Director

Full Time
Atlanta, GA 30328
Posted: Just posted
Job description
Cox Automotive is seeking to hire a Director, Vulnerability Management to join the ERS team in either North Hills, NY or Atlanta, GA. This position will report to the AVP, Cybersecurity and will directly manage a team of Vulnerability Management and offensive security specialists. The Director of Vulnerability Management will be responsible for developing and maintaining a Vulnerability Management Program that spans across the entire global Cox Automotive enterprise and will be responsible for managing policies associated with the identification and remediation of infrastructure vulnerabilities.

Key Responsibilities
  • Leads team to build highly scalable and API-integrated solutions for vulnerability management to provide services across the enterprise that are frictionless and easily adopted by delivery teams.
  • Maintains and modifies policies associated with the identification and remediation of infrastructure vulnerabilities, and delivers metrics to management to demonstrate vulnerability management improvement across the organization.
  • Ensure company-wide Vulnerability Management security initiatives/policies are understood, implemented and monitored by Cox Automotive stakeholders in the various business units.
  • Work in close partnership with senior business and technology management, network and infrastructure administrators on implementing vulnerability and risk remediation and/or mitigation plans.
  • Review and coordinate remediation of, and response to, vulnerabilities identified during external audits, assessments, and penetration tests.
  • Retain approval and acceptance authority over vulnerability exceptions and remediation timeline extensions.
  • Monitor the risk and vulnerability landscape to identify and prioritize new (zero-day) exploits, as well as existing vulnerabilities, which could cause harm to the organization. They will work collaboratively with various teams to remediate or mitigate risks in a timely manner.
  • Build an offensive security program with in-house penetration testers. Develop and maintain tools and scripts used in penetration-testing and red team processes. Mature the Bug Bounty program.
  • Collaborate with IT and Engineering teams across the organization to improve vulnerability discovery capabilities, asset management, and IT hygiene.
  • Lead team in maturing automation capabilities across VM tool sets and building bi-directional feeds of asset information into CMDB systems to keep inventory always current.
  • Work closely with the Cybersecurity - Threat Intel and Response team to leverage threat intelligence sources, identify new threats in the wild and verify the organization's security posture against them.
  • Regularly research and learn new TTPs in public and closed forums, and work with teammates to assess risk and implement and validate controls as necessary.
  • Understand breach and attack simulation (BAS) solutions and work with the team to validate controls effectiveness.
  • Liaise with the Cyber Defense, Intel and Response teams to improve tool usage and workflow, as well as with the advanced threats and assessment team to mature monitoring and response capabilities.
  • Train offensive and defensive colleagues on new TTPs and mentor junior teammates.
  • Perform other duties as assigned.



Knowledge, Experience & Qualifications
  • BA/BS Degree, preferably formal studies in Computer Science or Information Systems or equivalent + 10 or more years of relevant work experience required in related field
  • OR MS degree + 8 years of experience
  • OR Ph.D. degree + 5 years of experience
  • OR 14+ years of experience with no degree
  • Well versed in cloud native technologies running in AWS, Azure, GCP, OCI
  • Strong domain knowledge on containers, CI/CD, and all types of cloud infrastructure
  • Ability to work in a fast-paced and dynamic environment
  • Excellent organizational, project management and follow-up skills
  • Ability to build effective working relationships at all levels of the organization
  • Proven experience running a Technology Vulnerability Management Program as either a manager or lead analyst/engineer
  • Strong analytical skills; ability to evaluate information, rapidly break it down and arrive at meaningful conclusions
  • Experience with external attack surface management systems and/or CMDB solutions
  • Experience with application and system vulnerability management solutions such as Qualys, Nessus, Veracode, BurpSuite, HP Fortify (WebInspect), IBM AppScan, Kali Linux, w3af, Splunk
  • Technical understanding of IP based networks, operating systems, wireless technologies, internet-facing applications
  • Deep technical understanding of the OWASP Top 10 and application security
  • Strong communication skills; person in this role must be able to successfully communicate with management personnel, technical personnel and third parties and explain vulnerabilities and risk in both technical and business terms.
  • CISA, CISSP, CISM, CCSP, OSCP, GSEC or other security certification(s).



About Cox Automotive

At Cox Automotive, people of every background are driven by their passion for mobility, innovation and community. We transform the way the world buys, sells, owns and uses cars, accelerating the industry with global powerhouse brands like Autotrader, Kelley Blue Book, Manheim and more. What's more, we do it all with an emphasis on employee growth and happiness. Drive your future forward and join Cox Automotive today!

About Cox

Cox empowers employees to build a better future and has been doing so for over 120 years. With exciting investments and innovations across transportation, communications, cleantech and healthcare, our family of businesses - which includes Cox Automotive and Cox Communications - is forging a better future for us all. Ready to make your mark? Join us today!

Benefits of working at Cox may include health care insurance (medical, dental, vision), retirement planning (401(k)), and paid days off (sick leave, parental leave, flexible vacation/wellness days, and/or PTO). For more details on what benefits you may be offered, visit our benefits page.

Cox is an Equal Employment Opportunity employer - All qualified applicants/employees will receive consideration for employment without regard to that individual's age, race, color, religion or creed, national origin or ancestry, sex (including pregnancy), sexual orientation, gender, gender identity, physical or mental disability, veteran status, genetic information, ethnicity, citizenship, or any other characteristic protected by law. Cox provides reasonable accommodations when requested by a qualified applicant or employee with disability, unless such accommodations would cause an undue hardship.

Statement to ALL Third-Party Agencies and Similar Organizations: Cox accepts resumes only from agencies with which we formally engage their services. Please do not forward resumes to our applicant tracking system, Cox employees, Cox hiring manager, or send to any Cox facility. Cox is not responsible for any fees or charges associated with unsolicited resumes.
