Lead Information Security Specialist (Threat & Vulnerability Management)

McKesson is an impact-driven, Fortune 10 company that touches virtually every aspect of healthcare. We are known for delivering insights, products, and services that make quality care more accessible and affordable. Here, we focus on the health, happiness, and well-being of you and those we serve - we care.

What you do at McKesson matters. We foster a culture where you can grow, make an impact, and are empowered to bring new ideas. Together, we thrive as we shape the future of health for patients, our communities, and our people. If you want to be part of tomorrow's health today, we want to hear from you.

McKesson is looking for a Lead Information Security Analyst, Threat & Vulnerability Management to help supporting McKesson information security capabilities and compliance across Business units and Enterprise IT organizations within McKesson. As a Lead Information Security Analyst, you will be a key member of our Cybersecurity team. The candidate will have a background in Threat & Vulnerability Management. He or she will also help represent the Cybersecurity team on various projects and boards. The Lead Information Security Analyst works with the Sr. Manager, Threat & Vulnerability plays a critical role in safeguarding the organization's information and systems by identifying and addressing vulnerabilities. This position involves monitoring, analyzing, and advising on vulnerability-related risks.

Responsibilities:
Vulnerability Monitoring:
- Continuously monitor relevant sources (CVE databases, security bulletins, etc.) for newly identified vulnerabilities.
- Assess the impact and severity of vulnerabilities based on the organization's assets and risk appetite.

Risk Evaluation:
- Evaluate the risks posed by identified vulnerabilities to the organization's information and systems.
- Collaborate with cross-functional teams to prioritize vulnerabilities based on business impact.

Advisory Role:
- Provide actionable recommendations to management regarding vulnerability remediation.
- Advise on appropriate measures to eliminate or reduce the organization's risk exposure.

Trend Analysis:
- Analyze vulnerability data to identify trends, patterns, and emerging threats.
- Stay informed about industry best practices and evolving attack vectors.

Stakeholder Communication:
- Regularly communicate vulnerability status, progress, and risk mitigation efforts to relevant stakeholders.
- Foster collaboration with IT teams, system owners, and security architects.

Key Results:
- Patch Compliance Rate:
- Achieve and maintain a high patch compliance rate across all systems and applications.

Vulnerability Reduction:
- Continuously reduce the number of critical and high-risk vulnerabilities within the organization.

Response Time:
- Minimize the time taken to remediate vulnerabilities after discovery.

Risk Score Improvement:
- Work towards lowering the overall risk score associated with vulnerabilities.

Stakeholder Satisfaction:
- Gather feedback from stakeholders on vulnerability management effectiveness and adjust strategies accordingly.

Qualifications (Education, Experience, Skills/Competencies):

• 4-year degree (in IT Security, Information Systems, Computer Science, Engineering, Information Security, Education, Information Technology, Information Systems, Technical, Cyber Security, Technology, a related field) or equivalent experience.
• 5+ years of experience in systems and/or applications security, including maintenance and use of security products in a distributed enterprise environment, Network and Infrastructure Security, Vulnerability Management, Cloud Security, Data Protection Controls (Cryptography, Data Loss Prevention, Access Controls, etc.).
• Knowledge of investigative methodologies and decomposing behavioral profiles to develop investigative plans.
• Ability to manage the security vulnerabilities and risks across the organization including identifying, supporting application/system owners to manage risks and remediate vulnerabilities.
• Ability to analyze site/enterprise Computer Network Defense policies and configurations and evaluate compliance with regulations and enterprise directives.
• Knowledge of Security and Control Frameworks such as NIST, ISO, Cloud Security Alliance, CMMC, etc.
• Knowledge of network protocols IDS/IPS, DNS, TCP/IP, network defense components.
• Security related qualification(s) such as CISSP, GPEN, GCIH, CEH, CISA, CRISC, IAT, CISM, or GIAC.

Additional Knowledge & Skills (Optional):

• Knowledge of healthcare, privacy, and financial compliance regulations.
• Knowledge and experience with secure deployment of applications within cloud environment.
• Experience with law enforcement, defense, or intelligence community.
• Strong analytical and troubleshooting skills with an understanding of IT business operations and information security.
• Experience with Vulnerability Management Tooling.

We are proud to offer a competitive compensation package at McKesson as part of our Total Rewards. This is determined by several factors, including performance, experience and skills, equity, regular job market evaluations, and geographical markets. In addition to base pay, other compensation, such as an annual bonus or long-term incentive opportunities may be offered. For more information regarding benefits at McKesson, please click here.

Our Base Pay Range for this position

$139,000 - $231,600

McKesson is an Equal Opportunity Employer

McKesson provides equal employment opportunities to applicants and employees and is committed to a diverse and inclusive environment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, disability, age or genetic information. For additional information on McKesson's full Equal Employment Opportunity policies, visit our Equal Employment Opportunity page.

Join us at McKesson!