Vulnerability Management Lead

The KPMG EWT function is a cornerstone of our business. We do work that matters to our local business and communities – supporting technical innovation and adoption of cutting-edge solutions across the UK. Working on complex engagements in enterprise technology, this team is responsible for the delivery of cutting-edge technical solutions and trusted to get it right first time.

KPMG is one of the world's largest and most respected consultancy businesses, we've supported the UK through times of war and peace, prosperity and recession, political and regulatory upheaval. We've proudly stood beside the institutions and businesses which make the UK what it is.

This role is in the Security Advisory and Assessment (SAA) team, within the KPMG UK Information Security function. The SAA team are critical in the assessment, development and delivery of innovative, technology-enabled secure solutions for KPMG and our clients. The SAA team is vital to KPMG’s ability to demonstrate that we are delivering ‘secure by design’ solutions such that our business stakeholders, our clients and our regulators trust KPMG.

What will you be doing?

• The role involves leading and being accountable for the end-to-end vulnerability management (VM) service.
• The vulnerability management service helps defend KPMG and its clients by ensuring scans of KPMG information assets are performed and pro-actively managing vulnerabilities in conjunction with Enterprise wide and Technology engineering teams, in alignment with KPMG risk objectives.
• Manage the security services relationship to protect the delivery of the end to service services that involve all KPMG UK Technology services, or third-party suppliers.
• Provide governance for infrastructure security services.
• Provide an overview of the complete set of services provided by all KPMG UK Technology services, or third-party suppliers and troubleshoot any issues and escalate as appropriate.

The Vulnerability Management Lead will:

• Develop the service, using automation, digitisation, security by design and a customer focussed approach as appropriate, and formulate a service strategy for VM within the agreed budget;
• Understand the dependencies & work collaboratively with aligned services & departments such as Data Privacy, Technology, Risk & Legal to provide a consistent and reliable service & approach;
• Maintain good relationships with customer groups and ensure customer satisfaction, by monitoring quality & escalating issues as necessary;
• Take accountability for the VM service and oversee the delivery and quality of the service by your team, other KPMG teams and third parties;
• Lead and manage a team of high performing professionals in delivering the vulnerability management service;
• Provide opportunities and training to develop the skills needed to meet the future needs of the service;
• Be accountable for performing technical risk assessments on vulnerabilities and recommending remediation prioritisation or approving exceptions if necessary;
• Be accountable for working with various internal and external sources to review threat intelligence and vulnerability alerts, assess impact of vulnerabilities in conjunction with Technology and then prioritise actions based on the vulnerability assessment through a risk-based approach to meet KPMG objectives;
• Be accountable for team of specialists who provide subject matter expertise, such as recommending remediation strategies and providing advice on complex configuration changes in support of vulnerability remediation;
• Be accountable for ensuring service documentation, such as process guides, are maintained and kept up to date;
• Be accountable for lifecycle ownership of in-scope technology that supports the vulnerability management service;
• Be responsible for providing reporting to leadership and other service stakeholders on service performance (against KPIs) and vulnerability risk exposure (against KRIs);
• Be responsible for inputting to and reviewing information security policy and standards related to vulnerability management;
• Be responsible for attending and supporting internal and external audits from a vulnerability management service perspective;
• Be responsible for building and maintaining strong relationships with key stakeholders, such as Information Security leadership, CTO’s, Technology Operations, business service owners and any 3rd parties;
• Provide advice to senior leadership on ways to improve control mechanisms, identify, evaluate, and mitigate risks;
• Work towards and achieve or extend professional certifications as part of personal development;
• Share experiences with others to assist their learning and understanding.

What will you need to do it?

• Excellent and relevant experience in a similar vulnerability management leadership role;
• Strong understanding of tooling associated with vulnerability management such as Qualys, Microsoft Defender ATP and ServiceNow.
• Experience and knowledge in vulnerability management of applications and infrastructure within the Cloud, such as AWS, Azure and GCP;
• Experience with managing senior stakeholders;
• Be able to demonstrate the ability to adapt communication style to explain technical concepts to different people within an organisation whether advising stakeholders, directing teams or sharing experience;
• Experience of successfully working in a fast paced, customer service environment, delivering high quality information security services;
• Be calm in challenging situations, able to navigate through complex security problems to find a root cause and balanced outcome.

Skills we’d love to see/Amazing Extras:

• It would be advantageous if you can demonstrate some, or all of:
• Experience with managing a service and developing a product lifecycle;
• Experience with managing third parties to deliver elements of your service;
• Experience and knowledge of container and serverless platforms;
• Any security or vulnerability management product certification.

Our Locations:

With 20 sites across the UK, we can potentially facilitate office work, working from home, flexible hours, and part-time options. If you have a need for flexibility, please register and discuss this with our team.