About The Position

As a Senior Manager, Vulnerability Management and Application Security, you will lead CarMax’s enterprise vulnerability management and application security programs and serve as a trusted subject matter expert responsible for strengthening the organization’s security posture. You will mentor and guide a high-performing team, streamline processes, optimize program operations, and deliver actionable insights that influence decision-making across all levels, including executive leadership. This role is ideal for a collaborative, results-driven leader with a passion for building effective programs and improving the security, resilience, and reliability of technology environments and software delivery practices.

Requirements

  • 8+ years of cybersecurity experience with emphasis on vulnerability management, application security, risk analysis, and security assessment practices.
  • 5+ years of experience designing, implementing, or supporting secure information systems and application security practices.
  • 3+ years in a security leadership or management role guiding teams or programs.
  • One or more certifications such as CISA, CISM, CEH, CISSP, or SANS.
  • Experience with enterprise security technologies and application security tooling such as vulnerability scanners, SAST, DAST, software composition analysis, SIEM platforms, and network devices (firewalls, IDS/IPS, routers, and switches).
  • Strong ability to analyze complex security findings, communicate risk clearly to diverse audiences, and drive remediation across infrastructure, engineering, and business teams or partners.
  • Bachelor’s Degree in a technology-related field or equivalent experience in Cybersecurity and Risk Management, preferred.

Responsibilities

  • Oversee and continuously improve the enterprise vulnerability management and application security programs, ensuring effective alignment of processes, tools, and assessments.
  • Develop and manage program roadmaps, budgets, and priorities for security assessments across infrastructure, networks, cloud services, and applications.
  • Create and deliver executive-ready reporting with clear documentation, risk insights, program metrics, and prioritized mitigation recommendations.
  • Define and maintain vulnerability management and application security standards, SLAs, and governance practices in partnership with cybersecurity and technology leaders.
  • Lead risk-based remediation prioritization and ensure consistent progress across infrastructure, engineering, and product teams and partners.
  • Coordinate and communicate responses to emerging threats, zero-day vulnerabilities, and critical application security findings to drive timely remediation.
  • Lead the application security program, including secure development lifecycle practices, application security testing, and risk-based remediation strategies.
  • Partner with engineering, architecture, and product teams to embed security requirements, threat modeling, code scanning, and security reviews into the software development lifecycle – foster a culture of security.
  • Mature application security capabilities such as SAST, DAST, software composition analysis, secrets detection, and security testing for internally developed and third-party applications.
  • Provide guidance on secure coding practices, common vulnerabilities, and remediation approaches.
  • Adapt to and apply technology innovation, including AI, to the role and program overall.
  • Adapt the team and programs to the ever-changing threat and regulatory landscape.
© 2026 Teal Labs, Inc