Job description
Business type
Types of Jobs - IT, Digital and Data
Job title
Vulnerability Management Team Lead – Vice President
Contract type
Permanent Contract
Job summary
Summary
The Head of Vulnerability Management will lead the enterprise-wide vulnerability detection, assessment, and remediation efforts to safeguard the bank’s infrastructure, applications, and data. This role will develop and execute a risk-based vulnerability management program that aligns with regulatory requirements and industry best practices. The ideal candidate will work cross-functionally to drive remediation efforts, enhance security posture, and provide executive-level reporting on vulnerabilities and risk exposure. This position requires a strong leader with deep technical expertise and experience in financial sector cybersecurity governance.
Key Responsibilities
Vulnerability Program Leadership
o Develop and manage the enterprise vulnerability management strategy, ensuring alignment with security frameworks and regulatory requirements.
o Establish policies, procedures, and standards for vulnerability identification, assessment, and remediation.
o Maintain executive-level reporting on vulnerability trends, risk posture, and remediation effectiveness.
o Continuously evaluate and enhance program maturity through automation and process improvements.
Vulnerability Scanning & Assessment
o Manage enterprise-wide vulnerability scanning tools and processes to detect security weaknesses.
o Perform regular scanning and testing across infrastructure, applications, and cloud environments.
o Analyze scan results to prioritize vulnerabilities based on risk, exploitability, and regulatory impact.
o Ensure comprehensive coverage of all assets through asset discovery and inventory validation.
Remediation & Risk Mitigation
o Collaborate with IT, DevOps, and application teams to ensure timely remediation of identified vulnerabilities.
o Develop and track key performance indicators (KPIs) to measure remediation effectiveness.
o Provide guidance on compensating controls and risk acceptance when remediation is not immediately feasible.
o Establish escalation processes for high-risk vulnerabilities requiring urgent action.
Threat Intelligence & Vulnerability Prioritization
o Integrate threat intelligence feeds to correlate vulnerabilities with real-world threats and exploits.
o Align vulnerability management efforts with emerging threats, zero-day vulnerabilities, and adversarial tactics.
o Leverage frameworks such as MITRE ATT&CK to enhance risk-based prioritization.
o Coordinate with incident response teams to analyze vulnerabilities exploited in security incidents.
Compliance & Regulatory Alignment
o Ensure adherence to financial industry regulations, including FFIEC and NYDFS.
o Support internal and external audits by providing evidence of vulnerability management controls.
o Maintain documentation of vulnerability management activities for compliance reporting.
o Align remediation efforts with compliance deadlines and security control objectives.
Supplementary Information
· Tooling & Automation
o Manage and optimize vulnerability scanning tools such as Qualys, Tenable, or Rapid7.
o Automate vulnerability detection and remediation workflows through scripting and integration with security orchestration tools.
o Evaluate emerging technologies to enhance vulnerability management capabilities.
o Work with IT teams to embed security into DevSecOps pipelines.
· Stakeholder Communication & Training
o Act as the primary point of contact for vulnerability management across business and IT units.
o Deliver executive briefings on risk posture and remediation progress.
o Conduct training sessions for developers, IT teams, and security personnel on secure coding and vulnerability remediation best practices.
o Foster a culture of security awareness by promoting proactive risk management.
Salary Range: $150k - $180k
Position location
Geographical area
America, United States Of America
City
NEW YORK
Candidate criteria
Minimal education level
Bachelor Degree / BSc Degree or equivalent
Academic qualification / Speciality
Bachelor’s degree in Cybersecurity, Information Technology, Business Administration, or a related field.
Advanced degree (MBA, MS) is strongly preferred.
Relevant industry certifications (CISSP, CISM, GIAC) are strongly preferred.
Level of minimal experience
11 years and more
Experience
Minimum 10+ years of experience in information security or related field.
At least 3 years of experience in a senior leadership role within the banking or financial services industry.
Required skills
Core Competencies
Experience & Expertise
o 7+ years of experience in cybersecurity, with at least 3 years in vulnerability management or related roles.
o Strong knowledge of vulnerability assessment methodologies, risk frameworks (NIST, CIS, ISO 27001), and regulatory compliance in banking.
o Hands-on experience with vulnerability scanning tools such as Qualys, Tenable, Rapid7, or similar.
o Familiarity with penetration testing, threat intelligence, and exploit development concepts.
o Experience working in highly regulated environments with strict security and compliance requirements.
Technical Skills
o Proficiency in security automation using scripting languages (Python, PowerShell, Bash).
o Strong understanding of network security, cloud security (AWS, Azure, GCP), and secure application development practices.
o Knowledge of patch management processes and security hardening guidelines.
o Ability to analyze vulnerabilities, assess risk, and communicate technical findings to business leaders.
Soft Skills & Leadership
o Strong leadership and project management skills, with experience leading vulnerability remediation efforts.
o Excellent communication and stakeholder management skills, with the ability to influence technical and non-technical teams.
o Analytical mindset with a proactive approach to problem-solving and risk mitigation.
o Ability to thrive in a fast-paced, high-stakes environment with competing priorities.
Technical skills required
Incident Management: Ability to analyze, prioritize, and manage security incidents effectively.
Strategic Thinking: Ability to align cyber risk initiatives with business objectives.
Communication and Documentation: Strong ability to ensure thorough documentation and clear communication about security operations activities.
Leadership and Team Management: Proven track record of building and leading high-performing teams.
Regulatory Compliance: Expertise in navigating banking regulations.
Technical Knowledge: Strong knowledge of information security technologies such as vulnerability scanning tools and threat intelligence tools.
Investigations: Strong knowledge of leading security investigations.
Cybersecurity Frameworks: Deep understanding of frameworks such as the NIST Cybersecurity Framework.
Policy and Procedure Development: Proficiency in drafting and enforcing policies, procedures, and playbooks.
Industry Thought Leadership: Recognized as a subject matter expert in the cybersecurity or risk management space.