Senior Director Vulnerability Management

Newrez LLC•Coppell, TX

5d•Onsite

About The Position

Exceed the expectations of our residential mortgage borrowers & business partners through superior service, simple processes, and effective communications. We deliver on this mission by empowering our employees by encouraging and recognizing superior performance and innovative solutions, by promoting teamwork and divisional cooperation. POSITION SUMMARY The Sr Director Vulnerability Management (VM) owns the enterprise VM program across endpoints, servers, network devices, cloud platforms, containers, and applications. This role sets strategy and governance; drives risk-based prioritization; enforces remediation SLAs and exception handling; leads tool adoption and integration; and produces executive-ready metrics for internal governance and external obligations. Success requires deep collaboration with Infrastructure, End-User Computing, Network, Cloud/SRE, Application Engineering, Security Operations, and GRC, as well as selected service providers. The program operates under the Company’s Patch & Vulnerability Management Standard and supports regulatory, audit, and customer requirements. DESCRIPTION Duties and Responsibilities Program Strategy & Governance Define and continuously mature a risk-driven VM strategy, roadmap, and RACI. Establish policy-aligned remediation SLAs, exception criteria, escalation paths, and evidence requirements. Ensure customer/contract obligations related to scanning cadence and patch timelines are operationalized where applicable. Operations, Coverage & Tooling Lead enterprise scanning and assessment coverage across on-prem, cloud, containers, and applications using core platforms (e.g., Qualys VMDR/TotalAppSec, Veracode, Microsoft Defender for Endpoint). Expand and maintain authenticated/agent-based coverage; manage discovery for shadow/EOL assets. Oversee web app/API scanning in partnership with AppSec; ensure rescans validate remediation. Lead enterprise hardening efforts across systems, software, networks, cloud applications, and cloud environments. Integration & Automation Drive CMDB and ITSM integrations to automate ownership mapping, ticket creation, routing, and SLA tracking. Improve data quality (asset/owner criticality) to enable risk-based prioritization and reporting. Remediation Enablement & Outcomes Partner with Infra, Desktop, Cloud, and App Owners to remove blockers (e.g., maintenance windows, change control constraints, EOL/EOS platforms). Track and resolve exceptions with compensating controls; publish actionable playbooks/runbooks. Zero-Day / Major Event Response Orchestrate assessment, prioritization, patch/mitigation guidance, rescans, stakeholder communications, and executive updates for critical vulnerabilities. Metrics, Reporting & Audit Readiness Produce executive-ready dashboards (coverage, SLA attainment, risk burn-down, exception inventory, business impact). Maintain audit artifacts and evidence for internal/external assessments; support GLBA and customer reviews. Ability to effectively and accurately convey information to others. Performs related duties as assigned by management.

Requirements

Bachelor’s degree in Information Security, Information Systems, Computer Science, or equivalent experience.
10+ years in Information Security with 5+ years leading Vulnerability Management for a multi-platform enterprise (hybrid cloud).
Demonstrated results improving enterprise VM metrics and SLA performance.
Technical: Depth with Qualys (VMDR, WAS/TotalAppSec), Veracode, Microsoft Defender for Endpoint; familiarity with network device scanning, container registries, and cloud workload coverage.
Frameworks/Regulatory: Working knowledge of NIST CSF/ISO 27001; audit evidence management (e.g., GLBA); experience satisfying customer security requirements.
Leadership & Influence: Leads cross-functional remediation at enterprise scale; strong executive presence and communication.
Risk-Based Decisioning: Translates technical findings to business risk; prioritizes by asset criticality and exposure.
Tooling Expertise: Hands-on with Qualys (VMDR and WAS/TotalAppSec), Veracode, Microsoft Defender for Endpoint; data/automation integrations with CMDB/ITSM.
Process Design: Scalable workflows, exception governance, and evidence management aligned to standards and audits.
Partnering & Change Management: Drives outcomes with Infra/App/Cloud teams and third parties; removes operational friction.
Communication: Converts complex risk and technical data into concise, outcome-oriented narratives for executives and non-security stakeholders.

Nice To Haves

Certifications: CISSP, CISM, CCSP, or comparable.

Responsibilities

Define and continuously mature a risk-driven VM strategy, roadmap, and RACI.
Establish policy-aligned remediation SLAs, exception criteria, escalation paths, and evidence requirements.
Ensure customer/contract obligations related to scanning cadence and patch timelines are operationalized where applicable.
Lead enterprise scanning and assessment coverage across on-prem, cloud, containers, and applications using core platforms (e.g., Qualys VMDR/TotalAppSec, Veracode, Microsoft Defender for Endpoint).
Expand and maintain authenticated/agent-based coverage; manage discovery for shadow/EOL assets.
Oversee web app/API scanning in partnership with AppSec; ensure rescans validate remediation.
Lead enterprise hardening efforts across systems, software, networks, cloud applications, and cloud environments.
Drive CMDB and ITSM integrations to automate ownership mapping, ticket creation, routing, and SLA tracking.
Improve data quality (asset/owner criticality) to enable risk-based prioritization and reporting.
Partner with Infra, Desktop, Cloud, and App Owners to remove blockers (e.g., maintenance windows, change control constraints, EOL/EOS platforms).
Track and resolve exceptions with compensating controls; publish actionable playbooks/runbooks.
Orchestrate assessment, prioritization, patch/mitigation guidance, rescans, stakeholder communications, and executive updates for critical vulnerabilities.
Produce executive-ready dashboards (coverage, SLA attainment, risk burn-down, exception inventory, business impact).
Maintain audit artifacts and evidence for internal/external assessments; support GLBA and customer reviews.

Benefits

Medical, dental, and vision insurance
Health Savings Account with employer contribution
401(k) Retirement plan with employer match
Paid Maternity Leave/Parental Bonding Leave
Pet insurance
Adoption Assistance
Tuition reimbursement
Employee Loan Program
The Newrez Employee Emergency and Disaster Fund is a new program to support our team members
Newrez NOW: Our Corporate Social Responsibility program, Newrez NOW, empowers employees to become leaders in their communities through a robust program that includes volunteering, philanthropy, nonprofit grants, and more
1 Volunteer Time Off (VTO) day, company-paid volunteer day where all eligible employees may participate in a volunteer event with a nonprofit of their choice
Employee Matching Gifts Program: We will match monetary employee donations to eligible non-profit organizations, dollar-for-dollar, up to $1,000 per employee
Newrez Grants Program: Newrez hosts a giving portal where we provide employees an abundance of resources to search for an opportunity to donate their time or monetary contributions