Expert Vulnerability Analyst

Responsibilities

• Acts as advisor to upper management in Cybersecurity matters. Provides guidance to Cybersecurity architects in the design and development of security solutions
• Directs security solutions and technical assurance in alignment with business risk and regulatory requirements
• Works closely with management to define and promote the strategic direction of the team. Develops cyber solutions, internal processes and standards for threat intelligence workflow
• Articulates defensive security measures, define new security requirements and develop mitigation techniques to maximize protection and preservation of the Brand
• Advises leadership on the entire range of risk matters facing the department and ensures the mitigation of operational risk. Ensures compliance to audit, regulatory and legal requirements
• Designs metrics models and develops advanced capabilities to ensure confidentiality, integrity, availability, authentication and non-repudiation. Develops unique cybersecurity performance and risk indicators to maintain constant awareness of status of the highly dynamic operating environment
• Mentor and provide leadership to the team ensuring assessments products are risk-based, accurate and meet the enterprise governance / service level agreement requirements.
• Provide expert level guidance and coaching for complex vendor assessments managing the risk appropriately.
• Demonstrate strong understanding of Third Party Risk Management (TPRM) program and associated governance oversight including Issues management.
• Continuously partner to enhance the TPRM Subject Matter Expert (SME) program to perform comprehensive security assessments of third-party vendors to identify risks and vulnerabilities.
• Report the SME program Key Risk Indicator metrics to senior management.
• Demonstrate ability to analyze ISO 27001, SOC 2, SIG, and familiarity with security frameworks such as NIST 800-53, CSF, financial services related regulatory guidance / laws such as GLBA, FFIEC and international regulations such as GDPR.
• Collaborate closely with key stakeholders including internal business partners, second line, auditors, risk officers and vendors as the lead subject matter expert.
• Manage the life cycle of cyber findings / Issues and liaison with stakeholders for permanent remediation.
• Assist in the review and maintenance of TPRM governance Standard documentation related to the program.
• Liaison with Business Information Security Office (BISO) team to optimize workload delivery.
• Actively monitor and escalate risk and customer-impacting issues within the day-to-day role of management.
• Demonstrate excellent value-added communication and technical writing skills.
• Advance knowledge / seek training in the field of information security management including the emerging threat actors’ techniques, tactics, and procedures (TTP).
• Be a frequent value-added in forums and achieve team commitments (and influence the team do the same leading by example) by using informal leadership & advanced communication skills.
• Communicate effectively and promptly every day and lead vendor risk discussions at Discover. Conduct oversight on program impacting decisions. Guide team to achieve key results for the assigned security assessment tasks.
  

Minimum Qualifications

At a minimum, here’s what we need from you:

• Bachelors – Computer Science, Information Security, Business or Analytics or related
• 8+ Years – Information Security, Cybersecurity, Computer Science, Data Analytics or related
• In lieu of a degree, a minimum of 10+ Years of experience in Information Security, Cybersecurity, Computer Science, Data Analytics or related
  

Internal applicants only: technical proficiency rating of expert on the Dreyfus cybersecurity scale

Qualifications

If we had our say, we’d also look for:

• 6+ years in core third party vendor risk management focused on assessment of information security controls, at least 2 years in a leadership role.
• Principles of enterprise risk management lifecycle.
• Familiarity with Incident Response, penetration testing principles, Common Vulnerability Scoring System (CVSS), and MITRE
• GIAC, CISSP or CISM certifications.
• Knowledge of Business Continuity Planning (BCP) / Resiliency principles.
• Familiarity with industry cybersecurity frameworks / standards such as NIST 800-53, PCI-DSS and CSA.
• Notable experience in assessment of technological information security threats and controls and risk tiering based on a risk management framework.
• Understanding of Agile methodology.