Sr. Vulnerability Management Analyst
Olney, MD 
Posted 18 days ago
Job Description
About Us

Are you someone who seeks opportunity and has a true desire to grow your career with an organization that has enriched the lives of its clients and communities in the Greater Washington region for more than 150 years? If so, Sandy Spring Bank may be the perfect fit for you!

Sandy Spring Bank is a growing financial services company focused on creating real experiences for our employees, clients, shareholders and communities. We are proud to have been certified as A Great Place To Work, recognized by The Washington Post and the Baltimore Sun as a Top Workplace, by Forbes magazine as the #1 Bank in Maryland. It is our employees who play an integral role in shaping who we are as a company and upholding what matters most to us: people and relationships.

To help us attract the highest quality individuals, we offer a comprehensive benefits package to those who qualify. We offer competitive market salaries, paid time off, multiple retirement savings options, full health care options, life insurance, health care and dependent care flexible spending accounts, career development opportunities, tuition assistance and volunteer opportunities. We are proud to offer those, and so much more, making Sandy Spring Bank a remarkable place to work and build a career.


About the Job

Sandy Spring Bank is recruiting for a Senior Vulnerability Management Analyst. Reporting to the Manager of Vulnerability Management and Configuration Management, the Sr. Vulnerability Management Analyst is responsible for managing and monitoring the vulnerability lifecycle and system baseline compliance. The role is technical, and candidates must possess a solid understanding of information security and have held positions in cybersecurity and systems administration. Scope of this role includes network devices, infrastructure servers, application servers, desktops, cloud services and software applications (in house developed and open source).

General responsibilities of this position include identifying assets and vulnerabilities, reporting, remediation and continuous assessment. The Sr. Vulnerability Management Analyst must understand applications, operating systems, networking, cloud infrastructure and basic attacker tactics, techniques and procedures (TTPs). In addition, the role involves Baseline Security Compliance standard (i.e. CIS Benchmarks) monitoring and software vulnerability management as part of the SSB DevOps CI/CD pipeline.

Senior Vulnerability Management Analysts are expected to execute the strategic initiatives for short- as well as long-term plans and to assist with identifying and reducing the attack surface across applications and systems. Use of automated tools to identify, assess and report is expected, with emphasis placed on effective communication to constituents relying on applications and systems that support their business. At times manual verification will be required by the analyst to confirm findings and identify false positives. Sr. Vulnerability Management Analysts take an active lead to inform, advise and partner with business units to help better secure their operations.

MAJOR JOB ACCOUNTABILITIES:

  • Manage vulnerabilities across applications, endpoints, databases, networking devices, and mobile, cloud and third-party assets.
  • Conduct continuous discovery and vulnerability assessment of enterprise-wide assets.
  • Document, prioritize and formally report asset and vulnerability state, remediation recommendations and validation.
  • Communicate vulnerability results in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business, and gain support through influential messaging.
  • Procure and maintain tools and scripts used in asset discovery and vulnerability status of cloud-based services and bank data center systems.
  • Leverage vulnerability database sources to understand each weakness, its probability and remediation options, including vendor-supplied fixes and workarounds.
  • Support internal and external auditors in their duties that focus on compliance and risk reduction.
  • Work closely with infrastructure teams to advise and support remediation efforts to close vulnerability exposure to new threats in the wild and verify the organization's security posture against them.
  • Engage with the project management office (PMO), IT, and Project Leads to ensure vulnerability and posture scanning is in-place and performed prior to system deployment.
  • Specify and monitor Baseline Security Compliance standards (CIS Benchmarks) for servers, devices, cloud and containers; deploy File Integrity Monitoring and perform issue analysis, reporting and remediation support.
  • Support Application and Software Security Program initiatives by integrating code reviews, penetration tests and open-source vulnerability management into the SDLC and the bank-wide CI/CD DevOps pipeline.
  • Regularly research and learn new TTPs in public and closed forums, and work with colleagues to assess risk and implement/validate controls as necessary.
  • Maintain an active database comprising third-party assets, their vulnerability state, remediation recommendations, overall security posture and potential threat to the business.
  • Support delivery of key performance indicators (KPIs) and metrics across business units to illustrate effectiveness with vulnerability management.
  • Develop and publish information security policies, procedures, standards and guidelines based on knowledge of best practices and compliance requirements.

Required Skills

KNOWLEDGE, SKILLS, AND ABILITIES:

  • A. or B.S. in Computer Science, Management Information Systems or related field, or equivalent work experience.
  • Security certifications desired, preferably one or more of the following: GIAC Enterprise Vulnerability Assessor (GEVA), GCED, GCCC, GPEN, CISSP, AWS Solutions Architect.
  • At least five (5) years of experience in information security administration, vulnerability management or security operations.
  • Proficient with vulnerability management solutions such as Qualys, Rapid7 Nexpose, Tenable Nessus, and open source.
  • Experience with software security testing tools (SAST/DAST) such as Fortify, JFrog, CheckMarx, Sonatype is desired.
  • Experience configuring systems to run only the minimum required applications, applying least privilege and additional host hardening using CIS Benchmarks.
  • Understanding of Windows and *nix operating systems, endpoint applications, networking protocols and devices.
  • Experience with cloud vulnerability management across Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).
  • Experience conducting organization-wide vulnerability scanning and remediation processes.
  • Experience with API and Web Application Security scanning and remediation.
  • Experience with securing container-based solutions such as Docker, Kubernetes (K8s), AWS EKS, AWS ECS, AWS Fargate.
  • Prior experience working on a Red Team/ Blue Team / Purple Team is desired.
  • Ability to collaborate with technical and business teams in order to remediate vulnerabilities based on risk.
  • Knowledge of information security standards (e.g., NIST CSF, ISO 2700x, etc.), rules and regulations related to information security and data confidentiality (e.g., GLBA, SOX) and desktop, server, application, database, network security principles for risk identification and analysis.
  • Understanding of OWASP, CVSS, the MITRE ATT&CK framework and the software development lifecycle.
  • Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating well.
  • Self-starter requiring minimal supervision.
  • Excellence in communicating business risk and remediation requirements from assessments.
  • Analytical and problem-solving mindset, collaborative, highly organized and efficient.
  • Excellent communication (oral, written, presentation), interpersonal and consultative skills.

SPECIFIC PHYSICAL REQUIREMENTS:

Position requires reasonable mobility in and around the work area and the ability to operate standard office equipment, personal computer systems, and telephone systems.

WORKING CONDITIONS:

  • Normal office environment where there is almost no discomfort due to temperature, dust, noise, or other disagreeable elements.

  • Work includes little or no potential exposure to hazardous conditions.

  • Position requires some weekend and evening assignments, as well as availability during off-hours for participation in scheduled and unscheduled activities.

The above statements are intended to describe the general nature and level of work being performed by people assigned to this classification. They are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required of personnel so classified.


Additional Information

Sandy Spring Bank provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.

This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

If you require a reasonable accommodation to apply for a position, please call our job line at 1-800-399-5919 and select option 5. Requests are considered on a case-by-case basis.

Sandy Spring Bank partners with various job boards to advertise our openings. Please visit our website to confirm the validity of the job posting and avoid any potential fraudulent activity. We encourage and recommend all candidates to apply via our website.


Sandy Spring Bank is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, national origin, sex, disability, gender identity, veteran status, or any other characteristic protected by law. We maintain a drug-free workplace.


Job Summary

Start Date: As soon as possible
Employment Term and Type: Regular, Full Time
Required Education: Bachelor's Degree
Required Experience: 5 years