exposure management or network security.

• Strong understanding of networking fundamentals including firewalls ACLs routing load balancing and externally exposed architectures.

• Strong understanding of DNS web infrastructure certificates and DMZ environments.

• Understanding of infrastructure vulnerability assessment and discovery scanning concepts.

• Basic understanding of cloud-hosted and externally exposed services.

• Basic understanding of web applications and externally facing service risk.

• Strong experience correlating external data to internal systems and ownership across inconsistent datasets.

• Strong analytical and complex technical problem-solving skills.

• Ability to assess and communicate risk beyond tool-generated severity using context.

• Experience working with CMDB or similar systems for asset and ownership tracking.

• Ability to operate independently in a greenfield program environment.

Preferred Qualifications

• Experience integrating external exposure data into ServiceNow workflows for routing and tracking.

• Experience improving data quality deduplication and correlation across multiple data sources.

• Experience working with externally exposed enterprise environments and perimeter infrastructure.

• Experience automating data collection normalization or correlation using scripting or APIs.

Certifications

• Sec required.

• Higher-level security or risk-related certifications preferred.

Work Location

Hybrid role requiring three days per week in the office. Must be located within Xcel Energy territory and reasonably close to an Xcel Energy facility. Denver Colorado and Minnesota areas preferred.