Analyst IT Vulnerability Management

Position Summary At JetBlue, cybersecurity is driven by risk management, threat-informed defense, and operational resilience. The Analyst, Vulnerability Management - Cloud supports JetBlue's vulnerability management program across cloud-hosted infrastructure, cloud control planes, containers, infrastructure as code, and application-adjacent cloud services. This Crewmember identifies, analyzes, validates, reports, and coordinates remediation of cloud vulnerabilities and misconfigurations across JetBlue's multi-cloud environment, including AWS, Azure, GCP, OCI, and future cloud platforms as adopted. The Analyst works closely with Cybersecurity, Cloud Engineering, DevOps, Infrastructure, Application, Product, GRC, Threat Intelligence, and Managed Service Provider teams to improve vulnerability visibility, remediation accountability, and risk-based prioritization. Essential Responsibilities * Conduct and support vulnerability assessments across cloud-hosted infrastructure, cloud configurations, containers, Kubernetes, infrastructure as code, application components, and related cloud services. * Use approved vulnerability management, cloud security, CSPM/CNAPP, container, code-scanning, and external attack-surface tools to identify vulnerabilities, misconfigurations, exposed services, outdated software, and insecure deployment patterns. * Analyze findings using severity, exploitability, CISA KEV status, exposure, asset criticality, data sensitivity, compensating controls, and business impact. * Coordinate with cloud engineering, DevOps, application, infrastructure, and product owners to prioritize and track remediation through patching, configuration changes, code changes, image updates, infrastructure-as-code changes, or compensating controls. * Validate remediation through rescans, evidence review, configuration review, ticket closure checks, or other approved verification methods. * Assist with authenticated scan coverage, agent deployment coordination, cloud account onboarding, asset tagging, ownership validation, and CMDB/application mapping. * Support remediation governance by tracking findings against JetBlue policy timelines and escalating overdue, disputed, or blocked remediation items. * Collaborate with engineering and QA teams to ensure proper Software Development Life Cycle (SDLC) practices and minimize the release of vulnerable software through the deployment pipeline. * Route non-remediated or delayed findings through the approved cyber risk exception / acceptance process when required. * Configure and maintain vulnerability metrics and reporting for cloud findings, remediation progress, risk exposure, aging, coverage gaps, recurring issues, and exception trends. * Partner with Threat Intelligence, Detection & Response, Penetration Testing, and Application Security teams to incorporate active exploitation, external exposure, attack path, and test-result context into prioritization. * Support Cyber compliance requirements with evidence, reporting, and control validation for PCI, SOX, TSA-related obligations, and other applicable oversight frameworks. * Participate in cross-functional working sessions to improve cloud vulnerability remediation processes, reduce direct exposure, strengthen compensating controls, and improve cloud security visibility. * Other duties as assigned. Minimum Experience and Qualifications * Bachelor's Degree in Computer Science, Information Security, Information Technology, Cybersecurity, Cloud Computing, or a related field; OR demonstrated capability to perform job responsibilities with a High School Diploma/GED and at least four (4) years of previous relevant work experience * One (1) year of experience in vulnerability management, cloud security, security operations, infrastructure security, DevOps, application security, or a related cybersecurity role. * Working knowledge of at least one major cloud provider; AWS/Azure preferred. * Experience with vulnerability scanning tools such as Tenable, Qualys, Rapid7, Prisma Cloud, Wiz, Defender for Cloud, AWS Inspector, or similar. * Understanding of cloud shared responsibility models, cloud networking, identity, compute, storage, containers, Kubernetes, and infrastructure-as-code concepts. * Ability to analyze scan results, identify false positives, validate risk, and communicate remediation needs clearly. * Knowledge of vulnerability risk factors such as CVSS, exploitability, internet exposure, asset criticality, data sensitivity, compensating controls, and remediation timelines. * Familiarity with patch management, configuration remediation, change management, and remediation validation. * Strong written and verbal communication skills with the ability to interact effectively with stakeholders across all levels of the organization. * Ability to work collaboratively with Cybersecurity, IT, DevOps, infrastructure, product, application, compliance, and managed service provider teams.Available for occasional overnight travel (10%). * Must pass a pre-employment drug test. * Must be legally eligible to work in the country in which the position is located. * Authorization to work in the United States is required; this position is not eligible for visa sponsorship. Preferred Experience and Qualifications * Two (2) years of experience in vulnerability management, cloud security, DevSecOps, infrastructure security, or application security. * Experience with CSPM, CNAPP, CWPP, container scanning, code scanning, IaC scanning, or external attack surface management. * Working knowledge with AWS Systems Manager, Azure Update Manager, cloud-native patching tools, or enterprise patch platforms. * Understanding with Kubernetes, container registries, golden images, base-image maintenance, and CI/CD security gates. * Experience using Terraform, CloudFormation, ARM/Bicep, Kubernetes manifests, or other infrastructure-as-code technologies. * Knowledge of NIST CSF, CIS Controls, CIS Benchmarks, PCI DSS, TSA cybersecurity requirements, ISO 27001, or similar standards. * Certifications such as Security+, CySA+, AWS Security Specialty, Azure Security Engineer, Google Professional Cloud Security Engineer, CCSK, CCSP, or equivalent. Crewmember Expectations * Regular attendance and punctuality. * Potential need to work flexible hours and be available to respond on short notice. * Able to maintain a professional appearance. * When working or traveling on JetBlue flights, and if time permits, all capable crewmembers are asked to assist with light cleaning of aircraft. * Must be an appropriate organizational fit for the JetBlue culture, that is, exhibit the JetBlue values of Safety, Caring, Integrity, Passion and Fun. * Promote JetBlue's #1 value of safety as a Safety Ambassador, supporting JetBlue's Safety Management System components, Safety Policy, and behavioral standards. * Identify safety and/or security concerns, issues, incidents or hazards that should be reported and report them whenever possible and by any means necessary including JetBlue's confidential reporting systems (Aviation Safety Action Program (ASAP) or Safety Action Report (SAR)) * The use of ChatGPT or any other automated tool during the interview process will disqualify a candidate from being considered for the position. Equipment * Computer and other office equipment. Work Environment * Traditional office environment. Physical Effort * Generally not required, or up to 10 pounds occasionally, 0 pounds frequently. (Sedentary) Compensation * The base pay range for this position is between $70,000.00 and $120,000.00 per year. Base pay is one component of JetBlue's total compensation package, which may also include access to healthcare benefits, a 401(k) plan and company match, crewmember stock purchase plan, short-term and long-term disability coverage, basic life insurance, free space available travel on JetBlue, and more. #LI-AC1 #LI-Hybrid JetBlue Airways is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status, or any other legally protected basis.