Role: InfoSec Analyst – InfoSec
Location: Phoenix, AZ (onsite 3 days in office)
Overview:
The Information Security Analyst for the Remediation Operations team is responsible for evaluating security exceptions, assessing associated risk, and driving remediation of critical and high-risk vulnerabilities across applications and platforms. This role operates within the Application Security and Infrastructure Security ecosystem, ensuring adherence to Enterprise Vulnerability standards and reducing enterprise risk exposure.
Key Responsibilities:
Exception Review & Risk Assessment
· Review and assess security exception requests for compliance with Enterprise Vulnerability standards and supporting policies.
· Validate business justifications, compensating controls, and risk responses (Mitigate, Accept, Transfer, Avoid).
· Ensure exceptions align with the Exceptions Management Program and include required documentation and leadership approvals.
· Challenge insufficient or unjustified exceptions, prioritizing remediation over risk acceptance.
Vulnerability Governance & Remediation Oversight
· Monitor and track critical and high vulnerabilities across application and infrastructure portfolios.
· Enforce remediation timelines in accordance with defined Service Level Objectives (SLOs).
· Ensure vulnerabilities exceeding SLOs are either remediated or formally documented via approved exceptions.
· Validate remediation through coordination with security tooling, rescans, or evidence-based confirmation.
Stakeholder Engagement & Reach-Out
· Proactively engage application and platform owners with critical risk exposure or past-due vulnerabilities.
· Communicate risk clearly, including exploitability, business impact, and compliance implications.
· Drive accountability through follow-ups, escalation paths, and alignment with leadership where required.
· Support application teams in understanding remediation options and security requirements.
Security Tooling & Data Analysis
· Leverage results from enterprise security tools (e.g., SAST, DAST, SCA, IRIS, Tenable, API security tools) to identify and track vulnerabilities.
· Analyze risk metrics, dashboards, and reports (e.g., Application Health, vulnerability reports) to prioritize actions.
· Correlate findings across tools to identify systemic risk patterns and recurring issues.
Policy & Standards Alignment
· Ensure adherence to:
    · Application Security Policy
    · Enterprise Vulnerability Standard
    · Application Vulnerability Management Procedure
· Interpret and translate policy requirements into actionable guidance for engineering teams.
· Identify gaps or non-compliance and recommend corrective actions.
Continuous Threat Exposure Management (CTEM) Support
· Contribute to continuous risk identification, prioritization, and validation efforts.
· Support risk-based prioritization using exploitability, asset criticality, and exposure context.
· Assist in reducing attack surface and improving overall security posture.
Required Qualifications
Technical & Security Expertise
· Strong understanding of:
    · Application Security (OWASP Top 10, secure coding practices)
    · Vulnerability management lifecycle and risk-based prioritization
    · Security testing methodologies (SAST, DAST, SCA, API security)
· Familiarity with enterprise security tools and platforms
· Ability to interpret vulnerability data, CVSS scoring, and exploitability context.
Risk & Governance Knowledge
· Experience with security exceptions management and risk acceptance processes.
· Understanding of SLO-driven remediation and escalation models.
· Ability to assess compensating controls and residual risk.
Communication & Stakeholder Management
· Ability to engage technical and non-technical stakeholders effectively.
· Strong written and verbal communication skills for risk articulation and escalation.
· Experience driving remediation through influence rather than authority.
Preferred Qualifications
· Experience within financial services or highly regulated environments.
· Familiarity with Enterprise Vulnerability Management or similar enterprise security frameworks.
· Exposure to CTEM practices and risk-based security operations.
· Experience working with cloud, APIs, or distributed systems.
Key Success Metrics
· Reduction in critical/high vulnerabilities past SLO
· Decrease in exception volume and aging exceptions
· Improved application security posture
· Timely engagement and remediation outcomes with application teams
· Quality and completeness of exception reviews and risk assessments
Role Positioning
This role is not a passive reviewer. It is an active risk driver responsible for:
· Enforcing security standards
· Driving remediation outcomes
· Preventing misuse of exceptions as a substitute for fixing risk