Infosec Analyst

Key Responsibilities

Exception Review & Risk Assessment

· Review and assess security exception requests for compliance with Enterprise Vulnerability standards and supporting policies.

· Validate business justifications, compensating controls, and risk responses (Mitigate, Accept, Transfer, Avoid).

· Ensure exceptions align with the Exceptions Management Program and include required documentation and leadership approvals.

· Challenge insufficient or unjustified exceptions, prioritizing remediation over risk acceptance.

Vulnerability Governance & Remediation Oversight

· Monitor and track critical and high vulnerabilities across application and infrastructure portfolios.

· Enforce remediation timelines in accordance with defined Service Level Objectives (SLOs).

· Ensure vulnerabilities exceeding SLOs are either remediated or formally documented via approved exceptions.

· Validate remediation through coordination with security tooling, rescans, or evidence-based confirmation.

Stakeholder Engagement & Reach-Out

· Proactively engage application and platform owners with critical risk exposure or past-due vulnerabilities.

· Communicate risk clearly, including exploitability, business impact, and compliance implications.

· Drive accountability through follow-ups, escalation paths, and alignment with leadership where required.

· Support application teams in understanding remediation options and security requirements.

Security Tooling & Data Analysis

· Leverage results from enterprise security tools (e.g., SAST, DAST, SCA, IRIS, Tenable, API security tools) to identify and track vulnerabilities.

· Analyze risk metrics, dashboards, and reports (e.g., Application Health, vulnerability reports) to prioritize actions.

· Correlate findings across tools to identify systemic risk patterns and recurring issues.

Policy & Standards Alignment

· Ensure adherence to:

· Application Security Policy

· Enterprise Vulnerability Standard

· Application Vulnerability Management Procedure

· Interpret and translate policy requirements into actionable guidance for engineering teams.

· Identify gaps or non-compliance and recommend corrective actions.

Continuous Threat Exposure Management (CTEM) Support

· Contribute to continuous risk identification, prioritization, and validation efforts.

· Support risk-based prioritization using exploitability, asset criticality, and exposure context.

· Assist in reducing attack surface and improving overall security posture.

Required Qualifications

Technical & Security Expertise

· Strong understanding of:

· Application Security (OWASP Top 10, secure coding practices)

· Vulnerability management lifecycle and risk-based prioritization

· Security testing methodologies (SAST, DAST, SCA, API security)

· Familiarity with enterprise security tools and platforms

· Ability to interpret vulnerability data, CVSS scoring, and exploitability context.

Risk & Governance Knowledge

· Experience with security exceptions management and risk acceptance processes.

· Understanding of SLO-driven remediation and escalation models.

· Ability to assess compensating controls and residual risk.

Communication & Stakeholder Management

· Ability to engage technical and non-technical stakeholders effectively.

· Strong written and verbal communication skills for risk articulation and escalation.

· Experience driving remediation through influence rather than authority.