Simpson Thacher & Bartlett LLP

Associate Director, Vulnerability Management

  • Full Time
  • $220,000 - $260,000
  • New York, NY
November 11, 2024 Attorney

Job Description

The Associate Director, Vulnerability Management is responsible for developing and managing a risk-based cyber threat and vulnerability management program and will lead a team that provides continuous vulnerability scanning, configuration monitoring, testing, patch management, and reporting. They will collaborate with IT teams and business process owners to ensure gaps are quickly remediated.

The ideal candidate is a technical, hands-on leader with the ability to drive consensus and collaboration among many diverse teams, individuals, and business stakeholders to achieve desired results. They can explain technical concepts in non-technical terms and have excellent interpersonal, leadership, presentation, and collaborative skills. The candidate must be detail-oriented, with the ability to adapt rapidly to new challenges, think creatively and holistically, and quickly resolve unforeseen issues.

Responsibilities
  • Establish, update, and maintain a vulnerability management program based on industry standards & best practices that includes asset discovery, vulnerability scanning, secure configuration monitoring, and remediation or mitigation activity

  • Deliver continuous scanning, identification, and reporting of internal and external attack surface throughout on-prem and cloud-based environments across Firm products, technologies, and networks

  • Recommend, socialize, and gain consensus on minimum patching and vulnerability management standards and policies across Firm IT teams and business stakeholders

  • Lead vulnerability response efforts to address imminent threats and zero-day vulnerabilities 

  • Monitor vulnerability remediation progress and partner with IT teams to provide recommendations for efficient risk remediation or mitigation 

  • Provide regular reporting on the current state of vulnerabilities and configurations throughout the entire environment including acquisitions

  • Monitor, mitigate, and report on additional threats, including supply chain attacks, vulnerabilities in code, unencrypted protocols, digital footprint issues, and other cybersecurity control gaps

  • Manage internal and external penetration testing, red team activities, active port audits, and software audits to identify EOL hardware and software, insecure legacy applications, and otherwise unsafe or unauthorized software

  • Manage a portfolio of scanning, vulnerability management, breach simulation, and reporting tools and ensure that security agents and vulnerability monitoring tools are deployed correctly and operating properly

  • Develop cyber health scoring algorithms and measurement criteria, and build consumable reporting for technical and non-technical stakeholders, Firm leadership, and external clients

  • Responsible for staying informed of industry-leading vulnerability and software security vendors and the latest threats & risks, and for continuously updating the program based on business priorities and available cyber threat intelligence

Education
  • Bachelor’s degree in information security, IT, related discipline, or equivalent experience required

  • Professional certifications such as CISSP, CCSP, CISM, or similar
Skills and Experience
  • 15+ years of experience in an IT or Information Security role, with at least 5 years managing or leading an Information Security vulnerability management function

  • Demonstrated success in program development, project execution, and operational delivery

  • Demonstrated knowledge and expertise in vulnerability assessment, risk management, and cybersecurity frameworks such as NIST, CIS, and OWASP

  • Expert familiarity with the MITRE ATT&CK framework & the CVE/CVSS scoring system

  • Strong technical knowledge of vulnerability scanning and attack surface management tools (e.g., Qualys, Nexpose, Metasploit, AttackIQ, Shodan, etc.)

  • Working knowledge of cloud computing systems (SaaS, PaaS, and IaaS), containers, cloud orchestration

  • Experience working in a global organization and broad knowledge of security domains, technology risk management concepts, and a working knowledge of security and risk frameworks

  • Knowledge of core networking concepts including TCP/IP, firewalls, and network security products

  • Knowledge of common application architectures, design, protocols, and agile deployment methodology and best practices

  • Ability to create and execute a clear strategic vision for vulnerability management that supports and enables business functions

  • Ability to manage multiple concurrent objectives and activities, and make effective judgments in prioritizing and time allocation

  • Must be able to execute with limited information and ambiguity

  • Must have a continuous learning mindset and a demonstrated aptitude for understanding new vulnerabilities, threats, and attack vectors

  • Must be able to build collaborative relationships and be comfortable interacting frequently with leadership and internal/external stakeholders

Salary Information

NY Only: The estimated base salary range for this position is $220,000 to $260,000 at the time of posting.

The actual salary offered will depend on a variety of factors, including without limitation, the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and, if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not eligible for overtime pay.

#LI-Hybrid

Privacy Notice

For information about how Simpson Thacher & Bartlett LLP collects and processes your personal information, please refer to our Privacy Notice available at https://www.stblaw.com/other/privacy-notice.

Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, protected veteran’s status or any other legally protected status. “Gender” includes actual or perceived sex, a person’s gender identity, self-image, appearance, behavior or expression, whether or not that gender identity, self-image, appearance, behavior or expression is different from that traditionally associated with the legal sex assigned to that person at birth. This Policy pertains to every aspect of an individual’s relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.
