Senior Vulnerability Analyst - The Vulnerability Management Lead role is responsible for overseeing Income Insurance enterprise vulnerability management program, driving continuous identification, assessment, and remediation of security weaknesses across internal and external IT infrastructure including but not limited to web and mobile applications. This includes leveraging both automated tools and manual techniques, and liaising with system and application owners for follow-up actions. Maintain proactive oversight to uphold Income Insurance's vulnerability management standards, strengthen organization cyber resilience and safeguard Income Insurance's technology environment. This role will come under the IT Risk and Security department, reporting to the Cyber Assurance Manager.
Key Responsibilities
- Perform vulnerability scanning/discovery, tracking of remediation SLA, and follow up on closure.
- Manage private bug bounty and public vulnerability disclosure program by performing triaging and follow up on reports received.
- Coordinate penetration testing engagements with external vendors, ensuring scope, timelines, and deliverables are met.
- Conduct meetings to communicate the findings and implications to stakeholders.
- Validate remediation efforts through vulnerability fix verification to confirm effectiveness.
- Perform risk assessments and assess existing mitigative controls, recommend compensating controls when remediation is not possible.
- Support audit and ensure regulatory compliance (e.g., MAS TRM) by providing vulnerability evidence and remediation status.
- Analyze vulnerability management results and present technical data clearly to senior stakeholders, turning insights into actionable recommendations.
- Optimize vulnerability management lifecycle, improving identification, remediation, and follow-up processes.
- Collaborate with CTI to act on FINTEL threat intelligence and ensure timely remediation.
- Support in vendor evaluation prior to contract award
Qualifications
- At least 4-5 years of experience in IT/Information Security, Vulnerability Management.
- Diploma/Degree in Computer Science, Cybersecurity, Information Security Management or related.
- Having CISSP, CISM, OSCP, GPEN, GWAPT certifications is an advantage.
Competencies
- 4-5 years of hands-on experience in vulnerability management and using VA tools (e.g. TenableOne, Qualys, Rapid7).
- Strong understanding and knowledge on industry standard scoring models such as CVSS, EPSS, exploitability and remediation strategies.
- Knowledge of common web and mobile security vulnerabilities in OWASP Top 10.
- Familiarity with penetration testing techniques and tools such as web application proxies (Burp Suite, OWASP ZAP), packet. capture analysis software, penetration testing Linux distributions (e.g. Kali Linux), static source code analyzers, API testing tools (e.g SoapUI, Postman), mobile application security frameworks (e.g. MobSF, Frida).
- Familiarity with application security testing approaches such as SAST, DAST, SCA.
- Experience with aligning with regulatory requirements (MAS, ISO 27001) and support audit readiness.
- Having Cloud security knowledge and AI LLM knowledge is a plus.
- Experience in support in vendor evaluation prior to contract award will be advantage
- Basic structured programming or scripting skills as C, Java, Python, Javascript, Powershell.
