HarbourVest Partners

Director, Vulnerability Management

Reposted 3 Days Ago
In-Office
Boston, MA
172K-258K Annually
Senior level
The role involves leading and managing the enterprise vulnerability management strategy and program, overseeing vulnerability scanning, risk assessments, and coordinating remediation across infrastructure and applications while developing reporting and compliance strategies.
The summary above was generated by AI

Job Description Summary

For over forty years, HarbourVest has been home to a committed team of professionals with an entrepreneurial spirit and a desire to deliver impactful solutions to our clients and investing partners. As our global firm grows, we continue to add individuals who seek a collaborative, open-door culture that values diversity and innovative thinking.

In our collegial environment that’s marked by low turnover and high energy, you’ll be inspired to grow and thrive. Here, you will be encouraged to build on your strengths and acquire new skills and experiences.

We are committed to fostering an environment of inclusion that promotes mutual respect among all employees. Understanding and valuing these differences optimizes the potential of both the individual and the firm.

HarbourVest is an equal opportunity employer.

This position will be a hybrid work arrangement, which translates to 4 days minimum per week in the office.

This individual will work in a cross-functional capacity, partnering with infrastructure, application, and business teams to identify, assess, and remediate vulnerabilities across the enterprise. They will be responsible for managing the vulnerability lifecycle, including scanning, prioritization, and remediation tracking, as well as developing and maintaining processes to ensure timely patching and risk reduction. In addition, this role will lead incident response efforts, coordinating detection, containment, eradication, and recovery activities—while continuously improving HarbourVest’s incident response playbooks and capabilities.

The ideal candidate is someone who is:

  • Passionate about results, goal driven, outspoken, accountable, and collaborative

  • Able to drive business decisions using data and comfortable reporting on metrics

  • Familiar with working at a company with a global presence spanning multiple time zones

  • Strongly committed to ethical practices and to maintaining the highest standards of honesty and transparency

  • A self-starter with demonstrable ability to work independently, think on their feet and prioritize tasks and time effectively

  • Proactive in identifying and addressing potential issues before they become significant problems

  • An exceptional communicator, both in writing and verbally

  • Expert in the various common cyber security frameworks (ISO27001, NIST CSF & 800-53, etc.)

What you will do:

  • Develop, lead and be accountable end to end for the enterprise vulnerability management strategy, roadmap, and program.

  • Oversee vulnerability scanning, risk assessments, and prioritization processes across infrastructure, applications, containers, cloud environments, and critical third parties.

  • Own vulnerability management platforms, ensuring optimal configuration, tuning, and coverage.

  • Partner with Technology teams, business teams, and asset owners to drive remediation and track progress.

  • Provide threat-based prioritization of vulnerabilities using CVSS, threat intelligence, exploitability data, and business context.

  • Lead the response to high-profile vulnerabilities (e.g., zero-days, critical CVEs) with timely impact analysis and coordinated remediation actions.

  • Develop and present executive-level reporting on vulnerability trends, KRIs, KPIs, and risk posture.

  • Maintain compliance with relevant standards and frameworks (e.g., NIST CSF 2.0).

  • Own governance for exception handling and risk acceptance processes related to un-remediated vulnerabilities.

  • Lead, mentor, and grow a team of vulnerability analysts.

  • Develop awareness campaigns to promote the importance of vulnerability management and compliance across the organization.

  • Oversee and track enterprise-wide SLA compliance for vulnerability remediation, focusing on timely resolution across all asset classes.

  • Analyze SLA trends, identify non-compliance patterns, and work with asset owners to address gaps.

  • Escalate risks related to overdue vulnerabilities to leadership in accordance with established protocols.

  • Design, maintain, and optimize dashboards and reporting mechanisms to provide actionable insights for executives, asset owners, and security teams.

  • Stay informed on industry trends, tools, and best practices to recommend and implement program improvements.

What you bring:

  • Bachelor’s degree or higher in Computer Science, Information Security, Engineering, or related field.

  • 5+ years of experience in cybersecurity, with at least 3 years in a leadership or management capacity.

  • Proven experience building or leading a mature vulnerability management program at scale.

  • Deep understanding of vulnerability scanning technologies, CVSS scoring, and threat modeling.

  • Strong knowledge of cloud platforms (AWS, Azure), and container security.

  • Familiarity with compliance frameworks and standards.

  • Experience managing and mentoring technical teams and working cross-functionally with non-security teams.

  • Excellent communication and stakeholder engagement skills with the ability to convey complex risk topics to executive audiences.

  • Strong program management skills with a solid understanding of vulnerability management, governance, and stakeholder engagement.

  • Strong problem-solving skills, flexibility, and the ability to take initiative.

  • Relevant certifications (e.g., CISSP, CISM, OSCP, or similar) preferred.

  • Experience integrating vulnerability management with SIEM, ticketing, and asset management tools.

  • Strong understanding of risk management and cyber risk quantification.

  • Excellent communication skills and the ability to work cross-functionally with Engineering, Product, and DevOps

Education Preferred

  • BS in Computer Science, Information Security, or equivalent work experience

Experience

  • 5+ years of relevant work experience

Salary Range

$172,000.00 - $258,000.00

This USD base salary range represents only one component of total compensation for this role and is provided in accordance with local requirements. This role is eligible for a discretionary annual bonus, which is determined based on individual and overall firm performance. In addition to salary and bonus, total compensation may include eligibility for long-term reward programs and a comprehensive total rewards package that may include retirement, health, insurance, paid time off, and wellness programs. Our total rewards offerings are influenced by several business factors, and eligibility for certain components will vary by position and geography. Please note the posted ranges do not apply outside the U.S. and should not be converted to other currencies as a proxy for compensation in other countries.

Top Skills

AWS
Azure
ISO27001
NIST 800-53
NIST CSF
HQ

HarbourVest Partners Boston, Massachusetts, USA Office

One Financial Center, Boston, MA, United States, 02111
