MTA – Vulnerability Management Analyst

A vulnerability management analyst is an advanced, hands-on practitioner and representative of the cybersecurity defense team. The role is technical, and candidates must possess a solid understanding of information security and preferably have held positions in cybersecurity and systems administration.

• Manage vulnerabilities across applications, endpoints, databases, networking devices, and mobile, cloud and third-party assets.
• Conduct continuous discovery and vulnerability assessment of enterprise-wide assets.
• Document, prioritize and formally report asset and vulnerability state, along with remediation recommendations and validation.
• Communicate vulnerability results in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business, and gain support through influential messaging.
• Procure and maintain tools and scripts used in asset discovery and vulnerability status.
• Leverage vulnerability database sources to understand each weakness, its probability and remediation options, including vendor-supplied fixes and workarounds.
• Support internal and external auditors in their duties that focus on compliance and risk reduction.
• Collaborate with security groups such as red teams, threat intelligence and risk management to form a holistic team dedicated to thwarting attackers and reducing attack surface.
• Work closely with infrastructure teams to advise and support remediation efforts to close vulnerability exposure to new threats in the wild and verify the organization’s security posture against them.
• Regularly research and learn new TTPs in public and closed forums, and work with colleagues to assess risk and implement/validate controls as necessary.
• Maintain an active database comprising third-party assets, their vulnerability state, remediation recommendations, overall security posture and potential threat to the business.
• Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of misconfiguration, compromise or information leakage.
• Periodically attend and participate in change management policy discussions and meetings.
• Define key performance indicators (KPIs) and metrics across business units to illustrate effectiveness with vulnerability management.
• Understand breach and attack simulation solutions for known vulnerabilities and work with the team to validate controls effectiveness.
• Liaise with the security engineering team to improve tool usage and workflow, as well as with the advanced threats and assessment team to mature monitoring and response capabilities.
• Perform other duties as assigned.

• Bachelor's Degree or equivalent and typically requires 4+ years of relevant experience
• Critical Skills: At least 4+ years’ experience in information security administration, vulnerability management or security operations.
• Proficient with vulnerability management solutions such as Qualys, Nexpose, Nessus, Kenna Security, Tanium and open source.
• Understanding of Windows and *nix operating systems, endpoint applications, networking protocols and devices.
• Preferably some experience with vulnerability management across Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).
• Experience conducting organization-wide vulnerability scanning and remediation processes.
• Ability to obtain and maintain technical team and business support to influence a collaborative effort to reduce attack surface.
• Knowledge of one or more compliance standards, including Payment Card Industry (PCI), Health Information Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), National Institute of Standards (NIST) or International Standards Organization (ISO).
• Capable of scripting in Python, Bash, Perl or PowerShell.
• Understanding of OWASP, CVSS, the MITRE ATT&CK framework and the software development lifecycle.
• Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating well.
• Self-starter requiring minimal supervision.
• Excellence in communicating business risk and remediation requirements from assessments.
• Highly organized and efficient.
• Demonstrated strategic and tactical thinking, along with decision-making skills and business acumen.
• Preferably, one or more of the following: GCED, GCCC, GPEN, GCIH, CISSP or CRISC.

• Medical, Dental, and Vision
• Health Spending Accounts
• Flexible Spending Accounts
• 401(k) (U.S.)
• Pension (Canada)
• Employee Stock Purchase Plan
• Mental Health Programs
• Flexible Schedules
• Paid Time Off
• Wellness Program
• Education Reimbursement
• Volunteer Opportunities
• Flexible Work Environment

McKesson is an impact-driven, Fortune 10 company that touches virtually every aspect of healthcare. We are known for delivering insights, products, and services that make quality care more accessible and affordable.