About the Role:
McKesson is seeking a Vulnerability Management Operations Lead to support information security capabilities and compliance across Business units and Enterprise IT organizations within McKesson.
This role is a key member of our Cybersecurity team, requiring a technical background in Threat & Vulnerability Management and Infrastructure Engineering.
The successful candidate will work with the Sr. Manager of Endpoint Vulnerability Management, playing a critical role in safeguarding the organization's information and systems by identifying and addressing vulnerabilities.
Key Responsibilities
* Vulnerability Management:
  * Lead the deployment, configuration and optimization of McKesson's Vulnerability Management Solution (VMS)
  * Establish clear understanding and documentation of all infrastructure associated with McKesson's VMS
  * Periodically assess McKesson's VMS configuration to ensure that all sites, exclusions, users and policies are accurate and up to date
  * Work with Solution, Platform, Risk Management and Global Threat and Vulnerability Management teams to patch or remediate operating system and network vulnerabilities in line with security policy requirements
  * Develop and maintain processes, policies and procedures to ensure McKesson's Vulnerability Management solution remains compliant with McKesson's security standards and industry best practice
  * Collaborate with Cybersecurity Service teams and BISOs to implement delivery plans for security tools and capabilities
* Risk Evaluation:
  * Continuously monitor relevant sources for newly identified vulnerabilities
  * Assess the impact and severity of vulnerabilities based on McKesson's assets and risk appetite
  * Implement appropriate security solutions and tools based on the level of risk identified
  * Prioritize vulnerabilities based on business impact
  * Maintain detailed knowledge of emerging threats, risks and technical innovations / security capabilities
* Advisory Role:
  * Provide actionable recommendations regarding vulnerability identification, prioritization and remediation
  * Advise on measures to eliminate or reduce the organization's risk exposure
* Trend Analysis:
  * Analyze vulnerability data to identify trends, patterns and emerging threats
  * Stay informed about industry best practices and evolving attack vectors
* Key Results:
  * Achieve and maintain maximum coverage for vulnerability scanning across McKesson's environment
  * Ensure all Vulnerability Management infrastructure remains patched and compliant in terms of vulnerabilities
* Stakeholder Satisfaction:
  * Gather feedback from stakeholders on vulnerability management effectiveness and adjust strategies accordingly
What We're Looking For:
Minimum Requirements:
* 10+ years in systems/application security, handling security products in enterprise settings
* Proven experience in Network Security, Vulnerability Management, Cloud Security, and Data Protection
* Skilled in managing VMS, identifying risks, and remediating vulnerabilities
* Capable of documenting vulnerabilities and communicating solutions effectively
* Experience with vulnerability management software including tools like Veracode, Twistlock, MPT, Rapid7 Nexpose, or Tenable
* Extensive experience in Security Engineering/Operations in matrixed enterprises
* Expert knowledge of identity access management (e.g., MFA, privileged access, SSO)
* Ability to assess network defense compliance with regulations and make recommendations
* Experience in creating solution documentation and performance metrics
* Familiar with Security Frameworks (NIST, ISO, Cloud Security Alliance, etc.)
* Understanding of network protocols and defense components
* Security certifications such as CISSP, GPEN, GCIH, CEH, CISA, CRISC, IAT, CISM, or GIAC are advantageous
Additional Skills:
* Knowledge of healthcare, privacy, and financial compliance regulations
* Knowledge and experience with secure deployment of applications within cloud environments
* Strong analytical and troubleshooting skills with an understanding of IT business operations and information security
* Knowledge of the healthcare industry is an advantage
* Familiarity with healthcare, privacy, and financial compliance regulations would be an advantage
* Knowledge of ITIL service methodology would be an advantage
* Experience in working with cloud-based solutions would be an advantage
Education:
* 4-year degree (in IT Security, Information Systems, Computer Science, Engineering, Information Security, Education, Information Technology, Technical, Cyber Security, Technology, or a related field) or equivalent experience