Vulnerability Analyst

**Location: Anywhere in Mexico (WFH/Remote)**:** Applications from persons not living in Mexico will NOT be accepted.**

The successful Vulnerability Analyst takes an active lead to inform, advise, and partner with technology leadership and business units to secure the company.

The analyst will regularly report on the state of vulnerabilities including criticality, exploit probability, business impact and remediation to security and IT leadership. This includes all company digital assets that may have weaknesses to allow internal or external threat actors to potentially exploit, which may lead to a breach. The ability to collaborate with multiple teams and take a pragmatic approach, while at the same time possessing a sense of urgency when needed, is essential. The Vulnerability Analyst will support strategic initiatives driven from information security and IT leadership for short

**Essential Job Duties**
- services, cloud services, and third-party assets.
- Work closely with technical and non-technical system owners to advise and support remediation efforts to close vulnerability exposure to new threats in the wild and verify the organization's security posture against them.
- Provide vulnerability education and guidance to stakeholder to prevent new offerings from being at risk of misconfiguration, compromise, or information leakage.
- Supervise testing and validation vulnerability remediation and controls.
- Conduct continuous discovery, vulnerability assessment and remediation status of enterprisewide assets.
- Prioritize vulnerability remediation based on criticality, exploit probability, rating, and business
- risk exposure.
- Document, prioritize, recommend, validate, and report on the state of vulnerabilities.
- Automate asset inventory and vulnerability discovery and reporting.
- Communicate vulnerability results in a manner understood by technical and non-technical staff based on risk tolerance and threat to the business.
- Procure and maintain tools and scripts used in asset discovery and vulnerability status.
- Leverage vulnerability database sources to understand each weakness, its probability, and remediation options, including vendor-supplied fixes and workarounds.
- Collaborate with IT & security groups to form a holistic team dedicated to reducing attack
- surface.
- outcomes.
- Liaise with the security operations team to improve monitoring and response workflow.
- Assist with change management operations to ensure vulnerabilities are not introduced.
- Define key performance indicators and metrics to illustrate efficacy with vulnerability
- management.
- Understand breach and attack simulation solutions for known vulnerabilities and work with the team to validate controls effectiveness.
- Remain current with emerging threats and share knowledge with colleagues to improve security posture.
- Work as a team to consistently learn and share advanced skills and foster team excellence.
- Maintain documentation related to vulnerability policies and procedures.
- Serve as a point of contact for new and existing vulnerability-related issues.

**Skills and Experience**
- 5-7+ years information security administration, vulnerability management, security operations, or IT project/program management.
- Proficient with commercial and open source vulnerability management solutions.
- Understanding of networking protocols and devices.
- Preferably some experience with vulnerability management across cloud environments such as Microsoft Azure, Amazon Web Services, or Google Cloud Platform.
- Experience conducting organization-wide vulnerability scanning and remediation processes.
- Ability to influence technical and non-technical teams and collaborate to reduce attack surface.
- Capable of scripting in Python, Bash, Perl, or PowerShell preferred.
- Understanding of OWASP, CVSS, the MITRE ATT&CK framework and the software development lifecycle.
- Capacity to comprehend complex technical infrastructure, managed services, and third-party dependencies.
- Track record of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating effectively.
- Experience with one or more of the following frameworks a plus: NIST, ISO 27001, PCI DSS,
- HIPAA, HITECH, SOX, GDPR, CCPA, CIS, or SOC 2.
- Self-starter requiring mínimal supervision.
- Analytical and problem-solving mindset.
- Highly organized and efficient.
- Demonstrated strategic and tactical thinking, along with decision-making skills and business acumen.

**Education Requirements**
- Preferably higher education with a technical focus such as information security, IT, management information systems, or equivalent industry experience.

**Certification Requirement**
- CISSP, CRISC, GCED, GCCC, GPEN, GCIH, GCIA, GEVA, CND, ECIH, CSA, CEH, CySA+, or PMP preferred.