Lead Analyst, Attack Surface Management (ASM)

About The Position

Requirements

• 5 years in attack surface and vulnerability management.
• A bachelor’s degree or combined experience/education as substitute for minimum education.
• Knowledge of the following frameworks: NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001, MITRE ATT&CK Framework, OWASP Top Ten, CIS Controls, COBIT, SANS Critical Security Controls, PCI DSS, NIST SP 800-53, and ITIL.
• Strong understanding of ASM/vulnerability management, security testing practices, and methodologies.
• Understanding and technical knowledge of Cyber Defense concepts, (e.g., incident response, security monitoring, cyber threat intelligence, attack surface and vulnerability management).
• Understanding of Operational Technology environments and security requirements needed to manage the broader attack landscape across the university.
• Experience in building infrastructure and application vulnerability management programs.
• Experience in deploying and operating vulnerability scanning infrastructure and services and deep understanding of vulnerability scanning platforms.
• Comprehensive knowledge of cloud-native vulnerability practices in AWS, Azure, and SaaS platforms and associated security challenges.
• Ability to assess business risks and recommend suitable cybersecurity measures.
• Experience in managing vulnerability assessment tools.
• Knowledge of system, application, and database hardening techniques.
• Strong communication and interpersonal skills, enabling effective interaction across all organizational levels, along with proven analytical and problem-solving abilities, and exceptional attention to detail.
• Project management experience with a track record of leading complex security initiatives, coupled with the ability to teach and train others effectively.
• Ability to work with teams across the cybersecurity function, with managed service providers, and with IT teams across the university.
• Ability to work evenings, weekends and holidays as the schedule dictates.

Nice To Haves

• 7 years of related experience.
• A bachelor's degree or combined experience/education as substitute for minimum education.
• Experience working in higher education or complex, decentralized environments.
• CISSP, GCIH, GPEN, Security+, or similar.
• In addition, the successful candidate must also demonstrate, through ideas, words and actions, a strong commitment to USC’s Unifying Values of integrity, excellence, community, well-being, open communication, and accountability.

Responsibilities

• Oversees the vulnerability lifecycle management process (e.g., detection, monitoring, reporting, and assessing the impact of vulnerabilities).
• Supports regular vulnerability assessments and scans to identify security weaknesses in systems, applications, networks, and OT/IoT environment.
• Develops and implements remediation strategies to address vulnerabilities and minimize the university's attack surface.
• Implements remediation required by audits.
• Engages with DSUs to advise on remediation strategies of vulnerabilities.
• Collaborates with IT teams and stakeholders to validate effective end-to-end vulnerability remediation and maintain a consistent customer experience.
• Collaborates with VM managed service teams and manages daily operations and communications.
• Evaluates vulnerability trends in third-party applications and services and collaborates with managed service providers as needed.
• Serves as an ASM subject matter expert, formulating and prioritizing intelligence requirements according to established risk management framework.
• Participates in and influences the roadmap for the university’s vulnerability management program.
• Collaborates on detailed reports on vulnerabilities, their impact, and the status of remediation efforts and communicates findings to stakeholders.
• Provides expertise to help develop and maintain vulnerability and attack surface management policies, procedures, and best practices for the university.
• Maintains awareness and knowledge of current changes within legal, regulatory, and technology environments which may affect operations.
• Maintains awareness of current university threat intelligence feeds and reports to stay informed about emerging threats and vulnerabilities that may affect the organization's attack surface.
• Maintains knowledge of emerging vulnerabilities, exploits, and remediation techniques.
• Encourages a workplace culture where all employees are valued, value others and have the opportunity to contribute through their ideas, words and actions, in accordance with the USC Code of Ethics.

Benefits

• To support the well-being of our faculty and staff, USC provides benefits-eligible employees with a broad range of perks to help protect their and their dependents’ health, wealth, and future. These benefits are available as part of the overall compensation and total rewards package. You can learn more about USC’s comprehensive benefits here .