Attack Surface Management Consulting Director

About The Position

Requirements

• In depth understanding of Vulnerability Management, Application Security, Cloud Security, Ethical Hacking, Threat Management, and Security Remediation programs and operations.
• Strong working knowledge of AI/ML, GenAI, LLM, and agentic AI security concepts, common attack/defense techniques, and use to solve application security, vulnerability management, and ethical hacking domain problems.
• Demonstrated experience developing and maturing service, tooling, and process automation.
• Demonstrated experience in software development and/or scripting.
• Strong understanding of security vulnerabilities and threats and industry standard methodologies of risk managing exposures effectively.
• Superior analytical and problem-solving skills and the ability to effectively communicate highly technical information to all audiences.
• Proven ability to interact effectively with senior business leadership to effectively address vulnerabilities and threats in a priority manner.
• Working knowledge of regulations (e.g., SOX, privacy, etc.) and internal controls as they apply to IT.
• Routinely stays up to date on current best practices / trends to identify, document, and drive resolution of security exposures through independent and collaborative industry research.
• Proven ability to influence change and drive the adoption of automation, AI, and agentic AI to applicable domain programs and teams.
• Ability to work extremely well under pressure while maintaining a professional image and approach.
• Bachelor’s Degree required or equivalent work experience.
• Typically, a minimum of ten years of information security or related work experience in one or more of the following: application security, vulnerability management or exposure management, ethical hacking, penetration testing, attack surface management, security engineering, or security architecture.

Nice To Haves

• Master’s Degree in Computer Science or technical field preferred.
• Relevant certifications preferred.

Responsibilities

• Aid in defining and implementing strategy for applying automation, AI, and agentic AI to application security, vulnerability management, ethical hacking, and attack surface management use cases.
• Evaluate, deploy, manage, and govern best-in-class new and existing AI-centric solutions, services, and capabilities relevant to the application security, ethical hacking, and vulnerability management domains.
• Identify, prioritize, and drive high-value outcomes where automation and AI can improve operational effectiveness, speed, scale, and efficiency.
• Develop and contribute to audit-defensible governance, standards, processes, procedures, methodologies, practices, playbooks, etc. for secure AI adoption and use across application security, vulnerability management, and ethical hacking domains.
• Lead identification and risk analysis of the external attack surface through development and continuous improvement of automation to drive effective risk exposure response across the business.
• Create secure AI, including agentic, development practices by establishing and continuously improving reusable skills, prompts, workflows, and guardrails for AI-based tools such that AI generated code adheres to secure coding expectations, including proper input validation, authentication, authorization, secrets handling, logging, error handling, dependency use, and secure design.
• Drive the use of AI to improve threat modeling, code review, and application security testing; vulnerability analysis, prioritization, and remediation; penetration testing and red teaming; and attack surface discovery, risk analysis, and remediation.
• Partner with peer domain leaders and practitioners to understand, align, integrate, collaborate, etc. on AI initiatives that realize value to Cyber Defense, Global Enterprise Security, and the business at large.
• Provides proactive, frequent and consistent communication to key IT and business stakeholders on applicable measures, metrics, KRIs, KPIs, threats, risks, etc.
• Ensures application security, vulnerability management, ethical hacking outputs, and other attack surface management activities result in proper action, risk management, etc.
• May perform additional duties as assigned.

Benefits

• CNA offers a comprehensive and competitive benefits package to help our employees – and their family members – achieve their physical, financial, emotional and social wellbeing goals.