Senior Analyst, Vulnerability Management

Reference Code 4619

Country:

US Locations: USA - Tampa

Deloitte Global is the engine of the Deloitte network. Our professionals reach across disciplines and borders to develop and lead global initiatives. We deliver strategic programs and services that unite our organization.

Work you'll do

Work you’ll do:

As a Vulnerability Management T2 Operator, you will leverage your expertise to ensure the Vulnerability Management Service consistently delivers high-quality results across regional areas, in alignment with Deloitte’s best practices and recognized industry standards. You will be responsible for the initial triage and prioritization of critical vulnerabilities, ensuring swift action on high-impact risks. You will develop, maintain, and optimize infrastructure, focusing on continuous improvement and automation of the service roadmap. By adhering to frameworks such as NIST, ISO/IEC 27001, and Deloitte’s internal protocols, you will maximize value for global service teams and member firms, ensuring that processes remain secure, efficient, and compliant with regulatory requirements.

Manage Global Vulnerability Management (VM) Infrastructure:

• Oversee the global VM infrastructure and conduct analysis, implementation, and orchestration of regional VM operational solutions.
• Monitor maintenance and drive continual improvement of vulnerability management infrastructure, initiatives, integrations, and processes.
• Act as a regional operator managing and optimizing VM scanning tools (e.g., Qualys, Tenable, Rapid7).
• Manage major service upgrades and changes to core platforms to ensure consistency and stability.
• Improve and automate existing vulnerability management systems.

Vulnerability Analysis and Validation:

• Perform in-depth review and validation of vulnerability findings from enterprise scanning and threat intelligence sources.
• Analyze exploitability, asset criticality, exposure, and business impact for accurate prioritization.
• Identify and resolve false positives, compensating controls, and misclassified risks.
• Perform information system security vulnerability scanning across networks, operating systems, applications, databases, and other system components.
• Support rapid response activities for zero-day and executive-level priority vulnerabilities.
• Research and assess emerging security threats and vulnerabilities.

Strategic Guidance and Team Support:

• Provide strategic recommendations to the VM team on major changes or tactical enhancements to improve quality, resiliency, value, and exploit new business opportunities.
• Serve as the primary escalation point for Tier 1 analysts, critical vulnerabilities, and SLA-at-risk findings.
• Act as a liaison between Member Firms, Infrastructure, Cloud, Application, and Engineering teams and other Global teams.
• Be the main point of contact for the team, representing the team as subject matter expert.
• Provide technical support for vulnerability management projects.
• Act as tooling subject matter expert to provide insight and guidance on service deployment structure.

Remediation and Communication:

• Clearly communicate remediation expectations, timelines, and technical guidance to asset owners.
• Track remediation commitments, validate fixes through rescans or evidence review, and ensure audit-defensible closure.
• Monitor remediation methods in place and ensure timely completion.
• Support exception handling, risk acceptance reviews, and compensating control documentation.
• Prepare reports on metrics, remediation guidance, and technical risk evaluation.
• Provide exposure reports for vulnerabilities, assets, and software.

Operational Excellence:

• Troubleshoot authenticated scanning, coverage gaps, and data quality issues.
• Maintain accurate ticketing and vulnerability records in enterprise workflow tools.
• Identify operational inefficiencies and recommend improvements to processes, runbooks, and tooling.
• Contribute to vulnerability trend analysis, SLA metrics, and leadership reporting inputs.
• Assist in the development of best practices to mitigate against common threats and assess damage potential.
• Manage multiple projects including ongoing scanning, security awareness, documentation, and technical reviews.
• Maintain documentation regarding threat management, including policies and procedures.

Day-to-Day Support Activities:

• Develop ad-hoc scripts, reports, or dashboards to enhance, automate, and drive service enhancement in the use of vulnerability management tools and triage of data.
• Respond to time-sensitive requests from member firms and patching teams.
• Perform recurring and on-demand scanning of organization systems and cloud environments.
• Monitor vulnerability scans to assess, prioritize, and report findings, providing recommended remediation actions.
• Gather security notifications from vendors and perform initial analysis and reporting.

The team

Global Technology Services works at the forefront of technology development and processes to support and protect Deloitte around the world. In this truly global environment, we operate not in "what is" but rather "what can be" to help Deloitte deliver and connect with its clients, its communities, and one another in ways not previously conceived.

Qualifications

Required:

• Bachelor’s degree in Computer Science, Information Security, Information Systems, or a related field (or equivalent practical experience).
• 5+ years of experience in vulnerability management, security operations, or infrastructure security.
• Strong working knowledge of vulnerability scanning platforms (e.g., Qualys, Tenable, Rapid7, cloud security tools).
• Demonstrated experience triaging and managing critical and high‑risk vulnerabilities in large, complex environments.
• Solid understanding of:
  • CVSS, exploitability, and threat intelligence
  • OS and application patching lifecycles
  • On‑prem, cloud, and hybrid environments
• Strong ability to clearly communicate complex cybersecurity statements to technical and non-technical audiences at various hierarchical levels
• Experience working with CMDBs and ticketing systems (e.g., ServiceNow).
• Ability to translate technical risk into clear, actionable guidance for non‑security stakeholders.

Preferred:

• Demonstrated experience operating within a mature enterprise vulnerability management or security operations program, beyond entry‑level monitoring.
• Hands‑on exposure to complementary security domains such as penetration testing, SIEM operations, threat detection, or network security controls, with the ability to contextualize findings.
• Experience contributing to the design, enhancement, or rollout of security technologies or VM processes in large or complex environments.
• Background supporting IT controls monitoring, audit readiness, or regulatory/compliance‑driven security requirements.
• Experience developing or enhancing risk, vulnerability, or SLA reporting using visualization or dashboarding tools for operational or leadership audiences.
• Working knowledge of cloud computing, automation, networking, and application architectures, with the ability to assess risk across hybrid environments.
• Experience with vulnerability data management, including normalization, prioritization, and process or reporting automation.
• Strong understanding of OWASP Top 10 risks and common secure software development controls.
• Familiarity with at least one major cloud platform (Azure, AWS, and/or GCP) in an enterprise context.
• Practical knowledge of vulnerability standards and scoring frameworks such as CVSS, CVE, and exploit intelligence sources.
• Experience analyzing large or complex data sets to identify risk trends, operational gaps, or remediation bottlenecks.
• Exposure to automation or scripting to reduce manual effort and improve operational efficiency.
• Proven ability to work effectively in cross‑functional, matrixed environments, influencing stakeholders without direct authority.
• Strong understanding of modern threat landscapes, common attack vectors, and indicators of compromise (IOCs).
• Familiarity with Secure Software Development Lifecycle (SSDLC) concepts and security controls.
• Ability to communicate technical risk clearly to both technical teams and non‑technical stakeholders.

Limited immigration sponsorship may be available.

Our culture

At Deloitte Global people are valued and respected for who they are – with opportunities to bring their unique perspectives, talents and passions to business challenges. Our global workspace creates room for individuality and collaboration. Ours is an inclusive, supportive, connected culture with a focus on development, flexibility, and well-being. This culture makes Deloitte Global one of the most rewarding places to work, and to transform your career.

Professional development

From entry-level employees to senior leaders, we believe in investing in you, helping you identify and hone your unique strengths at every step of your career. We offer opportunities to build new skills, take on leadership opportunities, and connect and grow through mentorship. From on-the-job learning experiences to formal development programs, our professionals have a variety of opportunities to continue to grow throughout their career.

Benefits

At Deloitte, we value our people and offer employees a broad range of benefits. Our Total Rewards program reflects our continued commitment to lead from the front in everything we do—that’s why we take pride in offering a comprehensive variety of programs and resources to support your health and well-being.

Recruiting for this role ends on .