Manager, Information Security Threat Surface


Title:

Manager, Information Security Threat Surface

Location:

Washington, D.C.

Job Summary

Gibson Dunn is a leading global law firm, advising clients on significant transactions and disputes. Our exceptional teams craft and deploy creative legal strategies that are meticulously tailored to every matter, however complex or high-stakes. The firm’s work is distinguished by a unique combination of precision and vision.

Based in New York, Washington, D.C. or Los Angeles, the Manager, Information Security Threat Surface will be responsible for the development, hands-on execution and ongoing management of programs and initiatives that identify technical vulnerabilities, misconfigurations and other exposures that threaten the confidentiality, integrity and availability of firm systems and data.

The Manager, Information Security Threat Surface advises the Information Security Team on emerging vulnerabilities and newly introduced risks to firm systems, and takes a proactive approach to continually assessing the security of firm systems throughout their lifecycle, providing recommendations for enhancing security and adapting to new threats and vulnerabilities. The scope of this position is firm-wide and requires a thorough understanding of all the IT systems the firm uses and how those systems are secured.

This role reports to the Director, Information Security Governance, Risk & Compliance.

Responsibilities include:

  • Managing/overseeing the firm’s internal technical audit program.
  • Driving and managing the firm’s vulnerability management program, including configuration management and system hardening.
  • Developing and managing the firm’s vendor risk management program.
  • Participating in client audits and related reviews of outside counsel guidelines to ensure alignment with information security program capabilities.
  • Coordinating third party technical risk assessments and related audit activity.
  • Serving as a subject matter expert for information security risk management principles and practices.
  • Designing and performing internal technical risk assessments/audits.
  • Producing and maintaining information security documentation including, but not limited to policies, procedures, standards, guidelines and diagrams.
  • Proactively assessing potential sources of risk and vulnerability in the network.
  • Assisting in the development of, and knowledge transfer to, junior team members as well as other IT group members.

Qualifications

  • Strong written and oral communication skills.
  • Organized, responsive and thorough problem solver.
  • Ability to relate to non-technical users in user-friendly language.
  • Ability to understand the technical implications of security threats.
  • Ability to effectively prioritize and act on threat intelligence.
  • Ability to work collaboratively across departments.
  • Ability to motivate and lead a team of diverse technical professionals.
  • Ability to manage multiple concurrent objectives or activities, and effectively make judgments in prioritizing and time allocation in a high-pressure environment.
  • Ability to write clear and concise reports, including executive summaries.
  • Must demonstrate the ability to maintain strict confidentiality of the firm’s internal and personnel affairs.

Experience

  • University degree in a technology-related discipline, or 3 years of relevant experience.
  • 5+ years of full-time experience in dedicated, technical information security roles.
  • 5-7 years of full-time experience in information technology, in areas such as networking, desktop engineering, programming, or systems administration.
  • One or more of the following certifications is required: CISSP, CISM, CISA, OSCP, GIAC GPEN.
  • Knowledge of and practical experience with applying the Center for Internet Security (CIS) Benchmarks and Controls.
  • Solid working understanding of the MITRE ATT&CK framework.
  • Practical experience extracting and manipulating data across multiple tools/platforms.
  • Practical experience performing vulnerability assessments using tools such as Nessus, Qualys and Rapid7.
  • Practical experience applying both proprietary threat intelligence and OSINT in prioritizing vulnerability remediation.
  • Practical experience implementing, maintaining and administering an Attack Surface Management platform.
  • Practical experience using security assessment tools such as BeEF, Burp Suite, Wireshark, Core Impact, Metasploit, Kali Linux, Nikto, etc.
  • Experience working with third-party providers in coordinating technical risk assessments, including but not limited to penetration testing and red team testing.
  • Strong knowledge of technology risk management concepts and their application.
  • Strong knowledge of the security implications of a variety of technologies, including but not limited to SaaS platforms and cloud infrastructure (Azure), Microsoft Windows, Cisco, Unix/Linux, mobile devices, and other market-leading technology solutions.
  • Experience working in and supporting an ISO 27001 certified Information Security Management System.
  • Strong knowledge of risk management frameworks including ISO 27005, OCTAVE, NIST and COBIT 5.


Gibson Dunn will consider for employment qualified Applicants with Criminal Histories in a manner consistent with the requirements of local law.

Compensation & Benefits:

The annual compensation range for this position is $225,000 to $295,000. The salary offered within this range will depend upon qualifications and other operational considerations.

Benefits offered for this position include health care; retirement benefits; paid days off, including sick time, and vacation time; parental leave; basic life insurance; Flexible Spending Accounts; as well as discretionary, performance-based bonuses.

Gibson Dunn & Crutcher LLP is committed to the principles of equal employment opportunity for all partners, employees and applicants and, in accordance with the applicable federal and state laws, does not discriminate on the basis of sex, race, creed, color, religion, matriculation or political affiliation, national origin, alienage or citizenship status, ancestry, age, marital status or partnership status, family responsibilities, disability, medical condition, personal appearance, genetic information, predisposing genetic characteristics, sexual orientation, military status, status as a victim of domestic violence, stalking and sex offenses, arrest or conviction record, or on any other basis prohibited by law.