CNA Insurance · 1 day ago
Director of Vulnerability Management
CNA Insurance is committed to fostering a culture where employees matter and are part of something important. The Director of Vulnerability Management leads the enterprise-wide Vulnerability Management program, leveraging technical expertise and strategic leadership to safeguard assets and ensure compliance with business and regulatory requirements.
Finance · Financial Services · Information Services · Information Technology · Insurance · Property Management · Real Estate · Risk Management
Responsibilities
Leads and executes a comprehensive Vulnerability Management program across a global technology organization, covering legacy and modern assets and applications located both on-premises and in the cloud
Owns and operates the enterprise vulnerability management program, including vulnerability scanning, reporting, and remediation tracking
Builds and nurtures strong partnerships with asset owners and managed service providers to drive vulnerability remediation and mitigation, reduce exposure and potential business impact, and ensure secure asset configurations
Oversees and technically validates the MSP's delivery of vulnerability scanning and assessments using Tenable tools
Is accountable for the vulnerability remediation process within CNA, covering vulnerabilities discovered through vulnerability scanning, ethical hacking, threat intelligence, application security, responsible disclosure, and other sources
Owns the secure configuration management process within CNA end to end, which may include working with various teams to develop secure technical specifications for technologies, assessing the environment against those specifications, and continuously improving the posture through governance and technical leadership
Develops enterprise policy, standards, plans, strategy, and procedures for vulnerability management and secure configuration, aligned with business, industry, and regulatory requirements, and ensures adherence across the enterprise to avoid audit findings and compliance gaps
Develops and presents VM program metrics, KPIs, KRIs, and other applicable performance measures to communicate risk and program effectiveness to governance bodies and leadership
Performs detailed analysis of vulnerability data to identify trends, recurring issues, and systemic weaknesses, and uses this analysis to prioritize remediation efforts based on risk and business impact
Identifies, recommends, and prioritizes appropriate measures to manage and remediate vulnerabilities and reduce potential impacts on information resources to acceptable risk tolerances
Partners with other teams to assess the potential impact of vulnerabilities and recommends appropriate compensating security controls
Leads, mentors, and develops an internal team of vulnerability management professionals (FTEs and contractors), fostering a culture of continuous learning and operational excellence
Champions vulnerability management and information security, including broadening awareness and use of the team's services, educating on security best practices, and integrating with other business areas
Serves as primary point of contact and escalation for the MSP, holding them accountable to SLAs, quality standards, and performance metrics
Communicates vulnerability risks, trends, and remediation progress to senior leadership, including executives and the Board, in clear business terms
Partners with application and infrastructure owners to ensure remediation activities are prioritized and executed effectively
Qualifications
Required
Strong hands-on expertise with Tenable.sc, Tenable.io, or equivalent enterprise vulnerability scanning tools
Proven track record of leading vulnerability management programs and teams with expert-level knowledge and competence in security concepts and strategies and the ability to successfully implement them
Hands-on experience with leading vulnerability management tools at enterprise scale and strong technical understanding and experience assessing vulnerabilities and identifying weaknesses in legacy and modern assets and applications located on-premises and in the cloud
Expertise in identifying, evaluating, and prioritizing vulnerabilities within CNA's environment, paired with the capability to design and implement holistic remediation strategies that effectively address both immediate and long-term risks across CNA
Excellent written and verbal communications and interpersonal skills to work effectively with peers, leadership, and subordinates. Must be able to clearly communicate complex technical and business concepts both to business partners, internal and external teams, and leadership
Strong analytical and project management skills
Proven ability to effectively lead, manage, coach, and develop a team. This includes both direct leadership but also cross-functional capabilities
Proven experience managing MSP relationships, including SLA enforcement and technical oversight
6+ years in a vulnerability management program, knowing not only how to assess vulnerabilities but also how to prioritize and drive remediation activities
Experience interacting with auditors and regulators
Experience and comfort working across evolving cloud and on-premises hybrid environments and technologies
Self-starter with the ability to make independent data-driven decisions and the judgment to know when to seek guidance
Expert-level understanding of key vulnerability management and information security concepts, such as risk, severity, exploitability, CVE, CVSS, asset management, and secure configuration management
Ability to foster collaborative, open, working relationships with stakeholders
Strong understanding of enterprise, network, endpoint, and application-level security issues and risks
Solid understanding of operating systems (Windows, Linux, Unix), networking, cloud platforms (GCP, AWS, Azure), and common enterprise application stacks
Bachelor's degree in Computer Science, or related discipline, or equivalent work experience
Typically, a minimum of ten years' related work experience in Information Technology
Preferred
CISSP, CISM, PMP, Tenable or equivalent certifications preferred
Benefits
CNA offers a comprehensive and competitive benefits package to help our employees – and their family members – achieve their physical, financial, emotional and social wellbeing goals.
Company
CNA Insurance
CNA is one of the largest U.S. commercial property and casualty insurance companies.
H1B Sponsorship
CNA Insurance has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Below presents additional info for your reference. (Data Powered by US Department of Labor)
[Chart: Distribution of Different Job Fields Receiving Sponsorship, highlighting job fields similar to this job; chart not reproduced]
Trends of Total Sponsorships (by year)
2025: 30
2024: 32
2023: 25
2022: 43
2021: 32
2020: 14
Funding
Current Stage: Public Company
Total Funding: $0.88M
2016-09-12: Post-IPO Equity, $0.88M
1978-01-13: IPO
Recent News
2025-11-03
MarketScreener
Company data provided by crunchbase