You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential.
Leadership position responsible for transforming and accelerating Vulnerability Management (VM) into a core information security strength. This position plays a pivotal role in safeguarding CNA’s assets by leading an enterprise-wide VM program and team, developing strategy, driving priorities and initiatives with partners, and managing vulnerabilities per organizational risk tolerance across on-premises and cloud environments. This role blends deep technical expertise (70%) with strategic leadership (30%), ensuring vulnerabilities across our environment are identified, prioritized, and remediated in a timely manner. This role demands a strategic mindset, robust technical aptitude, and the ability to communicate risk and remediation status effectively throughout the business. The ideal candidate will thrive in a fast-paced environment, demonstrate exceptional technical depth, and possess strong leadership skills to influence across technical and business teams.
JOB DESCRIPTION:
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
Owns and operates the enterprise vulnerability management program, including vulnerability scanning, reporting, and remediation tracking.
Builds and nurtures strong partnerships with asset owners and managed service providers to drive vulnerability remediation, mitigation, reduce exposure and potential business impact, and ensure secure asset configurations.
Accountable for the vulnerability remediation process within CNA, which may include vulnerabilities discovered through, but not limited to, vulnerability scanning, ethical hacking, threat intelligence, application security, responsible disclosure, etc.
Holistically owns the secure configuration management process within CNA, which may include working with various teams in developing secure technical specifications for technologies, assessing the environment against those specifications, and continuously improving the posture through governance and technical leadership.
Develops enterprise policy, standards, plans, strategy, and procedures with specific regard to vulnerability management and secure configuration in alignment with business, industry, and regulatory requirements, ensuring adherence across the enterprise to avoid audit findings and compliance gaps.
Develops and presents VM program metrics, KPIs, KRIs, and other applicable performance reporting measures to communicate risk and program effectiveness to governance and leadership.
Performs detailed analysis of vulnerability data to identify trends, recurring issues, and systemic weaknesses, and uses this analysis to prioritize remediation efforts based on risk and business impact.
Serves as primary point of contact and escalation for the MSP, holding them accountable to SLAs, quality standards, and performance metrics.
Communicates vulnerability risks, trends, and remediation progress to senior leadership, including executives and the Board, in clear business terms.
May perform additional duties as assigned.
Skills, Knowledge & Abilities
Expertise in identifying, evaluating, and prioritizing vulnerabilities within CNA's environment, paired with the capability to design and implement holistic remediation strategies that effectively address both immediate and long-term risks across CNA.
Excellent written and verbal communications and interpersonal skills to work effectively with peers, leadership, and subordinates. Must be able to clearly communicate complex technical and business concepts both to business partners, internal and external teams, and leadership.
Proven ability to effectively lead, manage, coach, and develop a team. This includes both direct leadership but also cross-functional capabilities.
Expert-level understanding of key vulnerability management and information security concepts, such as: risk, severity, exploitability, CVE, CVSS, asset management, secure configuration management, etc.
Strong understanding of enterprise, network, endpoint, and application-level security issues and risks.
Solid understanding of operating systems (Windows, Linux, Unix), networking, cloud platforms (GCP, AWS, Azure), and common enterprise application stacks.
In certain jurisdictions, CNA is legally required to include a reasonable estimate of the compensation for this role. In District of Columbia, California, Colorado, Connecticut, Illinois, Maryland, Massachusetts, New York and Washington, the national base pay range for this job level is $97,000 to $189,000 annually. Salary determinations are based on various factors, including but not limited to, relevant work experience, skills, certifications and location. CNA offers a comprehensive and competitive benefits package to help our employees – and their family members – achieve their physical, financial, emotional and social wellbeing goals. For a detailed look at CNA’s benefits, please visit cnabenefits.com.
CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact leaveadministration@cna.com.