
RAND Corporation Cybersecurity Engineer - Vulnerability Management Lead - Information Security in Pittsburgh, Pennsylvania

Reference #: R2689 Job Type: Regular

Cybersecurity Engineer - Vulnerability Management Lead - Information Security

Summary: Information Security is seeking a skilled Vulnerability Management Lead to manage the development, implementation, and operations of RAND'S vulnerability management program. This role involves identifying, analyzing, and mitigating vulnerabilities, coordinating with stakeholders, and ensuring compliance with industry standards and best practices. The ideal candidate will have a strong background in cybersecurity, project management, and a deep understanding of vulnerability management processes.

Responsibilities:

Vulnerability Management Program Oversight: Develop, implement, and maintain the vulnerability management program, including policies, procedures, and standards. Ensure continuous identification, analysis, and assessment of vulnerabilities across the organization's IT infrastructure, servers, endpoints, applications, cloud and systems. Conduct vulnerability scanning and penetration testing of networks, endpoint systems, and web applications using industry standard tools (e.g., Tenable Nessus, ISS, Foundstone, NMAP). Perform risk assessments for vulnerabilities and protocols in networks, endpoint systems, and web applications. Monitor and report on the status of vulnerability remediation efforts, ensuring timely and effective resolution. Maintain up-to-date knowledge of emerging threats, vulnerabilities, and attack vectors. Recommend network security standards to leadership. Propose architectural improvements, design and integration solutions. Deliver training and awareness programs to educate staff on vulnerability management processes and the importance of maintaining a secure IT environment. Stay current with industry trends, best practices, and new technologies in cybersecurity and vulnerability management.

Communication and Collaboration: Serve as the primary point of contact for vulnerability management-related communications, including coordination of vulnerability scanning, reporting, and remediation activities. Collaborate with technology and research teams across the organization to prioritize and remediate identified vulnerabilities. Work closely with third-party vendors, auditors, and regulatory bodies to ensure compliance with relevant cybersecurity standards and regulations.

Risk Assessment and Mitigation: Ensure that all identified vulnerabilities are documented, tracked, and remediated in accordance with organizational policies. Provide expert advice on the implementation of security controls and countermeasures to mitigate identified risks. Conduct regular risk assessments to identify and quantify vulnerabilities and develop risk mitigation strategies.

Reporting and Metrics: Develop and maintain metrics to measure the effectiveness of the vulnerability management program. Generate and present reports for executive leadership highlighting key trends, risks, and the status of remediation efforts. Regularly review and update vulnerability management processes to ensure they are aligned with current industry standards and organizational needs. Identify opportunities for process improvements and implement changes to enhance the efficiency and effectiveness of the vulnerability management program.

Education: High School Diploma or GED required. Bachelor's degree in Information Technology, Computer Science, or a related field is preferred.

Experience: 5+ years of experience in Information Security/Cybersecurity, with a focus on vulnerability management. Proven experience in managing complex projects and leading cross-functional teams. Experience with vulnerability management tools (e.g., Qualys, Nessus, Rapid7) and processes. In-depth knowledge of cybersecurity technologies, cloud technology, RMF, information assurance and risk management. Experience in project management with a focus on information technology and cybersecurity. Knowledge of cybersecurity regulations and standards, including NIST, PCI, or ISO 27001 security controls in complex enterprise environments. Relevant certifications (e.g., CISSP, Security+, CISM, GSEC, CISA, CRISC, CEH, PMP, ITIL) are desirable. Experience with cloud services, including AWS and Microsoft Azure platforms. Knowledge of tools used for scalability and elasticity of cloud environments. Expertise in DNS, CNAMEs, VPN, and VoIP design, development, and operational support. Proficiency in troubleshooting UNIX and Windows environments.

Qualifications: Strong understanding of cybersecurity audit frameworks, standards, risk management and security controls (e.g., NIST, ISO 27001, CIS Controls). Experience with vulnerability scanning and remediation tools (e.g., Tenable, BigFix). Strong communication, leadership, and problem-solving skills. Self-starter, motivated, with a strong desire to drive prototypes when required. Experience in cloud security, vulnerability management, and use of common security tools. Strong attention to detail and a commitment to delivering high-quality work. Ability to manage multiple priorities.

Security Clearance: Ability to obtain and maintain a Security Clearance.

Location: Santa Monica, Washington or Pittsburgh, or may consider Remote

Salary Range: $117,700 to $179,700. RAND considers a variety of factors when formulating an offer, including but not limited to, the specific role and associated responsibilities; a candidate's work experience, education/training, skills, expertise; and internal equity. The salary range includes base pay plus RAND's sabbatic pay (which provides additional compensation above base pay when vacation is taken). In addition, RAND provides strong benefits including health insurance coverage, life and disability insurance, savings plan, paid time-off and more.

Equal Opportunity Employer: race/color/religion/sex/sexual orientation/gender identity/national origin/disability/vet

Equal Opportunity Employer-minorities/females/veterans/individuals with disabilities/sexual orientation/gender identity
