Vulnerability Management Analyst

About The Position

Requirements

• Bachelor's degree in Information Security, Computer Science, Information Technology or commensurate experience is Required.
• 3+ years professional work experience in vulnerability management, security operations, or IT risk within a regulated environment is Required.
• Prior financial industry regulations and frameworks (FFIEC, NCUA, GLBA, NIST) is Required.
• Hands-on experience with vulnerability scanning tools, such as: Tenable (Nessus, Tenable.io), Qualys, Rapid7 or similar platforms is Required.
• Strong understanding of network, operating system, and application vulnerabilities, patch management processes, and secure configuration standards (CIS Benchmarks) is Required.
• Strong knowledge of vulnerability scanning technologies and methods, including scoring systems (CVSS, CMSS) and risk prioritization frameworks is Required.
• Experience delivering monthly or periodic vulnerability status reports and tracking remediation efforts with internal and external teams is Required.
• Remote employees must reside in one of the following states to be considered for any of our remote positions: FL, IL, IN, IA, MI, MN, MO, OH, TX, WI.

Nice To Haves

• The GIAC (GSEC or GEVA) certification is preferred upon hire although required to be completed within 6 months of hire.

Responsibilities

• Conduct regular vulnerability scanning of networks, servers, endpoints, cloud environments, and applications using approved tools.
• Analyze scan results to identify false positives, determine exploitability, and assess business and regulatory risk.
• Prioritize vulnerabilities based on CVSS scores, threat intelligence, asset criticality, and financial institution risk impact.
• Track vulnerabilities through remediation, validation, and closure using ticketing or governance platforms.
• Perform re-scans to validate remediation effectiveness.
• Ensure vulnerability management practices align with FFIEC Cybersecurity Assessment Tool (CAT), NCUA or banking regulatory guidance, GLBA Safeguards Rule, Internal Information Security and Risk Management policies.
• Prepare documentation, metrics, and evidence for internal audits, regulatory exams, and third-party assessments.
• Support risk acceptance decisions by documenting compensating controls and residual risk.
• Partner with IT infrastructure, application development, cloud, and network teams to remediate identified risks.
• Translate technical vulnerabilities into clear business risk language for leadership and non-technical stakeholders.
• Provide guidance on secure configuration, patching, and vulnerability mitigation strategies.
• Participate in security incident response activities when vulnerabilities are exploited or pose imminent risk.
• Monitor emerging threats, zero-day vulnerabilities, and industry advisories relevant to financial services.
• Contribute to vulnerability management policies, standards, and procedures.
• Assist with penetration testing coordination and result analysis.
• Collect, organize, and maintain security control evidence and artifacts for monthly continuous monitoring deliverables and assessment/authorization activities, ensuring alignment with required frameworks.
• Maintain accurate system inventory and authorization boundary documentation to ensure scanning scope aligns with approved system boundaries.
• Analyze scan results for false positives, document justifications, and prepare deviation requests with supporting risk assessments.
• Participate in change management processes to ensure continuous monitoring activities align with system changes and maintain compliance posture.
• Support and maintain enterprise vulnerability management tools (such as Tenable, Nessus, Burp, Qualys, Rapid7, Wiz, Prisma, Microsoft Defender), ensuring timely updates and patches.
• Run regular and on-demand scans across operating systems, databases, web applications, and containers, then work with technical teams to create tickets for remediation.
• Track and document vendor dependencies, operational requirements, and open vulnerabilities, producing clear monthly reports and updates.
• Contribute to improving internal standards and processes, including maintaining documentation, training materials, and standard operating procedures.
• Run the daily vulnerability management program operations, work closely with the patch management analyst in identifying and patching vulnerabilities, and actively participate in weekly vulnerability management team meetings.
• Comply with all Federal Regulations as they pertain to your job duties, including BSA.

Benefits

• 25 days of paid time off and 10 paid holidays
• 16 hours of paid Volunteer Time Off
• 401K Retirement with up to 6% employer match
• Excellent Health, Dental, Vision insurance, including multiple plan options
• Health Savings Account with generous employer contributions
• Employer paid Life insurance, Short-Term and Long-Term Disability
• Tuition Reimbursement from $4,000 - $7,000 per calendar year
• Robust Learning and Development program that includes an annual professional development stipend