Macy's - Johns Creek, GA
posted 9 days ago
About the position
The Manager, Vulnerability Management provides strategic direction and collaborates across enterprise teams to develop, coordinate, elevate, and streamline the vulnerability management program. They draw on extensive experience in vulnerability management and penetration testing to ensure the program's continuous improvement. This role oversees the enhancement of vulnerability platforms, works closely with security and business teams to create innovative risk mitigation strategies, and ensures compliance with established policies. The Manager also communicates key metrics to senior leaders and remediation teams across the enterprise. They possess expertise in a variety of security testing tools, including BurpSuite, HP WebInspect, Core Impact, Tenable, MetaSploit, and Qualys. Additionally, they are well-versed in penetration testing, vulnerability scanning, and red teaming methodologies. The Manager is capable of explaining vulnerabilities and weaknesses in the CISA KEV, OWASP Top 10, and CWE 25 to diverse audiences and discussing effective defensive techniques.
Responsibilities
- Improve and enhance vulnerability reporting to key stakeholders, including business leaders, by clearly articulating and prioritizing risk and impact to drive remediation efforts.
- Manage vulnerability scanning schedules, oversee remediation tracking, coordinate penetration test scheduling, and organize purple team exercises.
- Lead the team in improving and automating processes wherever possible.
- Design and lead red team exercises, focusing on stealth, long-term campaigns, social engineering, and realistic threat scenarios.
- Develop and implement metrics, analytics, and reporting systems, while creating a roadmap for continuous program improvement.
- Design and conduct various testing and simulations-including penetration tests, technical control assessments, and blue team exercises-to ensure alignment with Macy's strategies.
- Provide support for incident response and architecture review processes when application or vulnerability security expertise is required.
Requirements
- Strong knowledge of regulatory compliance requirements, including PCI-DSS, SOX, and GLBA.
- Advanced knowledge in security infrastructure design and architecture for both new implementations and existing infrastructure.
- Experience in designing and implementing enterprise-wide security strategies, policies, and standards.
- Experience protecting large enterprise environments from internal and external attacks.
- Strong understanding of network, physical, application, and web security as it relates to vulnerability management.
- Advanced knowledge of common vulnerabilities, testing approaches, and remediation strategies.
- Expert understanding of current and emerging security technologies, defense strategies, and industry standards.
- Advanced leadership, facilitation, and interpersonal skills to work across functional lines and at various levels.
- Excellent written and verbal communication skills, with the ability to read, write, and interpret instructional documents.
- One or more certifications such as CISSP, CEH, Secure+, OCSP, GPEN, CISA, CISM, GWAPT, GXPN etc. preferred.
Nice-to-haves
- Candidates with a bachelor's degree or equivalent work experience in a related field are encouraged to apply.
- 8-10 years of experience in Information Security or an equivalent combination of education and experience.
Benefits
- An inclusive, challenging, and refreshingly fun work environment
- Competitive pay and benefits rooted in principles of equity
- Performance incentives and annual merit review
- Merchandise discounts
- Health and Wellness Benefits across medical, dental, vision, and additional insurance
- Retirement Savings Plan with 401k match opportunity
- Employee Assistance Program (mental health counseling and legal/financial advice)
- Resources for continuous learning, career growth, and leadership development
- 8 paid holidays
- Paid Time Off (first year prorated depending on start date)
- Tuition reimbursement program
- Guild education benefit funds 100% of tuition, books, and fees in designated programs
- Colleague Resource Groups (CRGs) and give-back/volunteer opportunities
- Empowerment and autonomy to perform impactful work with tangible results
