Manager, Cybersecurity - Protect

Motiva•Houston, TX

About The Position

The Cybersecurity Manager – Protect leads the team responsible for designing, implementing, and continuously improving the preventive security controls that safeguard the company's IT and OT systems, data, and identities. Aligned to the NIST Cybersecurity Framework Protect function, this role owns the programs and technologies that reduce attack surface and stop threats before they require a response — vulnerability and patch management, identity and access management, data protection, email and web security, network segmentation, endpoint hardening, and secure configuration baselines across cloud and on-premises environments. The leader partners closely with the Detect/Respond, OT Cybersecurity, GRC, and IT Infrastructure teams to ensure preventive controls are measurable, sustainable, and aligned with the company's risk appetite. A core focus is maturing the organization's protective posture, growing the technical depth of the team, and delivering measurable reductions in exploitable risk. The position reports to the Chief Information Security Officer and collaborates closely with senior leaders across the enterprise.

Requirements

Bachelor's or advanced degree in Computer Science, Information Technology, Cybersecurity, or a related field. Pertinent professional experience may substitute for the education requirement on a year-for-year basis.
11+ years of experience in IT security with significant depth in preventive/protective domains — vulnerability management, identity and access, network security, endpoint and email security, and cloud security — within a large-scale organization, including at least 8 years in a leadership or management role.
Relevant certifications (e.g., CISSP, CISM). Equivalent training and experience may be considered.
Strong knowledge of industry standards and frameworks including the NIST Cybersecurity Framework (with deep familiarity with the Protect function), NIST 800-53, and CIS Controls.
Hands-on familiarity with enterprise email security platforms, particularly Microsoft Defender for Office 365 and Abnormal Security.
Proven experience operating modern vulnerability management programs at scale, including risk-based prioritization, exploitability context (e.g., EPSS, CISA KEV), and SLA-driven remediation.
Strong understanding of firewall and network security technologies, zero-trust principles, segmentation strategies, and secure cloud network design.
Excellent communication and interpersonal skills, with a demonstrated customer-experience mindset when working with internal stakeholders.
Strong organizational and project management skills, with the ability to prioritize and run multiple workstreams simultaneously.
Strong analytical, problem-solving, and decision-making skills.

Nice To Haves

Experience with risk and control related to Operational Technology (OT) environments.
Strong data analytics and reporting skills

Responsibilities

Lead and mentor a team of security analysts responsible for protective controls across IT and OT environments, providing guidance, feedback, coaching, and career development.
Own the enterprise vulnerability management program end-to-end: discovery, prioritization (risk- and exploitability-based), remediation coordination with IT and OT asset owners, exception management, and reporting on SLA performance and risk reduction over time.
Direct the patch management strategy in partnership with IT Operations and OT Engineering, ensuring timely deployment of security updates while respecting operational constraints in refinery environments.
Manage the email security stack, including Microsoft Defender for Office 365 and Abnormal Security, tuning policies, evaluating efficacy, and reducing phishing and business email compromise exposure. Partner with the security awareness program to close the human layer of email risk.
Own firewall, network segmentation, and zero-trust architecture programs, including policy lifecycle management, rule review and recertification, micro-segmentation initiatives, and IT/OT boundary protections aligned to ISA/IEC 62443.
Oversee endpoint and server hardening programs, secure baseline configuration management, and protective controls within Microsoft Defender XDR and adjacent platforms.
Design, implement, and continuously improve cloud security protective controls in Azure, including secure landing zones, posture management.
Collaborate with the Detect/Respond function to establish protective control metrics and dashboards — vulnerability SLA performance, patch compliance, phishing simulation outcomes, firewall hygiene, privileged account coverage, configuration drift — and report posture and risk trends to senior leadership.
Research and evaluate emerging protective technologies and techniques, providing recommendations for adoption, pilot, and integration with existing toolsets.
Partner with the Detect/Respond function to translate threat intelligence and incident lessons learned into hardened controls, closed coverage gaps, and improved baselines.
Collaborate with GRC, Internal Audit, IT, OT Engineering, Legal, and external partners to ensure protective controls satisfy regulatory, contractual, and organizational governance requirements (e.g., NIST CSF, NIST 800-53, ISA/IEC 62443, MTSA).
Manage protective security projects and initiatives, ensuring timely delivery, quality outcomes, and measurable risk reduction.