Vulnerability and Exposure Management Program Manager

At U.S. Bank, we’re on a journey to do our best. Helping the customers and businesses we serve to make better and smarter financial decisions and enabling the communities we support to grow and succeed. We believe it takes all of us to bring our shared ambition to life, and each person is unique in their potential. A career with U.S. Bank gives you a wide, ever-growing range of opportunities to discover what makes you thrive at every stage of your career. Try new things, learn new skills and discover what you excel at—all from Day One. Job Description Location Expectation This role requires working from a U.S. Bank location three (3) or more days per week. Role Overview The Vulnerability and Exposure Management Program Manager is accountable for the enterprise vulnerability management strategy and operating model—expanding beyond traditional vulnerability management to build and lead a largely newly established continuous exposure management capability. This is a strategic, enterprise-scale leadership role responsible for transforming an evolving program, addressing effectiveness gaps, and improving stakeholder confidence while reducing risk and enabling business and technology development. The role partners across technology and business leadership to embed vulnerability and exposure reduction practices across cloud, data, digital, and AI initiatives. It includes ownership of internal and external exposure management capabilities, including attack surface visibility, attack path mitigation, and risk-based prioritization to reduce real-world exploitability. The leader will operate within a highly regulated environment and must demonstrate strong executive presence and negotiation skills, with the ability to influence senior stakeholders and lead through a multi-layer organization at enterprise scale. Key Responsibilities Define and execute the enterprise vulnerability and exposure management strategy and multi-year roadmap, including transforming program effectiveness and stakeholder outcomes. Build, scale, and lead a largely new exposure management capability, expanding beyond current-state maturity into a comprehensive, enterprise-wide program. Establish and operate a scalable model across infrastructure, applications, cloud, containers, third-party technology, and external attack surface, including governance, decision rights, and escalation paths. Drive risk-based prioritization and remediation by integrating severity, exploitability, threat intelligence, asset criticality, and business context; lead zero-day response and decision-making. Set and enforce remediation SLAs aligned to a faster, AI-influenced threat environment, with strong governance for exceptions and compensating controls. Partner across CIO/CTO organizations, security, engineering, and business lines to embed vulnerability reduction into delivery practices (e.g., CI/CD), platform guardrails, and operational processes. Modernize tooling, processes, and automation (including AI) to improve speed, accuracy, and efficiency of detection and remediation. Deliver executive reporting and insights (KPIs/KRIs), translating technical risk into clear business impact, trends, and actions. Leverage large-scale data analysis (millions of vulnerabilities) to identify themes, root causes, and opportunities for targeted risk reduction. Ensure regulatory and audit readiness through strong documentation, controls, and issue management practices. Lead and develop a multi-layer organization (25–35+ employees), including 5–8 direct reports who are people leaders, focusing on strategy and outcomes rather than hands-on technical execution. Manage budget, vendors, and strategic partnerships, including evaluation and implementation of capabilities to improve coverage and remediation effectiveness. Establish and enhance External Attack Surface Management (EASM) and enterprise asset intelligence, identifying unmanaged or unknown assets and bringing them into governance. Incorporate adversary-informed perspectives into prioritization, aligning efforts with real-world threat behavior and attack paths. Evolve the program toward a continuous, global operating model to support enterprise-scale responsiveness. Basic Qualifications Bachelor’s degree in information security, Computer Science, Information Technology, or a related field; advanced degree preferred Professional certifications such as CISSP, CISM, CISA, or equivalent strongly preferred 10+ years of progressive experience in information security, technology risk, or security operations, including ownership of enterprise-scale programs in large, complex organizations 5+ years of people leadership experience, including leading managers and multi-layer teams (leader of leaders) Demonstrated ability to influence senior executives, drive cross-functional alignment, and deliver results in complex, evolving environments Experience operating in highly regulated industries (e.g., banking, insurance, healthcare) Preferred Skills / Experience Exceptional executive communication and stakeholder management skills, including regulator- and audit-facing interactions Strong negotiation skills to drive alignment, resolve conflict, and deliver outcomes with senior leaders Experience leading vulnerability management and/or exposure management programs at enterprise scale Expertise in risk-based prioritization, vulnerability lifecycle management, and exposure reduction strategies Deep understanding of attack surface management, EASM, and asset discovery across internal and external environments Strong data and analytics capability, including experience working with large datasets and translating insights into action Metrics-driven leadership (KPIs/KRIs, SLA performance, MTTR, risk posture) with a focus on measurable outcomes Experience modernizing security programs through automation, tooling, and AI-enabled capabilities Proven ability to operate at enterprise scale, balancing risk reduction with business enablement in a regulated environment If there’s anything we can do to accommodate a disability during any portion of the application or hiring process, please refer to our disability accommodations for applicants. Benefits: Our approach to benefits and total rewards considers our team members’ whole selves and what may be needed to thrive in and outside work. That's why our benefits are designed to help you and your family boost your health, protect your financial security and give you peace of mind. Our benefits include the following: Healthcare (medical, dental, vision) Basic term and optional term life insurance Short-term and long-term disability Pregnancy disability and parental leave 401(k) and employer-funded retirement plan Paid vacation (from two to five weeks depending on salary grade and tenure) Up to 11 paid holiday opportunities Adoption assistance Sick and Safe Leave accruals of one hour for every 30 worked, up to 80 hours per calendar year unless otherwise provided by law Review our full benefits available by employment status here. U.S. Bank is an equal opportunity employer. We consider all qualified applicants without regard to race, religion, color, sex, national origin, age, sexual orientation, gender identity, disability or veteran status, and other factors protected under applicable law. E-Verify U.S. Bank participates in the U.S. Department of Homeland Security E-Verify program in all facilities located in the United States and certain U.S. territories. The E-Verify program is an Internet-based employment eligibility verification system operated by the U.S. Citizenship and Immigration Services. Learn more about the E-Verify program. The salary range reflects figures based on the primary location, which is listed first. The actual range for the role may differ based on the location of the role. In addition to salary, U.S. Bank offers a comprehensive benefits package, including incentive and recognition programs, equity stock purchase 401(k) contribution and pension (all benefits are subject to eligibility requirements). Pay Range: $170,255.00 - $200,300.00 U.S. Bank will consider qualified applicants with arrest or conviction records for employment. U.S. Bank conducts background checks consistent with applicable local laws, including the Los Angeles County Fair Chance Ordinance and the California Fair Chance Act as well as the San Francisco Fair Chance Ordinance. U.S. Bank is subject to, and conducts background checks consistent with the requirements of Section 19 of the Federal Deposit Insurance Act (FDIA). In addition, certain positions may also be subject to the requirements of FINRA, NMLS registration, Reg Z, Reg G, OFAC, the NFA, the FCPA, the Bank Secrecy Act, the SAFE Act, and/or federal guidelines applicable to an agreement, such as those related to ethics, safety, or operational procedures. Applicants must be able to comply with U.S. Bank policies and procedures including the Code of Ethics and Business Conduct and related workplace conduct and safety policies. Posting may be closed earlier due to high volume of applicants. At U.S. Bank, we’re on a journey to do our best. Helping the customers and businesses we serve to make better and smarter financial decisions and enabling the communities we support to grow and succeed. We believe it takes all of us to bring our shared ambition to life, and each person is unique in their potential. A career with U.S. Bank gives you a wide, ever-growing range of opportunities to discover what makes you thrive at every stage of your career. Try new things, learn new skills and discover what you excel at—all from Day One.