University of Southern California
Lead Analyst, Attack Surface Management (ASM)
University of Southern California, Glendale, California, US, 91222
Information Technology Services (ITS), Los Angeles, California. Remote.
ABOUT THE DEPARTMENT
The University of Southern California (USC) is advancing its cybersecurity posture with a renewed focus on resilience, cyber risk management, and threat-informed defense. As a world-class research institution, USC is building a culture of security that supports its academic and research mission in a rapidly evolving threat landscape. This role sits within a newly restructured cybersecurity organization that is leading this transformation. You'll join a team focused on scalable, proactive defense strategies, incident preparedness, and operational excellence, working alongside experts who are deeply committed to service, innovation, and impact. If you're driven by purpose, thrive in complexity, and want to help shape the future of cybersecurity at a leading university, we invite you to bring your leadership to the table.
POSITION SUMMARY
As the Lead Analyst, Attack Surface Management (ASM), you will be an integral member of the cybersecurity department while also collaborating with stakeholders across the university ecosystem and reporting to the ASM Manager. This is a full-time exempt position, eligible for all of USC's fantastic benefits and perks. This opportunity is remote. The Lead Analyst, Attack Surface Management (ASM) will be responsible for identifying, assessing, and mitigating security vulnerabilities across the organization's systems, networks, and applications, supporting attack surface management operations. Conducting vulnerability assessments, penetration testing, compliance, and risk-management activities. Overseeing the university's attack surface and vulnerability lifecycle management process, focusing on continuous improvement to mitigate risks associated with vulnerabilities, application security, and cyber-threat intelligence. Developing and implementing remediation strategies to address vulnerabilities and minimize the university's attack surface. Directly supporting program maturity efforts and playing a key role in integrating threat intelligence into the broader university environment.
RESPONSIBILITIES
Oversee the vulnerability lifecycle management process (e.g., detection, monitoring, reporting, and assessing the impact of vulnerabilities). Support regular vulnerability assessments and scans to identify security weaknesses in systems, applications, networks, and OT/IoT environments. Develop and implement remediation strategies to address vulnerabilities and minimize the university's attack surface. Implement remediation required by audits and engage with DSUs to advise on remediation strategies of vulnerabilities. Collaborate with IT teams and stakeholders to validate effective end-to-end vulnerability remediation and maintain a consistent customer experience. Work with VM managed service teams, manage daily operations and communications, evaluate vulnerability trends in third-party applications and services, and collaborate with managed service providers as needed. Serve as an ASM subject matter expert, formulating and prioritizing intelligence requirements according to an established risk-management framework. Participate in and influence the roadmap for the university's vulnerability management program. Collaborate on detailed reports on vulnerabilities, their impact, and the status of remediation efforts, communicating findings to stakeholders. Provide expertise to help develop and maintain vulnerability and attack surface management policies, procedures, and best practices for the university. Maintain awareness of current changes within legal, regulatory, and technology environments that may affect operations. Stay informed about emerging threats and vulnerabilities that impact the organization's attack surface. Keep knowledge of emerging vulnerabilities, exploits, and remediation techniques. Encourage a workplace culture where all employees are valued, respect others, and have the opportunity to contribute through ideas, words, and actions, in accordance with the USC Code of Ethics.
MINIMUM QUALIFICATIONS
5 years in attack surface and vulnerability management. Bachelor's degree or combined experience/education as a substitute for minimum education. Knowledge of frameworks: NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001, MITRE ATT&CK, OWASP Top Ten, CIS Controls, COBIT, SANS Critical Security Controls, PCI DSS, NIST SP 800-53, and ITIL. Strong understanding of ASM/vulnerability management, security testing practices, and methodologies. Understanding and technical knowledge of cyber defense concepts, e.g., incident response, security monitoring, cyber-threat intelligence, attack surface and vulnerability management. Understanding of operational technology environments and security requirements needed to manage the broader attack landscape across the university. Experience building infrastructure and application vulnerability management programs. Experience deploying and operating vulnerability scanning infrastructure and services and deep understanding of vulnerability scanning platforms. Comprehensive knowledge of cloud-native vulnerability practices in AWS, Azure, and SaaS platforms and associated security challenges. Ability to assess business risks and recommend suitable cybersecurity measures. Experience managing vulnerability assessment tools. Knowledge of system, application, and database hardening techniques. Strong communication and interpersonal skills, enabling effective interaction across all organizational levels, along with proven analytical and problem-solving abilities, and exceptional attention to detail. Project management experience with a track record of leading complex security initiatives, coupled with the ability to teach and train others effectively. Ability to work with teams across the cybersecurity function, with managed service providers, and with IT teams across the university. Ability to work evenings, weekends, and holidays as the schedule dictates.
PREFERRED QUALIFICATIONS
7 years of related experience. Bachelor's degree or combined experience/education as a substitute for minimum education. Experience working in higher education or complex, decentralized environments. CISSP, GCIH, GPEN, Security+, or similar certifications.
SALARY AND BENEFITS
The annual base salary range for this position is $162,315.11 to $201,452.98. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate's work experience, education/training, key skills, internal peer alignment, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations. USC provides benefits-eligible employees with a broad range of perks to help protect the health, wealth, and future of our faculty and staff. For more information on USC's comprehensive benefits, visit the university website. Join the USC cybersecurity team within an environment of innovation and excellence.