Director, Vulnerability Management

Fitch Group is currently seeking a Director of Vulnerability Risk based out of our Manchester office.

We are seeking a Director to lead our Vulnerability Management (VM) team. This role is ideal for an experienced security leader with a risk mindset who can oversee all aspects of vulnerability management, including identification, risk prioritization, and remediation of vulnerabilities discovered. The ideal candidate for this role will bring innovative ideas on how to consistently apply risk prioritization through automation, leveraging AI where appropriate.

Success will look like:

• Application of a risk mindset with consideration for the company’s set of standing security controls
• Ideas on opportunities to strengthen protection of our critical assets
• Strong collaboration across the vulnerability management teams and stakeholders
• Delivering real-time metrics reports
• Remediation tracking aligned with organizational risk priorities

This is a new role to oversee a recently established unified vulnerability management program, covering infrastructure and cloud scanning, application security testing, and penetration testing.

• Define and execute the strategic roadmap the Unified Vulnerability Management program, including resource planning, performance tracking, and establishing and reporting on metrics (key performance indicators; key risk indicators; and objectives and key results) for the program.
• Lead the end-to-end vulnerability management lifecycle using a consistent, risk-based assessment methodology that evaluates likelihood, impact, control environment and Fitch specific business context, ensuring timely remediation and compliance with internal policies.
• Govern the intake, normalization, and triage of findings originating from tools and assessments to ensure alignment with a unified lifecycle management process
• Manage vulnerabilities identified from scanning tools covering open source, custom source code, dynamic application scanning, static application scanning, infrastructure scanning, and cloud security posture management solutions. (SCA, SAST, DAST, infrastructure, and CSPM)
• Provide risk informed visibility to stakeholders through clear dashboards and other reporting mechanisms which indicate remediation expectations
• Ensure proper reporting of vulnerabilities to stakeholders and drive remediation efforts from an Information Security perspective.
• Develop strong partnerships with engineering, application development, and infrastructure teams to ensure aligned remediation workflows and streamlined ticketing processes for opening and closing vulnerabilities.
• Maintain and track team workload, ensuring transparency and accountability.
• Collaborate with subject matter experts across Info Sec and Technology to contextualize findings, validate assessments, resolve ambiguity and accelerate closure without compromising risk posture.
• Own and operationalize Fitch’s cyber risk taxonomy, threat intelligence, compensating control analysis, and architectural context to ensure findings are prioritized appropriately.
• Perform contextual analyses for vulnerability risk prioritization based on the following criteria: the business criticality of systems to Fitch, cloud architecture details such as network segmentation and access controls, understanding of system and application architecture, and data confidentiality.
• Produce and maintain dashboards, metrics and trend analyses that facilitate consumption of risk information and enable responses to requests for executive reporting and audit requests.
• Deliver VM team projects on time and on budget, ensuring alignment with department goals, organizational goals, and regulatory requirements.

The ideal candidate will have 7-10 years of progressive leadership experience in Information Security, with at least 2 years in a dedicated Vulnerability Management role.

They should demonstrate strong leadership skills, experience managing vulnerabilities across SAST, DAST, SCA, infrastructure, and CSPM solutions, and excellent communication and collaboration abilities for engaging technical teams and senior stakeholders.