Vulnerability and Exposure Management Program Manager

Vulnerability And Exposure Management Program Manager

At U.S. Bank, we're on a journey to do our best. Helping the customers and businesses we serve to make better and smarter financial decisions and enabling the communities we support to grow and succeed. We believe it takes all of us to bring our shared ambition to life, and each person is unique in their potential. A career with U.S. Bank gives you a wide, ever-growing range of opportunities to discover what makes you thrive at every stage of your career. Try new things, learn new skills and discover what you excel atall from Day One.

This role requires working from a U.S. Bank location three (3) or more days per week.

The Vulnerability And Exposure Management Program Manager is accountable for the enterprise vulnerability management strategy and operating modelexpanding beyond traditional vulnerability management to build and lead a largely newly established continuous exposure management capability.

This is a strategic, enterprise-scale leadership role responsible for transforming an evolving program, addressing effectiveness gaps, and improving stakeholder confidence while reducing risk and enabling business and technology development.

The role partners across technology and business leadership to embed vulnerability and exposure reduction practices across cloud, data, digital, and AI initiatives. It includes ownership of internal and external exposure management capabilities, including attack surface visibility, attack path mitigation, and risk-based prioritization to reduce real-world exploitability.

The leader will operate within a highly regulated environment and must demonstrate strong executive presence and negotiation skills, with the ability to influence senior stakeholders and lead through a multi-layer organization at enterprise scale.

Key Responsibilities

• Define and execute the enterprise vulnerability and exposure management strategy and multi-year roadmap, including transforming program effectiveness and stakeholder outcomes.
• Build, scale, and lead a largely new exposure management capability, expanding beyond current-state maturity into a comprehensive, enterprise-wide program.
• Establish and operate a scalable model across infrastructure, applications, cloud, containers, third-party technology, and external attack surface, including governance, decision rights, and escalation paths.
• Drive risk-based prioritization and remediation by integrating severity, exploitability, threat intelligence, asset criticality, and business context; lead zero-day response and decision-making.
• Set and enforce remediation SLAs aligned to a faster, AI-influenced threat environment, with strong governance for exceptions and compensating controls.
• Partner across CIO/CTO organizations, security, engineering, and business lines to embed vulnerability reduction into delivery practices (e.g., CI/CD), platform guardrails, and operational processes.
• Modernize tooling, processes, and automation (including AI) to improve speed, accuracy, and efficiency of detection and remediation.
• Deliver executive reporting and insights (KPIs/KRIs), translating technical risk into clear business impact, trends, and actions.
• Leverage large-scale data analysis (millions of vulnerabilities) to identify themes, root causes, and opportunities for targeted risk reduction.
• Ensure regulatory and audit readiness through strong documentation, controls, and issue management practices.
• Lead and develop a multi-layer organization (2535+ employees), including 58 direct reports who are people leaders, focusing on strategy and outcomes rather than hands-on technical execution.
• Manage budget, vendors, and strategic partnerships, including evaluation and implementation of capabilities to improve coverage and remediation effectiveness.
• Establish and enhance External Attack Surface Management (EASM) and enterprise asset intelligence, identifying unmanaged or unknown assets and bringing them into governance.
• Incorporate adversary-informed perspectives into prioritization, aligning efforts with real-world threat behavior and attack paths.
• Evolve the program toward a continuous, global operating model to support enterprise-scale responsiveness.

Basic Qualifications

• Bachelor's degree in information security, Computer Science, Information Technology, or a related field; advanced degree preferred
• Professional certifications such as CISSP, CISM, CISA, or equivalent strongly preferred
• 10+ years of progressive experience in information security, technology risk, or security operations, including ownership of enterprise-scale programs in large, complex organizations
• 5+ years of people leadership experience, including leading managers and multi-layer teams (leader of leaders)
• Demonstrated ability to influence senior executives, drive cross-functional alignment, and deliver results in complex, evolving environments
• Experience operating in highly regulated industries (e.g., banking, insurance, healthcare)

Preferred Skills / Experience

• Exceptional executive communication and stakeholder management skills, including regulator- and audit-facing interactions
• Strong negotiation skills to drive alignment, resolve conflict, and deliver outcomes with senior leaders
• Experience leading vulnerability management and/or exposure management programs at enterprise scale
• Expertise in risk-based prioritization, vulnerability lifecycle management, and exposure reduction strategies
• Deep understanding of attack surface management, EASM, and asset discovery across internal and external environments
• Strong data and analytics capability, including experience working with large datasets and translating insights into action
• Metrics-driven leadership (KPIs/KRIs, SLA performance, MTTR, risk posture) with a focus on measurable outcomes
• Experience modernizing security programs through automation, tooling, and AI-enabled capabilities
• Proven ability to operate at enterprise scale, balancing risk reduction with business enablement in a regulated environment

If there's anything we can do to accommodate a disability during any portion of the application or hiring process, please refer to our disability accommodations for applicants.

Benefits

Our approach to benefits and total rewards considers our team members' whole selves and what may be needed to thrive in and outside work. That's why our benefits are designed to help you and your family boost your health, protect your financial security and give you peace of mind. Our benefits include the following:

• Healthcare (medical, dental, vision)
• Basic term and optional term life insurance
• Short-term and long-term disability
• Pregnancy disability and parental leave
• 401(k) and employer-funded retirement plan
• Paid vacation (from two to five weeks depending on salary grade and tenure)
• Up to 11 paid holiday opportunities
• Adoption assistance
• Sick and Safe Leave accruals of one hour for every 30 worked, up to 80 hours per calendar year unless otherwise provided by law

U.S. Bank is an equal opportunity employer. We consider all qualified applicants without regard to race, religion, color, sex, national origin, age, sexual orientation, gender identity, disability or veteran status, and other factors protected under applicable law.