Vulnerability and Exposure Management Program Manager

About The Position

Requirements

• Bachelor’s degree in information security, Computer Science, Information Technology, or a related field; advanced degree preferred
• Professional certifications such as CISSP, CISM, CISA, or equivalent strongly preferred
• 10+ years of progressive experience in information security, technology risk, or security operations, including ownership of enterprise-scale programs in large, complex organizations
• 5+ years of people leadership experience, including leading managers and multi-layer teams (leader of leaders)
• Demonstrated ability to influence senior executives, drive cross-functional alignment, and deliver results in complex, evolving environments
• Experience operating in highly regulated industries (e.g., banking, insurance, healthcare)

Nice To Haves

• Exceptional executive communication and stakeholder management skills, including regulator- and audit-facing interactions
• Strong negotiation skills to drive alignment, resolve conflict, and deliver outcomes with senior leaders
• Experience leading vulnerability management and/or exposure management programs at enterprise scale
• Expertise in risk-based prioritization, vulnerability lifecycle management, and exposure reduction strategies
• Deep understanding of attack surface management, EASM, and asset discovery across internal and external environments
• Strong data and analytics capability, including experience working with large datasets and translating insights into action
• Metrics-driven leadership (KPIs/KRIs, SLA performance, MTTR, risk posture) with a focus on measurable outcomes
• Experience modernizing security programs through automation, tooling, and AI-enabled capabilities
• Proven ability to operate at enterprise scale, balancing risk reduction with business enablement in a regulated environment

Responsibilities

• Define and execute the enterprise vulnerability and exposure management strategy and multi-year roadmap, including transforming program effectiveness and stakeholder outcomes.
• Build, scale, and lead a largely new exposure management capability, expanding beyond current-state maturity into a comprehensive, enterprise-wide program.
• Establish and operate a scalable model across infrastructure, applications, cloud, containers, third-party technology, and external attack surface, including governance, decision rights, and escalation paths.
• Drive risk-based prioritization and remediation by integrating severity, exploitability, threat intelligence, asset criticality, and business context; lead zero-day response and decision-making.
• Set and enforce remediation SLAs aligned to a faster, AI-influenced threat environment, with strong governance for exceptions and compensating controls.
• Partner across CIO/CTO organizations, security, engineering, and business lines to embed vulnerability reduction into delivery practices (e.g., CI/CD), platform guardrails, and operational processes.
• Modernize tooling, processes, and automation (including AI) to improve speed, accuracy, and efficiency of detection and remediation.
• Deliver executive reporting and insights (KPIs/KRIs), translating technical risk into clear business impact, trends, and actions.
• Leverage large-scale data analysis (millions of vulnerabilities) to identify themes, root causes, and opportunities for targeted risk reduction.
• Ensure regulatory and audit readiness through strong documentation, controls, and issue management practices.
• Lead and develop a multi-layer organization (25–35+ employees), including 5–8 direct reports who are people leaders, focusing on strategy and outcomes rather than hands-on technical execution.
• Manage budget, vendors, and strategic partnerships, including evaluation and implementation of capabilities to improve coverage and remediation effectiveness.
• Establish and enhance External Attack Surface Management (EASM) and enterprise asset intelligence, identifying unmanaged or unknown assets and bringing them into governance.
• Incorporate adversary-informed perspectives into prioritization, aligning efforts with real-world threat behavior and attack paths.
• Evolve the program toward a continuous, global operating model to support enterprise-scale responsiveness.

Benefits

• Healthcare (medical, dental, vision)
• Basic term and optional term life insurance
• Short-term and long-term disability
• Pregnancy disability and parental leave
• 401(k) and employer-funded retirement plan
• Paid vacation (from two to five weeks depending on salary grade and tenure)
• Up to 11 paid holiday opportunities
• Adoption assistance
• Sick and Safe Leave accruals of one hour for every 30 worked, up to 80 hours per calendar year unless otherwise provided by law
• Incentive and recognition programs
• Equity stock purchase
• 401(k) contribution and pension