Vulnerability Manager
DoIT Technology Platform Manager III
Recruitment #23-004774-0001
Department | DoIT Enterprise Information Systems |
---|---|
Date Opened | 11/17/2023 09:30:00 AM |
Filing Deadline | 12/1/2023 11:59:00 PM |
Salary | $95,798.00 - $154,319.00/year |
Employment Type | Full-Time |
HR Analyst | Cindy Mann |
Work Location | Anne Arundel |
Telework Eligible | Yes |
Introduction
The Department of Information Technology (DoIT)
leads the State in the creation and implementation of information technology
solutions that improve IT infrastructure and government services and keep
Maryland current within IT industry trends.
GRADE
LOCATION OF POSITION
Dept. of Information Technology
100 Community Place
Main Purpose of Job
POSITION DUTIES
Supports program goals, Service Level Agreements (SLAs), standards, and controls to meet both agency and program objectives while overseeing their achievement.
Provides reporting and analysis to demonstrate program effectiveness, drives improvements to maturity and creates stakeholder awareness, and develops strategic improvements.
Works with key stakeholders throughout the organization(s) to drive remediation and build relationships based on an understanding of stakeholder needs.
Responsible for identifying and prioritizing vulnerabilities based on their severity and impact and providing plans for remediation.
Provides break-fix troubleshooting, root cause analysis and support for platform technical issues.
Works with the Portfolio Office and agency contacts to onboard new agencies to the Managed Vulnerability Management Service.
Provisions and deprovisions administrator and customer access to the vulnerability and attack surface management platforms.
Creates and provides key performance indicator metrics to leadership.
Responsible for creating and hosting a biweekly vulnerability meeting with Department of Information Technology platform, system, and service owners to communicate vulnerability risks and remediation.
Collaborates with the Director of Governance, Risk, and Compliance to create plans of action and milestones to mitigate residual risks.
Performs security reviews of software, applications, and systems being integrated with the environment.
Leads the team of vulnerability analysts and engineers in the design, implementation, operation, and maintenance of the vulnerability management platform and the managed vulnerability management service.
Prioritizes program projects, develops work plans and deadlines, monitors project progress against delivery commitments, and ensures adherence to established policies, procedures, and standards.
Develops, implements, configures, and maintains the design of the vulnerability management architecture, configuration, policies, and procedures.
Responsible for overall administration and management of the vulnerability management platform’s operational and security audit logs.
Evaluates new technologies which may either enhance existing services or which represent new services.
Responsible for vulnerability management patch/upgrade monitoring, reviews, and maintenance scheduling and deployment.
Responsible for monitoring alerts and responding to security incidents.
Participates in incident response and disaster recovery planning and training exercises.
Develops and documents incident response procedures in collaboration with other team leads.
MINIMUM QUALIFICATIONS
Education: A bachelor's degree in computer science, cybersecurity, information technology, software engineering, information systems, or computer engineering.
Experience: Five (5) years work experience in the following areas:
Implementing, optimizing, managing, and supporting the vulnerability management process and platform responsible for conducting vulnerability scanning and reporting,
Overseeing the identification, assessment, and prioritization of vulnerabilities across various technology platforms, systems, and applications, using both automated tools and manual detection techniques,
Assessing vulnerabilities for scope, researching steps required to remediate, and developing an actionable remediation plan that effectively addresses identified vulnerabilities,
Developing and delivering regular metrics, reports, KPIs and presentations to leadership and key stakeholders, conducting risk assessments of information systems, applications, and third-party SaaS applications,
Applying the NIST Risk Management Framework (RMF) towards supporting the technical assessment of control implementations and continuous monitoring post-system Authority to Operate (ATO),
Conducting risk assessments of information systems, applications, and third-party SaaS applications.
Note: Additional experience may be substituted on a year for year basis for the education requirement.
DESIRED OR PREFERRED QUALIFICATIONS
Preference will be given to candidates who have one or more of the following certifications:
Certified Information Systems Security Professional (CISSP)
Certified in Risk and Information Systems Control (CRISC)
GIAC Enterprise Vulnerability Assessor Certification (GEVA)
SELECTION PROCESS
Please make sure that you provide sufficient information on your application/resume to show that you meet the qualifications for this recruitment. All information concerning your qualifications must be submitted by the closing date. We will not consider information submitted after this date. Successful candidates will be placed on the eligible (employment) list for at least one year.
EXAMINATION PROCESS
The assessment may consist of a rating of your education, training, and experience related to the requirements of the position. It is important that you provide complete and accurate information on your application/resume. Please report all experience and education that is related to this position.
BENEFITS
FURTHER INSTRUCTIONS
Online applications are highly recommended. However, if you are unable to apply online, the paper application and supplemental questionnaire may be submitted to: Department of Budget and Management, Recruitment and Examination Division, 301 W. Preston St., Baltimore, MD 21201. Paper application materials must be received in our office by the closing date for the recruitment. No postmarks will be accepted.
For questions regarding this recruitment, please contact the DBM Recruitment and Examination Division at Application.Help@maryland.gov or 410-767-4850, MD TTY Relay Service 1-800-735-2258.
We thank our Veterans for their service to our country.
People with disabilities and bilingual candidates are encouraged to apply.
As an equal opportunity employer, Maryland is committed to recruiting, retaining and promoting employees who are reflective of the State's diversity.
For education obtained outside the U.S., a copy of the equivalent American education as determined by a foreign credential evaluation service must be provided prior to hire.
This recruitment requires completion of a supplemental questionnaire.