Lead Analyst, Attack Surface Management (ASM)

About The Position

Requirements

• 5 years in attack surface and vulnerability management.
• A bachelor’s degree or combined experience/education as substitute for minimum education.
• Knowledge of the following frameworks: NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001, MITRE ATT&CK Framework, OWASP Top Ten, CIS Controls, COBIT, SANS Critical Security Controls, PCI DSS, NIST SP 800-53, and ITIL.
• Strong understanding of ASM/vulnerability management, security testing practices, and methodologies.
• Understanding and technical knowledge of Cyber Defense concepts, (e.g., incident response, security monitoring, cyber threat intelligence, attack surface and vulnerability management).
• Understanding of Operational Technology environments and security requirements needed to manage the broader attack landscape across the university.
• Experience in building infrastructure and application vulnerability management programs.
• Experience in deploying and operating vulnerability scanning infrastructure and services and deep understanding of vulnerability scanning platforms.
• Comprehensive knowledge of cloud-native vulnerability practices in AWS, Azure, and SaaS platforms and associated security challenges.
• Ability to assess business risks and recommend suitable cybersecurity measures.
• Experience in managing vulnerability assessment tools.
• Knowledge of system, application, and database hardening techniques.
• Strong communication and interpersonal skills, enabling effective interaction across all organizational levels, along with proven analytical and problem-solving abilities, and exceptional attention to detail.
• Project management experience with a track record of leading complex security initiatives, coupled with the ability to teach and train others effectively.
• Ability to work with teams across the cybersecurity function, with managed service providers, and with IT teams across the university.
• Ability to work evenings, weekends and holidays as the schedule dictates.

Nice To Haves

• 7 years of related experience.
• A bachelor's degree or combined experience/education as substitute for minimum education.
• Experience working in higher education or complex, decentralized environments.
• CISSP, GCIH, GPEN, Security+, or similar.

Responsibilities

• Oversees the vulnerability lifecycle management process (e.g., detection, monitoring, reporting, and assessing the impact of vulnerabilities).
• Supports regular vulnerability assessments and scans to identify security weaknesses in systems, applications, networks, and OT/IoT environment.
• Develops and implements remediation strategies to address vulnerabilities and minimize the university's attack surface.
• Implements remediation required by audits.
• Engages with DSUs to advise on remediation strategies of vulnerabilities.
• Collaborates with IT teams and stakeholders to validate effective end-to-end vulnerability remediation and maintain a consistent customer experience.
• Collaborates with VM managed service teams and manages daily operations and communications.
• Evaluates vulnerability trends in third-party applications and services and collaborates with managed service providers as needed.
• Serves as an ASM subject matter expert, formulating and prioritizing intelligence requirements according to established risk management framework.
• Participates in and influences the roadmap for the university’s vulnerability management program.
• Collaborates on detailed reports on vulnerabilities, their impact, and the status of remediation efforts and communicates findings to stakeholders.
• Provides expertise to help develop and maintain vulnerability and attack surface management policies, procedures, and best practices for the university.
• Maintains awareness and knowledge of current changes within legal, regulatory, and technology environments which may affect operations.
• Maintains awareness of current university threat intelligence feeds and reports to stay informed about emerging threats and vulnerabilities that may affect the organization's attack surface.
• Maintains knowledge of emerging vulnerabilities, exploits, and remediation techniques.
• Encourages a workplace culture where all employees are valued, value others and have the opportunity to contribute through their ideas, words and actions, in accordance with the USC Code of Ethics.

Benefits

• To support the well-being of our faculty and staff, USC provides benefits-eligible employees with a broad range of perks to help protect their and their dependents’ health, wealth, and future.
• These benefits are available as part of the overall compensation and total rewards package.
• You can learn more about USC’s comprehensive benefits here.