Workplace Policy Hybrid Job ID 2025-5620 Date posted 08/18/2025 Overview:

The Vulnerability Management Specialist is an advanced, hands-on practitioner and representative of the cyber security defense team. The role is technical, and candidates must possess a solid understanding of information security and preferably have held positions in cyber security and systems administration. The role also requires an understanding of business and governance process. Vulnerability management analysts are responsible for the overall management lifecycle of the program. They must understand applications, operating systems, networking, cloud infrastructure and basic attacker tactics, techniques and procedures (TTPs). Additionally, analysts are expected to maintain a high level of rigor to stay up-to-date with advancements in technology, while also retaining knowledge of older systems and applications in use.

Vulnerability Management Specialists understand that legacy and present-day systems and applications may have weaknesses that can be exploited by external threat actors and potentially lead to a breach. Given that vulnerability management and risk exposure extend across all technical systems enterprise-wide, responsibilities of this position include identifying assets and vulnerabilities, reporting, remediation and continuous assessment. The position must collaborate with others on the team for remediation and additional validation, as well as contribute to other collaborative approaches driven by the security team strategy.

Vulnerability Management Specialists are expected to manage strategic initiatives for short- as well as long-term plans to identify and reduce the attack surface across applications and systems. Use of automated tools to identify, assess and report is expected, with emphasis placed on effective communication to constituents relying on applications and systems that support their business. Vulnerability management analysts take an active lead to inform, advise and partner with business units to help better secure their operations.

Principle Duties and Responsabilities:

• Manage and independently detect, prioritize, and remediate identified vulnerabilities across applications, endpoints, databases, networking devices, and mobile, cloud and third-party assets.
• Conduct continuous independent discovery and vulnerability scans/security assessments of enterprise-wide assets, and proactive control testing.
• Document, prioritize, and formally report asset and vulnerability state, along with remediation recommendations and validation.
• Formalizing a process for communicating vulnerability results and security patch releases in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business.
• Procure and maintain tools and scripts used in asset discovery and vulnerability status.
• Leverage vulnerability database sources to understand each weakness, its probability and remediation options, including vendor-supplied fixes and workarounds.
• Work as a team to consistently learn and share advanced skills and foster team excellence.
• Actively collaborate with MSSP to develop, maintain, and enhance cyber security controls.
• Partner with senior leaders from lines of business organizations to triage security events and report on impacting security initiatives.
• Support and monitor patch management compliance across the infrastructure to align to audit requirements.
• Collaborate with security groups such as red teams, threat intelligence and risk management to form a holistic team dedicated to thwarting attackers and reducing attack surface.
• Work closely with infrastructure teams to advise and support remediation efforts to close vulnerability exposure to new threats in the wild and verify the organization’s security posture against them.
• Regularly research and learn new TTPs in public and closed forums, and work with colleagues to assess risk, implement/validate controls, and update procedures as necessary.
• Maintain an active database comprising third-party assets, their vulnerability state, remediation recommendations, overall security posture and potential threat to the business.
• Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of misconfiguration, compromise or information leakage.
• Periodically attend and participate in change management policy discussions and meetings.
• Reporting on KRI/KPI status and compliance monitoring activities.
• Understand breach and attack simulation solutions for known vulnerabilities and work with the team to validate controls effectiveness.
• Liaise with the security engineering team to improve tool usage and workflow, as well as with the advanced threats and assessment team to mature monitoring and response capabilities.
• Possess a thorough understanding of CIS Controls and how it’s used to harden computers, databases, and network devices.
• Possess a thorough understanding of Group Policy Objects and how it’s implemented and used to harden computers.
• Assist multiple teams on the implementation of configuration management for security hardening.
• Report on computers and devices that deviate from preapproved configuration management security standards.
• Contribute to the development of security policy and procedures.
• Identifying vulnerabilities in the environment that must be addressed according to risk, age, and susceptibility. Provide best practice guidance on vulnerability assessments and remediation.
• Perform other duties as assigned.

Qualifications:

• 5-7 years experience in information security administration, vulnerability management or security operations. Required
• Proficient with vulnerability management solutions such as Qualys, Nexpose, Nessus, Kenna Security, Tanium and open source.
• Experience stabilizing systems to run minimal application requirements, least privilege and additional host hardening.
• Understanding of Windows and Unix/Linux operating systems, endpoint applications, networking protocols and devices.
• Preferably some experience with vulnerability management across Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).
• Experience conducting organization-wide vulnerability scanning and remediation processes.
• Ability to obtain and maintain technical team and business support to influence a collaborative effort to reduce attack surface.
• Knowledge of one or more compliance standards, including Payment Card Industry (PCI), Health Information Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), National Institute of Standards (NIST) or International Standards Organization (ISO).
• Capable of scripting in Python, Bash, Perl or PowerShell.
• Understanding of OWASP, CVSS, the MITRE ATT&CK framework and the software development lifecycle.

Licenses & Certifications

The following credentials, licenses, and/or degrees are desired but not required if appropriate experience exists:

• GIAC Critical Controls Certification (GCCC)

• GIAC Certified Enterprise Defender (GCED)

• GIAC Penetration Tester (GPEN)

• GIAC Certified Incident Handler (GCIH)

• Certified Information Systems Security Professional (CISSP)

• Certified in Risk and Information Systems Control (CRISC)

• Technical certifications for industry recognized vulnerability management solutions (i.e., Qualys, Nexpose, Nessus, Kenna, Tanium, etc.)

Education:

• Bachelor's Degree in Computer Science, or related discipline. Preferred

Special information to candidates:

• Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities.
• Please view Equal Employment Opportunity Posters provided by OFCCPhere.
• The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)
• Reasonable accommodation may be made to assist individuals with disabilities to complete the online application process. Please contact our Human Resources Department at 305-577-7680 or by e-mail at employment@citynational.com.