Share this Job

Vulnerability Management Lead

Date: Apr 13, 2021

Location: London, United Kingdom

Company: KPMG UK

Vulnerability Management Lead

The Team
This role is in the Security Advisory and Assessment (SAA) team, within the KPMG UK Information Security function. The SAA team are critical in the assessment, development and delivery of innovative, technology-enabled secure solutions for KPMG and our clients. The SAA team is vital to KPMG’s ability to demonstrate that we are delivering ‘secure by design’ solutions such that our business stakeholders, our clients and our regulators trust KPMG.

The Role
The role involves leading and being accountable for the end to end vulnerability management (VM) service. The vulnerability management service helps defend KPMG and its clients by ensuring scans of KPMG information assets are performed and pro-actively managing vulnerabilities in conjunction with Enterprise wide and Technology engineering teams, in alignment with KPMG risk objectives.

The Vulnerability Management Lead will:
• Develop the service, using automation, digitisation, security by design and a customer focussed approach as appropriate, and formulate a service strategy for VM within the agreed budget;
• Understand the dependencies & work collaboratively with aligned services & departments such as Data Privacy, Technology, Risk & Legal to provide a consistent and reliable service & approach;
• Maintain good relationships with customer groups and ensure customer satisfaction, by monitoring quality & escalating issues as necessary;
• Take accountability for the VM service and oversee the delivery and quality of the service by your team, other KPMG teams and third parties;
• Lead and manage a team of high performing professionals in delivering a vulnerability management service;
• Provide opportunities and training to develop the skills needed to meet the future needs of the service;
• Be accountable for performing technical risk assessments on vulnerabilities and recommending remediation prioritisation or approving exceptions if necessary;
• Be accountable for working with various internal and external sources to review threat intelligence and vulnerability alerts, assess impact of vulnerabilities in conjunction with Technology and then prioritise actions based on the vulnerability assessment through a risk-based approach to meet KPMG objectives;
• Be accountable for team of specialists who provide subject matter expertise, such as recommending remediation strategies and providing advice on complex configuration changes in support of vulnerability remediation;
• Be accountable for ensuring service documentation, such as process guides, are maintained and kept up to date.
• Be accountable for lifecycle ownership of in-scope technology that supports the vulnerability management service.
• Be responsible for providing reporting to leadership and other service stakeholders on service performance (against KPIs) and vulnerability risk exposure (against KRIs).
• Be responsible for inputting to and reviewing information security policy and standards related to vulnerability management.
• Be responsible for attending and supporting internal and external audits from a vulnerability management service perspective.
• Be Responsible for building and maintaining strong relationships with key stakeholders, such as Information Security leadership, CTO’s, Technology Operations, business service owners and any 3rd parties;
• Provide advice to senior leadership on ways to improve control mechanisms, identify, evaluate, and mitigate risks;
• Work towards and achieve or extend professional certifications as part of personal development;
• Share experiences with others to assist their learning and understanding.

The Person
You must have:
• Excellent and relevant experience in a similar vulnerability management leadership role;
• Strong understanding of tooling associated with vulnerability management such as Qualys, Kenna, Microsoft Defender ATP and ServiceNow.
• Experience and knowledge in vulnerability management of applications and infrastructure within the Cloud, such as AWS and Azure;
• Experience with managing senior stakeholders;
• Be able to demonstrate the ability to adapt communication style to explain technical concepts to different people within an organisation whether advising stakeholders, directing teams or sharing experience;
• Experience of successfully working in a fast paced, customer service environment, delivering high quality information security services; and
• Be calm in challenging situations, able to navigate through complex security problems to find a root cause and balanced outcome.

It would be advantageous if you can demonstrate some, or all of:
• Experience with managing a service and developing a product lifecycle;
• Experience with managing third parties to deliver elements of your service;
• Experience and knowledge of container or serverless platforms;
• Any security or vulnerability management product certification.

Job Segment: Manager, Information Security, PLM, Management, Technology