Associate Director, Vulnerability Management
Insight Global
Date Posted:
5/9/2025
Remote Work Level:
Hybrid Remote
Location:
Hybrid Remote in New York, NY
Job Type:
Employee
Job Schedule:
Full-Time
Career Level:
Senior Level Manager (Director, Dept Head, VP, General Manager, C-level)
Travel Required:
No specification
Education Level:
Professional Certification
Salary:
$220,000 - $260,000 Annually
Benefits:
Disability, Career Development
About the Role
Location: NY-New York
Job Description
An international law firm is looking for an Associate Director, Vulnerability Management to join their security team. The Firm has more than 1,300 lawyers and has offices that span the globe from Boston, New York, Beijing, Brussels, Hong Kong, Houston, London, Los Angeles, Palo Alto, Sao Paulo, Tokyo and Washington, D.C. The Firm consistently ranks among the world's leading law firms. The Firm has the following practice areas: Corporate, Litigation, Banking & Credit, Capital Markets, Mergers & Acquisitions, Real Estate, Restructuring and Private Funds. They support clients in a variety of industries such as Energy (Oil & Gas, Power & Renewables), Financial Services, Healthcare & Life Sciences, Infrastructure, Technology, Insurance & Reinsurance, and Data Centers. This role will be 3 days onsite in NYC and the remaining remote, with the exception of the first two weeks of training which will be 4 days onsite.
The Associate Director, Vulnerability Management is an executive presence within the security organization and will be helping to mold the Vulnerability Management team at the firm. This role is 50% people management and 50% hands-on technically. Right now they will be managing one Vulnerability Engineer, but this team is expected to grow in the future. They will be responsible for performance reviews and growing folks underneath them to reach their full potential.
They will be responsible for developing and managing a risk-based cyber threat and vulnerability management program and will lead a team that provides continuous vulnerability scanning, configuration monitoring, testing, patch management, and reporting. They will collaborate with IT teams and business process owners to ensure gaps are quickly remediated.
The ideal candidate is a technical, hands-on leader with the ability to drive consensus and collaboration among many diverse teams, individuals, and business stakeholders to achieve desired results. They can explain technical concepts in non-technical terms and have excellent interpersonal, leadership, presentation, and collaborative skills. For example, if a vulnerability is found, they need to determine what it is, how it is affecting the system, and where it needs to be fixed (CVE, XSS, cloud-based posture management, SaaS, etc.); they must be able to go into the tools themselves to configure and deploy, and have a strong background in networking and overall infrastructure.
Responsibilities
* Establish, update, and maintain a vulnerability management program based on industry standards & best practices that includes asset discovery, vulnerability scanning, secure configuration monitoring, and remediation or mitigation activity
* Deliver continuous scanning, identification, and reporting of internal and external attack surface throughout on-prem and cloud-based environments across Firm products, technologies, and networks
* Recommend, socialize, and gain consensus on minimum patching and vulnerability management standards and policies across Firm IT teams and business stakeholders
* Lead vulnerability response efforts to address imminent threats and zero-day vulnerabilities
* Monitor vulnerability remediation progress and partner with IT teams to provide recommendations for efficient risk remediation or mitigation
* Provide regular reporting on the current state of vulnerabilities and configurations throughout the entire environment including acquisitions
* Monitor, mitigate, and report on additional threats, including supply chain attacks, vulnerabilities in code, unencrypted protocols, digital footprint issues, and other cybersecurity control gaps
* Manage internal and external penetration testing, red team activities, active port audits, and software audits to identify EOL hardware and software, insecure legacy applications, and otherwise unsafe or unauthorized software
* Manage a portfolio of scanning, vulnerability management, breach simulation, and reporting tools and ensure that security agents and vulnerability monitoring tools are deployed correctly and operating properly
* Develop cyber health scoring algorithms and measurement criteria, and build consumable reporting for technical and non-technical stakeholders, Firm leadership, and external clients
* Responsible for staying informed of industry-leading vulnerability and software security vendors, latest threats & risks, and continuously updating the program based on business priorities and available cyber threat intelligence.
Salary Information
NY Only: The estimated base salary range for this position is $220,000 to $260,000 at the time of posting.
The actual salary offered will depend on a variety of factors, including without limitation, the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not overtime pay eligible.
We are a company committed to creating inclusive environments where people can bring their full, authentic selves to work every day. We are an equal opportunity employer that believes everyone matters. Qualified candidates will receive consideration for employment opportunities without regard to race, religion, sex, age, marital status, national origin, sexual orientation, citizenship status, disability, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or recruiting process, please send a request to HR@insightglobal.com. The EEOC "Know Your Rights" Poster is available here (https://www.eeoc.gov/sites/default/files/2023-06/22-088_EEOC_KnowYourRights6.12ScreenRdr.pdf).
To learn more about how we collect, keep, and process your private information, please review Insight Global's Workforce Privacy Policy: https://insightglobal.com/workforce-privacy-policy/.
Skills and Requirements
- 15+ years of experience in an IT or Information Security role, with at least 2-5+ years managing or leading an Information Security vulnerability management function with direct reports
- Expertise in vulnerability assessment, risk management, and cybersecurity frameworks such as NIST, CIS, and OWASP
- Expert familiarity with the MITRE ATT&CK framework & CVE/CVSS scoring system
- Strong technical knowledge of vulnerability scanning and attack surface management tools (e.g., Qualys, Nexpose, Metasploit, AttackIQ, Shodan, etc.)
- Knowledge of cloud computing systems (SaaS, PaaS, and IaaS), containers, cloud orchestration
- Experience working in a global organization and broad knowledge of security domains, technology risk management concepts, and a working knowledge of security and risk frameworks
- Networking concepts including TCP/IP, firewalls, and network security products
- Knowledge of common application architectures, design, protocols, and agile deployment methodology and best practices
- Security certifications: CISSP, CCSP, CISM, or similar
We are a company committed to creating diverse and inclusive environments where people can bring their full, authentic selves to work every day. We are an equal employment opportunity/affirmative action employer that believes everyone matters. Qualified candidates will receive consideration for employment without regard to race, color, ethnicity, religion, sex (including pregnancy), sexual orientation, gender identity and expression, marital status, national origin, ancestry, genetic factors, age, disability, protected veteran status, military or uniformed service member status, or any other status or characteristic protected by applicable laws, regulations, and ordinances. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to HR@insightglobal.com.