CNA Insurance
Director of Vulnerability Management at CNA Insurance
Overview
Leadership position responsible for transforming and accelerating Vulnerability Management (VM) into a core information security strength. This role leads an enterprise-wide VM program and team, develops strategy, drives priorities and initiatives with partners, and manages vulnerabilities per organizational risk tolerance across on-premises and cloud environments. The role blends deep technical expertise with strategic leadership to ensure vulnerabilities are identified, prioritized, and remediated in a timely manner. The ideal candidate will thrive in a fast-paced environment, demonstrate exceptional technical depth, and possess strong leadership skills to influence across technical and business teams.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
Technical (70%)
Leads and executes a comprehensive Vulnerability Management program throughout a global technology organization leveraging legacy and modern assets and applications located on-premises and in the cloud.
Owns and operates the enterprise vulnerability management program, including vulnerability scanning, reporting, and remediation tracking.
Builds and nurtures strong partnerships with asset owners and managed service providers to drive vulnerability remediation, mitigate exposure, reduce potential business impact, and ensure secure asset configurations.
Oversees and technically validates the MSP’s delivery of vulnerability scanning and assessments using Tenable tools.
Accountable for the vulnerability remediation process within CNA, which may include vulnerabilities discovered through vulnerability scanning, ethical hacking, threat intelligence, application security, responsible disclosure, etc.
Holistically owns the secure configuration management process within CNA, including developing secure technical specifications and continuously improving posture through governance and technical leadership.
Develops enterprise policy, standards, plans, strategy, and procedures for vulnerability management and secure configuration, ensuring alignment with business, industry, and regulatory requirements and compliance across the enterprise.
Develops and presents VM program metrics, KPIs, KRIs, and other performance reporting measures to communicate risk and program effectiveness to governance and leadership.
Performs detailed analysis of vulnerability data to identify trends, recurring issues, and systemic weaknesses, and prioritizes remediation based on risk and business impact.
Identifies, recommends, and prioritizes measures to manage and remediate vulnerabilities and reduce potential impacts on information resources to acceptable risk tolerances.
Partners with other teams to risk-assess potential impact from vulnerabilities and recommends compensating security controls.
Mentors and develops a team of vulnerability management professionals, fostering continuous learning and operational excellence.
Champions vulnerability management and information security across the organization, increasing awareness and integration with other business areas.
Leadership (30%)
Leads, mentors, and develops an internal vulnerability management team (FTEs and contractors).
Serves as primary point of contact for the MSP, ensuring accountability to SLAs, quality standards, and performance metrics.
Communicates vulnerability risks, trends, and remediation progress to senior leadership, including executives and the Board, in clear business terms.
Partners with application and infrastructure owners to ensure remediation activities are prioritized and executed effectively.
May perform additional duties as assigned.
Reporting Relationship
Typically AVP or above
Skills, Knowledge & Abilities
Strong hands-on expertise with Tenable.sc, Tenable.io, or equivalent enterprise vulnerability scanning tools.
Proven track record of leading vulnerability management programs and teams with expert-level security concepts and strategies and the ability to implement them.
Hands-on experience with enterprise-scale vulnerability management tools across on-premises and cloud environments.
Expertise in identifying, evaluating, and prioritizing vulnerabilities and designing holistic remediation strategies addressing immediate and long-term risks.
Excellent written and verbal communications to work effectively with peers, leadership, and teams; able to convey complex technical and business concepts.
Strong analytical and project management skills.
Proven ability to lead, manage, coach, and develop a team; cross-functional capabilities.
Experience managing MSP relationships, including SLA enforcement and technical oversight.
6+ years in a vulnerability management program with deep understanding of assessment and remediation.
Experience interacting with auditors and regulators.
Comfort working across evolving cloud and on-prem hybrid environments and technologies.
Self-starter with data-driven decision-making and sound judgment to seek guidance when needed.
Expert-level understanding of vulnerability management concepts: risk, severity, exploitability, CVE, CVSS, asset management, secure configuration.
Ability to foster collaborative relationships with stakeholders.
Strong understanding of enterprise, network, endpoint, and application-level security issues and risks.
Solid understanding of operating systems, networking, cloud platforms (GCP, AWS, Azure), and common enterprise stacks.
Education & Experience
Bachelor's degree in Computer Science or related discipline, or equivalent work experience.
Typically, a minimum of ten years’ related work experience in Information Technology.
CISSP, CISM, PMP, Tenable or equivalent certifications preferred.
Compensation
In certain jurisdictions CNA is legally required to include a reasonable estimate of compensation for this role. In the District of Columbia, California, Colorado, Connecticut, Illinois, Maryland, Massachusetts, New York and Washington, the national base pay range for this job level is $97,000 to $189,000 annually. Salary determinations are based on factors including relevant work experience, skills, certifications and location. CNA offers a comprehensive benefits package. For details, please visit cnabenefits.com. CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, contact leaveadministration@cna.com.
Additional
Seniority level: Not Applicable
Employment type: Full-time
Job function: Information Technology
Industries: Financial Services and Insurance