CNA is seeking a Director of Vulnerability Management to lead the transformation and acceleration of our Vulnerability Management program into a core information security strength. This leadership role combines 70% deep technical expertise with 30% strategic leadership, ensuring vulnerabilities across our global, hybrid environment are identified, prioritized, and remediated effectively.
What You'll Do
- Lead and execute a comprehensive Vulnerability Management program throughout a global technology organization leveraging legacy and modern assets and applications located on-premises and in the cloud.
- Own and operate the enterprise vulnerability management program, including vulnerability scanning, reporting, and remediation tracking.
- Build and nurture strong partnerships with asset owners and managed service providers to drive vulnerability remediation, mitigate risk, and ensure secure asset configurations.
- Oversee and technically validate the MSP’s delivery of vulnerability scanning and assessments using Tenable tools.
- Be accountable for the vulnerability remediation process within CNA, which may include vulnerabilities discovered through scanning, ethical hacking, threat intelligence, and other sources.
- Holistically own the secure configuration management process, working with various teams to develop secure technical specifications and continuously improve posture.
- Develop enterprise policy, standards, plans, and strategy for vulnerability management and secure configuration in alignment with business and regulatory requirements.
- Develop and present VM program metrics, KPIs, KRIs, and performance reporting to communicate risk and program effectiveness to governance and leadership.
- Perform detailed analysis of vulnerability data to identify trends, recurring issues, and systemic weaknesses, and use this analysis to prioritize remediation efforts.
- Identify, recommend, and prioritize appropriate measures to manage and remediate vulnerabilities to acceptable risk tolerances.
- Partner with other teams to assess the potential impact of vulnerabilities and recommend compensating security controls.
- Mentor and develop a team of vulnerability management professionals, fostering a culture of continuous learning and operational excellence.
- Be a champion for vulnerability management and information security, broadening awareness and education of security best practices.
- Serve as the primary point of contact and escalation for the MSP, holding them accountable to SLAs, quality standards, and performance metrics.
- Communicate vulnerability risks, trends, and remediation progress to senior leadership, including executives and the Board, in clear business terms.
- Partner with application and infrastructure owners to ensure remediation activities are prioritized and executed effectively.
What We're Looking For
- 6+ years in a vulnerability management program, with expertise in assessing, prioritizing, and driving remediation activities.
- Typically, a minimum of ten years’ related work experience in Information Technology.
- Strong hands-on expertise with Tenable.sc, Tenable.io, or equivalent enterprise vulnerability scanning tools.
- Proven track record of leading vulnerability management programs and teams with expert-level knowledge of security concepts and strategies.
- Expert-level understanding of key vulnerability management and information security concepts, such as: risk, severity, exploitability, CVE, CVSS, asset management, and secure configuration management.
- Hands-on experience with leading vulnerability management tools at enterprise scale and strong technical understanding assessing vulnerabilities in legacy and modern assets on-premises and in the cloud.
- Solid understanding of operating systems (Windows, Linux, Unix), networking, cloud platforms (GCP, AWS, Azure), and common enterprise application stacks.
- Strong understanding of enterprise, network, endpoint, and application-level security issues and risks.
- Excellent written and verbal communication and interpersonal skills to work effectively with peers, leadership, and subordinates.
- Strong analytical and project management skills.
- Proven ability to effectively lead, manage, coach, and develop a team, including both direct leadership and cross-functional capabilities.
- Proven experience managing MSP relationships, including SLA enforcement and technical oversight.
- Experience interacting with auditors and regulators.
- Experience and comfort working across evolving cloud and on-premises hybrid environments and technologies.
- Self-starter with the ability to make independent data-driven decisions and the judgment to know when to seek guidance.
- Ability to foster collaborative, open, working relationships with stakeholders.
- Bachelor's degree in Computer Science, or related discipline, or equivalent work experience.
Nice to Have
- CISSP, CISM, PMP, Tenable or equivalent certifications.
Technical Stack
- Vulnerability Management: Tenable.sc, Tenable.io
- Cloud Platforms: GCP, AWS, Azure
- Operating Systems: Windows, Linux, Unix
Team & Environment
You will lead an internal vulnerability management team consisting of FTEs and contractors. This leadership position reports to a senior-level leader, typically an AVP or above.
Benefits & Compensation
- CNA offers a comprehensive and competitive benefits package to help our employees – and their family members – achieve their physical, financial, emotional and social wellbeing goals.
- Compensation: $97,000 to $189,000 annually (national base pay range for specified states/jurisdictions).
Work Mode
This position is fully remote.
CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process.