Sr. Analyst, Vulnerability Management

What you will do:

The Johnson Controls Global Cyber Security (GCS) team is undergoing transformation and expansion as Johnson Controls increases its cybersecurity resources and capabilities to address the ever-changing cybersecurity threat landscape. 

The Sr. Vulnerability Analyst for Vulnerability Management will ensure the continuous identification and monitoring of vulnerabilities in the JCI Corporate infrastructure and websites and will support the IT department of Johnson Controls. The role will also identify and recommend methods and techniques to improve security posture and help establish a security culture across the various IT departments. Creates documentation and technical working instructions to support high-quality security operations, monitoring, and compliance in corporate environments. Supports achieving the vulnerability program objectives in the infrastructure, web application and compliance area. The candidate will also coordinate the improvement of current automation related to the vulnerability management area.  The successful candidate will need to be highly knowledgeable of the concepts of security vulnerability management and IT compliance hardening and have the technical skills and communication abilities to converse with IT engineers about security vulnerabilities and support remediation. The candidate will be able to articulate thoughts clearly, run operations, plan initiatives, and execute with appropriate urgency. The candidate will demonstrate drive, intelligence, maturity, and energy and will be a proven change agent..

How you will do it:

• Coordinate and/or perform regular Infrastructural and Web Application vulnerability assessments;
• Identify, and maintain the vulnerability management corporate platform in order to prompt identify weakness in the internal and external perimeter, including Cloud infrastructure;
• Monitor the identified security vulnerabilities or misconfiguration and support the IT stakeholders for remediation;
• Enforce VM processes and procedures to ensure also the right coverage and security of the Corporate Business Infrastructure and Web Applications;
• Collaborate with GIS teams to develop or optimize automations used for vulnerability tracking and reporting;
• Support to adopt Security best practices and security standards applied by the organization.

What we look for:

Required

• Minimum 8 years working in Information Security and Security Operations area.
• Knowledge of industry best practices in Vulnerability Management and Compliance areas; (e.g. NIST and “CVSS - Common Vulnerability Scoring System” frameworks)
• Experience in management and configuration of vulnerability assessment platform (e.g Rapid7 Insight VM and AppSec, Nessus, Qualys VM and WAS, Burp Suite, ZAP)
• Experience with administration of ITSM solutions used for vulnerability tracking and reporting (Service Now SecOps VM Module/Jira)
• Experience with OWASP Top 10 assessment and methodology and CIS hardening standard;
• Experience with various cloud providers (Azure, Google, Amazon) and knowledge on methodology how to secure them;
• Experience on enforcement of VM operational Security process and procedures;
• Experience with penetration test assessment, red/blue team activities and security monitoring;
• Effective communication skills to interface with both internal and external stakeholders;
• Self-starter mentality that defaults to action and thinks creatively on how to overcome challenges;
• Good communicator, both verbally and in writing;
• Highly motivated, adaptable and willing to learn new technologies.

Preferred

• Bachelor’s degree in computer engineering, computer security or computer science discipline;
• Previous technical background in IT or Software development roles;
• Experience with Splunk SIEM Platform;
• Experience with management of Service NOW SecOps Vulnerability Response module.

Desired Security certifications:

• Certified Information Systems Security Professional (CISSP)
• Certified Ethical Hacker (CEH)
• Offensive Security Certified Professional (OSCP)
• CompTIA Security+
• Qualys Certified Specialist
• Burp Suite Certified Practitioner