Senior Director, Cyber Security

About The Position

Responsibilities

• Build the future-state vulnerability management operating model • Define the enterprise vulnerability management strategy, vision, and roadmap, centered on contextual prioritization and continuous exposure management. • Establish a risk-scoring/prioritization approach that combines: asset criticality, internet exposure, identity privilege, exploitability/KEV, compensating controls, lateral movement potential, and business process impact. • Evolve from point-in-time reporting to continuous, near-real-time visibility and prioritization
• Drive outcomes across a complex, federated environment • Lead cross-functional execution across infrastructure, endpoints, cloud platforms, and application teams. • Build a scalable “hub-and-spoke” model: central standards, analytics, governance, and reporting; distributed remediation ownership and execution. • Establish clear RACI, operational rhythms (triage, remediation planning, exception handling), and escalation paths tied to business risk.
• Modernize tooling, data quality, and automation • Optimize and integrate vulnerability and exposure tooling, including (examples): Tenable, Wiz, third-party risk/external posture sources such as Black Kite and Security Scorecard, plus CMDB/asset inventories, SIEM/SOAR, ticketing (e.g., ServiceNow/Jira), and CI/CD security signals. • Create a unified vulnerability/exposure “source of truth” that normalizes data, reduces duplicates, and improves attribution to true owners. • Automate workflows: enrichment, deduplication, prioritization, ticket creation, exception approvals, and verification of remediation.
• Deliver executive-ready reporting and measurable risk reduction • Produce board- and executive-level reporting that explains risk in business terms: top exposure themes, critical attack paths, remediation progress, and residual risk. • Build forward-looking metrics and dashboards that reflect reality in a large enterprise: coverage, confidence/accuracy, time-to-remediate by risk tier, exception trends, and risk acceptance discipline. • Create an evidence-based narrative demonstrating how vulnerability decisions reduce likelihood and impact of material incidents.
• Embed vulnerability management into engineering and cloud delivery • Shift left: partner with engineering leadership to integrate vulnerability findings into developer workflows and release gates where appropriate. • Establish practical standards for vulnerability remediation in cloud and applications (e.g., images, containers, IaC, SaaS configs), balancing security with delivery velocity. • Enable teams with playbooks, patterns, and self-service dashboards to improve fix rates without constant central chasing.
• Govern exceptions and ensure realism at enterprise scale • Design an exception process that is disciplined, time-bound, transparent, and tied to compensating controls and risk acceptance. • Differentiate “must-fix” from “monitor/mitigate,” ensuring the program remains credible and relevant rather than flooding teams with unprioritized queues.