Senior Principal, Vulnerability Management

Gainwell Technologies LLC
$145,000 - $203,000
Remote

About The Position

Be part of a team that unleashes the power of leading-edge technologies to help improve the health and well-being of those most vulnerable in our country and communities. Working at Gainwell carries its rewards. You’ll have an incredible opportunity to grow your career in a company that values work flexibility, learning, and career development. You’ll add to your technical credentials and certifications while enjoying a generous, flexible vacation policy and educational assistance. We also have comprehensive leadership and technical development academies to help build your skills and capabilities.

The Senior Principal, Vulnerability Management is the enterprise owner for all vulnerability management strategy, tooling, and execution across Gainwell’s environments and client-facing platforms. This role provides deep technical leadership and program governance to ensure vulnerabilities are identified, prioritized, and remediated in a risk-based, measurable, and repeatable manner. The Senior Principal will design and lead a mature vulnerability management program leveraging Tenable, Tanium, ServiceNow Vulnerability Response, and integrated security tooling to reduce cyber risk at scale.

Requirements

  • 17+ years of progressive IT experience, with strong grounding in infrastructure, networking, and enterprise operations.
  • 3+ years of leadership experience in complex, mission-critical environments (healthcare, public sector, and/or military strongly preferred).
  • 4–7+ years of hands-on cybersecurity experience, with significant time spent building, leading, or owning vulnerability management programs.
  • Proven experience designing and operating enterprise VM at scale using: Tenable.sc / Tenable.io / Tenable One (5+ years strongly preferred).

Nice To Haves

  • Completion of SANS MGT516 / SANS 516 – Building and Leading Vulnerability Management Programs, or equivalent leadership training in vulnerability management, is preferred.
  • Professional security certifications such as CISSP, GIAC (e.g., GCLD, GMON, GVAC), or equivalent are preferred.

Responsibilities

  • Own the end-to-end enterprise Vulnerability Management (VM) program, including strategy, roadmap, operating model, and metrics.
  • Define and maintain a risk-based vulnerability management framework aligned to NIST CSF, CIS Controls, and industry best practices.
  • Establish and maintain policies, standards, and procedures for vulnerability identification, assessment, prioritization, remediation, and exception handling.
  • Develop multi-year maturity plans for VM capabilities across server, endpoint, network, application, cloud, and third-party domains.
  • Serve as product owner and technical authority for the Tenable platform (Tenable.sc, Tenable.io, Tenable One) across the enterprise.
  • Design and maintain Tenable architecture.
  • Lead design and operation of scanning strategies across Tenable.sc, Tenable.io, and Tenable One, including asset tagging, scoping, credential management, and scan frequency.
  • Oversee the full lifecycle from detection → triage → assignment → remediation → validation, ensuring timely closure of high and critical vulnerabilities.
  • Operationalize risk-based prioritization using Tenable risk scores (e.g., VPR/CES) combined with business impact, exploitability, and threat intelligence.
  • Partner with infrastructure, application, and cloud teams to align remediation timelines with SLAs and change management processes.
  • Ensure vulnerability and configuration coverage across:
      • Network devices (e.g., Palo Alto firewalls, Panorama, F5, Citrix/NetScaler, Riverbed)
      • Endpoints and servers (via Tanium and SCCM)
      • Virtualized and remote access environments (Citrix, NS)
  • Integrate threat intelligence and MITRE ATT&CK mappings into vulnerability prioritization and reporting.
  • Correlate vulnerabilities with active exploitation trends, threat actor TTPs, and sector-specific threats (especially healthcare/public sector).
  • Inform executive and technical stakeholders on emerging vulnerabilities (e.g., zero-days, high-profile CVEs) and coordinate rapid response efforts.
  • Define and track key VM metrics and KPIs (e.g., mean time to remediate by severity, SLA adherence, exception volumes, exposure trends, coverage levels).
  • Produce executive-ready dashboards and reports for senior leadership, auditors, and clients.
  • Support internal and external audits, regulatory assessments, and customer security due diligence as the authoritative owner of VM processes and data.
  • Chair or participate in governance forums to drive accountability for remediation across infrastructure, application, and product teams.
  • Provide senior technical and leadership guidance to vulnerability analysts, security engineers, and partner IT teams.
  • Mentor junior leaders and technical staff on VM best practices, risk-based thinking, and program management.

Benefits

  • generous, flexible vacation policy
  • educational assistance
  • 401(k) employer match
  • comprehensive health benefits
  • leadership and technical development academies

What This Job Offers

  • Job Type: Full-time
  • Career Level: Senior
  • Education Level: No Education Listed
  • Number of Employees: 5,001-10,000 employees

© 2024 Teal Labs, Inc