
Manager, Information Security - Threat Vulnerability & Risk Management

Versant Health is a leading managed vision care company focused on enhancing eye health and providing comprehensive vision solutions.


Employee count: 1001-5000


Manager, Information Security (Threat, Vulnerability, and Risk Management)


Who are we? Versant Health is one of the nation’s leading administrators of managed vision care, serving millions of our clients’ members nationwide. We are driven by our mission to help members enjoy the wonders of sight through healthy eyes and vision.

As a Versant Health associate, you can enjoy a comprehensive Total Rewards package, which includes health and dental insurance, tuition reimbursement, 401(k) with company match, pet insurance, and no-cost-to-you vision insurance for you and your qualified dependents. We are also invested in your success. There are many opportunities for advancement and development throughout all stages of your career with us.

See how you can make a difference with the support of strong leadership and a team environment.

See Everything, Be Anything™.

What are we looking for? The Manager, Information Security (Threat, Vulnerability and Risk Management) is a strategic, people-focused leader responsible for overseeing the cyber risk and threat landscape across Versant Health. This leader is accountable for the maturity, governance, and performance of the enterprise cyber risk management program—owning the risk scoring framework, threat identification, vulnerability analysis, risk register governance, and the full lifecycle of risk identification, prioritization, treatment planning, mitigation, monitoring, and executive-level reporting. The Manager, Information Security (Threat, Vulnerability, and Risk Management) reports to the Director, Information Security (Governance, Risk, and Compliance) and will manage a team of vulnerability and risk analysts, guiding their work, developing their capabilities, and ensuring consistent execution across threat monitoring, risk assessment, scoring, reporting, and remediation oversight. This is a hands-on “working manager” role that requires strong technical depth in vulnerability management and threat analysis, combined with the ability to translate technical issues into business-aligned risk decisions. This leader will also work closely with several teams across the organization.

The successful candidate will have expertise in running vulnerability scans, determining appropriate risk and response levels, and proactively identifying zero-day vulnerabilities and ensuring an appropriate response. This leader will have expertise in uncovering gaps in our security posture and making recommendations on how to resolve those identified gaps. They will also have demonstrated experience leading governance processes, facilitating risk acceptance discussions, influencing cross-functional remediation plans, and presenting risk insights to senior leadership. This person will also have experience leading and conducting information security risk assessments of new and existing vendor tools, solutions, and consulting engagements which impact our network, data, and system assets, and identifying methods to reduce the risks associated with them where necessary.

Success requires strong business acumen, the ability to contextualize risk in terms of operational and strategic business impact, and the confidence to advocate for risk-based decisions at all levels of the organization.

Where you will have an impact

  • Conduct recurring scans and audits, and track mitigation activities through to completion
  • Conduct self-assessments and coordinate third-party risk assessments of technology infrastructure and operational processes and controls for assigned areas
  • Conduct scheduled, targeted (in response to advisories and remediation verification) and ad-hoc IT compliance checks and vulnerability scans for the Versant Health global enterprise
  • Investigate and validate risk levels associated with vulnerabilities identified via vulnerability scanning tools (Tenable, Qualys, Kenna, etc.)
  • Provide remediation guidance and recommendations and coordinate with Development Operations, IT and other teams as needed to provide oversight to the remediation and/or mitigation of enterprise vulnerabilities
  • Maintain and improve upon, as necessary, the existing IT and vulnerability management infrastructure, including maintenance of scanning tools, licensing, procedures, reporting, and associated communications (downtimes, upgrades, report changes, etc.)
  • Find security gaps within our enterprise and systems that would not otherwise be detected by a scanning solution in target systems, networks, and applications, in order to help the organization improve existing security controls and mechanisms.
  • Create processes and workflows for all aspects of IT compliance auditing and vulnerability management. Work with cross-functional teams to improve processes, workflows and operational efficiencies
  • Utilize proven sources to maintain an awareness of prevailing and emerging vulnerabilities to proactively address vulnerabilities as early as possible
  • Provide recurring and ad-hoc vulnerability reports upon request
  • Establish appropriate vulnerability management calendar, schedule engagements and track activities to completion. Maintain history of scans and activities for future reference
  • Lead and mature the enterprise cyber risk management program, ensuring alignment with business objectives, regulatory requirements, and organizational risk appetite.
  • Lead and mature the end-to-end risk scoring methodology, incorporating CVSS, likelihood/impact modeling, FAIR-aligned or semi-quantitative scoring, business context, and environmental modifiers, and compensating controls.
  • Own and maintain the Information Security Risk Register, ensuring risks are accurately documented, tracked, scored, and updated.
  • Implement and maintain governance cadences including monthly risk reviews, cross-functional risk working groups, and executive reporting cycles.
  • Oversee recurring and ad-hoc risk assessments for infrastructure, applications, data flows, business processes, and third-party technologies.
  • Partner with business owners to define risk treatments, mitigation plans, compensating controls, timelines, and acceptance decisions.
  • Facilitate formal risk acceptance processes, ensuring that risk owners understand business impact, alternatives, and required residual-risk documentation.
  • Develop and provide executive-level risk reporting and metrics to leadership, including heat maps, trends, KPIs/KRIs, and remediation status – always framing issues in terms of business impact, probability, and required action. Conduct and oversee risk assessments aligned to major IT controls and security frameworks including NIST CSF, NIST 800-53, SOC 2, ISO 27001/27701, HIPAA Security Rule, CIS Controls, and COBIT.
  • Collaborate with Internal Audit, Compliance, and Enterprise Risk Management functions to ensure integrated risk reporting and consistent scoring methodologies across the organization.

What’s necessary to do the job?

  • Experience leading risk programs including identification, scoring, evaluation, and mitigation.
  • Experience owning a risk register, driving governance processes, and partnering with executive stakeholders to influence risk-based decisions.
  • Direct experience with maintaining and utilizing common commercial and open-source vulnerability scanning and security auditing tools (Nessus, Nexpose, OpenVAS, etc.) in both cloud (virtual machines, AWS, Azure, etc.) and conventional (physical endpoints, servers, etc.) environments
  • Thorough understanding of network defense technologies, TCP/IP networking, Active Directory, DHCP, DNS, network security monitoring tools, secure engineering principles and technical security testing methodologies
  • Deep understanding of IT controls and security frameworks including NIST CSF, NIST 800-53, SOC 1/SOC 2, ISO 27001/27002, HIPAA Security Rule, CIS Controls, and COBIT.
  • Ability to assess control design and operating effectiveness in cloud and on-prem environments.
  • Extensive Windows, Mac, Linux and Unix experience including deep knowledge of file system layout, log file analysis, timeline creation, and common configuration deficiencies
  • Desktop, server, application, database, and network security hardening principles and practices for threat prevention
  • Experience working as part of a patch management process and familiarity with patching tools (e.g., SCCM, JAMF, KACE)
  • Knowledge of methods for ongoing evaluation of the effectiveness and applicability of information security controls (e.g., vulnerability testing and assessment tools).
  • Ability to understand information security and information technology risks associated with vulnerability testing, patch management, and secure configuration management.
  • Ability to analyze and prioritize vulnerabilities to appropriately characterize threats and provide remediation advice.
  • Familiarity with classes of vulnerabilities, appropriate remediation, and industry-standard classification schemes (CVE, CVSS, CPE).

HIPAA & Security Requirements

All Associates must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as it pertains to disclosures of protected health information (PHI) as described in the Notice of Privacy Practices and HIPAA Privacy Policies and Procedures. As a component of job roles and responsibilities, Associates may have access to covered information, cardholder data, or other confidential customer information which must be protected at all times. As a result, Associates must explicitly adhere to all data security guidelines established within the Company’s Privacy & Security Training Program.

Versant Health will never request money from candidates who seek employment with us and will never ask for any payment as part of the recruitment process.

Versant Health is a proud Equal Employment Opportunity and Affirmative Action employer dedicated to attracting, retaining, and developing a diverse and inclusive workforce. All qualified applicants will receive consideration for employment at Versant Health without regard to race, color, religion, sex (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity or expression, age, disability, national origin, marital or domestic/civil partnership status, genetic information, citizenship status, uniformed service member or veteran status, or any other characteristic protected by law.

About the job

Job type: Full Time

Experience level: Manager

Location requirements: Open to candidates from all countries.

Hiring timezones: Worldwide

About Versant Health


Versant Health is dedicated to the mission of helping members enjoy the wonders of sight through healthy eyes and vision. Our operations include a variety of services, such as Commercial Third Party, Government Solutions, and Provider Networks. Our commitment goes beyond just providing vision care; we strive to be a resource for eye health and engage in initiatives that promote eye care awareness.

As one of the nation's leading managed vision care companies, Versant Health is powered by Davis Vision and Superior Vision, providing quality service backed by decades of experience. Our infrastructure supports a fully automated eyewear manufacturing lab, testing and certifying eyeglass production, delivering stylish, affordable, and high-quality eyewear to customers across the U.S. We are proud to serve over 41 million members, collaborating with over 30 Fortune 1000 companies. Our continuous innovation in vision care reflects our commitment to enhancing members' health and quality of life.
