Vulnerability Management Program Manager

Chelsea, MA Remote Full Time
POSTED ON 1/7/2024

The Executive Office of Technology Services and Security (EOTSS) is the state’s leading office for information technology. We provide enterprise level information technology services including network management and security; computer operations; application hosting; desktop provisioning and management; and modern and responsive digital services to 40,000 internal stakeholders plus the residents, business owners and visitors to the Commonwealth of Massachusetts.

EOTSS is seeking to hire a Vulnerability Management Program (VMP) Manager to join the EOTSS Security Operations Vulnerability Management Team. The Vulnerability Management Program Manager will be primarily responsible for assisting the Director of Security Operations in managing and reporting on team activities and projects that support internal and external vulnerability scanning, perimeter assessments, and timely vulnerability remediation for the Executive Office of Technology Services and Security. The Vulnerability Management Program Manager will be responsible for contributing to the analysis, development, and implementation of standards-based vulnerability and risk management control frameworks and technologies for the Commonwealth’s Information Security infrastructure and applications. This individual will serve as a senior internal information security resource, providing guidance, leadership & security strategy, while actively managing and mentoring a team of administrators and analysts.

The primary work location for this role will be 200 Arlington Street Chelsea, Massachusetts 02150. The work schedule for this position is Monday thru Friday, 9AM to 5PM EST. This position would be expected to follow a hybrid model of reporting to work that combines in-office workdays and work from home days as needed (currently a 40% on prem and 60% remote work arrangement).

Responsibilities:

  • Lead and manage a team of security analysts, fostering a culture of collaboration, continuous learning, and high performance in supporting the Vulnerability Management Program.
  • Promotes a candid, collaborative, and positive work environment while being accessible to team members and stakeholders.
  • Manage team performance by delivering valuable coaching and feedback and documenting in performance management system (EPRS).
  • Ensures and oversees the creation and updates to team documentation including standard operating procedures and playbooks.
  • Manage and optimize work intake processes to effectively complete security related work requests.
  • Ensures that VMP projects are managed, timelines are adhered to, deliverables are complete and documented.
  • Contribute to the development and institutionalization of the Commonwealth's security best practices, policies, and standards, while providing and promoting security awareness.
  • In collaboration with security architects and engineers, assist in the research, analysis, design, and implementation of tactical and strategic security solutions.
  • Supervise and actively mentor enterprise security office staff members, within own group and others as appropriate.
  • Support and assist in ongoing projects or specified service request deployment validation & verification.
  • Support the Commonwealth’s Enterprise IT Security Compliance and Assurance Program with technical assessment services.
  • Support and co-lead incident & problem resolution support in a timely and effective manner as necessary and/or requested.
  • Delegates decision making authority appropriately.
  • Demonstrates timely and accurate completion of financial and administrative duties.

Preferred Knowledge, Skills, and Abilities:

  • Five (5) years of enterprise-class information technology and security vulnerability management experience, with the capability to elevate a vulnerability program with proper reporting in place and the ability to identify enhancements.
  • Five (5) years of relevant experience in a supervisory capacity managing small to medium sized teams in a large IT enterprise environment.
  • Strong hands-on experience and knowledge with Cloud Technologies: (e.g., related to Fundamentals, Security, Amazon AWS, Microsoft Azure, Google Cloud Platform).
  • Strong knowledge and experience evaluating, designing, testing, and supporting hardware and software-based security.
  • Strong knowledge and experience with information security and network communications practices and principles, technologies, and systems.
  • Proficient knowledge and experience with vulnerability scanning plus risk and mitigation best practices.
  • Ability to stay knowledgeable of cybersecurity trends and emerging threats.
  • Proficient knowledge and proven experience with the following skillsets:

    • Networking/Data Communications
    • Risk Management
    • Operating Systems (e.g., Windows/Linux)
    • Vulnerability management tools such as Tenable and Palo Alto Xpanse
    • Other Security Tool sets/categories (e.g., Firewalls, Routers/switches, Database, Web Servers, Applications); Common vulnerabilities, CVEs, and CWEs; Encryption and cipher technologies

  • Experience with security frameworks such as NIST (e.g., NIST 800-53) and CIS.
  • Demonstrated experience and success with development and promulgation of enterprise-class security policy and standards.
  • Demonstrated experience and success with completion of risk assessments and vulnerability assessments.
  • LAN/WAN operational experience, including networking, OS, web/application/Database servers, storage, hardware, firewalls, and monitoring and detection tools.
  • Excellent people management, communication, and customer interaction skills.
  • Ability to work independently, manage projects, and exercise judgement in reaching solutions.
  • Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals.
  • Demonstrated ability to communicate effectively, both orally and in writing.

Education and Certifications:

  • Bachelor’s Degree in Business Administration, Finance, Public Administration or related field, or equivalent work experience.
  • CISSP, A+, Security+, CEH, CISA, CRISC, or other IT security operations/vulnerability management certifications are a plus, but not required.

Qualifications
First consideration will be given to those applicants that apply within the first 14 days.

Please see Preferred Qualifications.

Comprehensive Benefits

When you embark on a career with the Commonwealth, you are offered an outstanding suite of employee benefits that add to the overall value of your compensation package. We take pride in providing a work experience that supports you, your loved ones, and your future.

Want the specifics? Explore our Employee Benefits and Rewards!


An Equal Opportunity / Affirmative Action Employer. Females, minorities, veterans, and persons with disabilities are strongly encouraged to apply.

The Commonwealth is an Equal Opportunity Employer and does not discriminate on the basis of race, religion, color, sex, gender identity or expression, sexual orientation, age, disability, national origin, veteran status, or any other basis covered by appropriate law. Research suggests that qualified women, Black, Indigenous, and Persons of Color (BIPOC) may self-select out of opportunities if they don't meet 100% of the job requirements. We encourage individuals who believe they have the skills necessary to thrive to apply for this role.

Official Title: Sys Programmer/Sys Supv, Pdpp
Primary Location: United States-Massachusetts-Chelsea-200 Arlington Street
Job: Information Systems and Technology
Agency: Exec Office of Technology Services and Security
Schedule: Full-time
Shift: Day
Job Posting: Jan 5, 2024, 3:00:07 PM
Number of Openings: 1
Salary: 77,645.09 - 145,763.46 Yearly
If you have Diversity, Affirmative Action or Equal Employment Opportunity questions or need a Reasonable Accommodation, please contact Diversity Officer / ADA Coordinator: Emily Hartmann - 6176608300
Bargaining Unit: 06-NAGE - Professional Admin.
Confidential: No
Potentially Eligible for a Hybrid Work Schedule: Yes
