Description: Business Initiative/Purpose: (Goal, Business Impact, Accomplishments from the work) Need a resource to run all of our governance processes including Vulnerability Remediation Deferrals.
Role Responsibilities: (What they will be doing) Align with priorities that define 'our what' that may change based on business need. Own the end-to-end governance framework for the Vulnerability and Patch Management program, including routines, escalation paths, and decision forums. Design, document, and maintain governance processes, standards, SOPs, and control execution procedures. Lead control lifecycle management activities, including control design, effectiveness validation, issue identification, and remediation tracking. Provide risk-based oversight of vulnerability identification, prioritization, remediation timelines, and exception handling. Own issue management workflows, including root cause analysis, action plan approval, tracking, and formal closure. Facilitate recurring governance routines (weekly, monthly, ad-hoc), ensuring clear decisioning, documentation, and follow-through. Define, monitor, and report KPIs and KRIs related to vulnerability posture, control health, and remediation performance. Partner with operational security teams (Infrastructure, Application Security, Red Team, etc.) to align governance requirements with execution realities. Act as a primary interface for audit, risk, and compliance stakeholders on vulnerability governance topics. Drive continuous improvement by identifying systemic gaps, emerging risks, and opportunities to mature governance effectiveness. Integrate threat intelligence, exploit availability, and external advisories into vulnerability prioritization models to support dynamic risk response. Extend governance oversight to vulnerabilities impacting critical third-party providers and cloud hosted services. Drive patching and vulnerability requirements into the third-party risk management and contractual obligations and assessments. Leads complex and visible projects with moderate to high risk and complexity.
Bachelor Degree: (Required, Preferred or Not Required) Required.
Must Have Skills/Prior Experiences: (Vendor should not submit any candidate that does not have these skills/prior experience.) Skills and Qualifications: 10+ years of experience in cybersecurity, technology risk management, or vulnerability management governance. Demonstrated experience designing and operating governance routines and escalation frameworks. Strong understanding of vulnerability management tooling, patching methodologies, and remediation constraints across infrastructure, cloud, endpoints, and applications Experience with control frameworks and issue management processes. Ability to communicate technical risk clearly and credibly to executive, risk, and regulatory stakeholders. Strong facilitation and negotiation skills across technology, security, compliance, and business teams. Proven ability to drive disciplined governance while enabling business agility. Experience working with systems of record like GRC, ITSM related tools. Strong written communication skills for standards, procedures, and governance documentation. Analytical mindset with experience defining and interpreting metrics and trends. Comfort operating in regulated environments (financial services, or similar). Previous experience in leading complex IT projects.
Nice to Have Skills/Prior Experiences: (Hiring Manager DOES NOT require these skills/ prior experience. However, candidates with any of these will be looked at first.) Direct experience supporting regulatory frameworks (e.g., NYDFS, FFIEC, PCI, SOX, GLBA). Prior second line (oversight) or internal audit experience. Experience standing up new governance functions or maturing immature programs. Familiarity with Red Team, Penetration Testing, or Threat-Driven Risk models. Experience leading or mentoring governance or risk teams. Exposure to executive risk committees or board-level reporting. CISSP Certification.
For applications and inquiries, contact:
[email protected]