InfoSec Engineer III Pentesting Program Lead

3 months ago


Somerville, United States Partners HealthCare Full time

Description

About Us: 

As a not-for-profit organization, Mass General Brigham is committed to supporting patient care, research, teaching, and service to the community by leading innovation across our system. Founded by Brigham and Women’s Hospital and Massachusetts General Hospital, Mass General Brigham supports a complete continuum of care including community and specialty hospitals, a managed care organization, a physician network, community health centers, home care and other health-related entities. Several of our hospitals are teaching affiliates of Harvard Medical School, and our system is a national leader in biomedical research.

We’re focused on a people-first culture for our system’s patients and our professional family. That’s why we provide our employees with more ways to achieve their potential. Mass General Brigham is committed to aligning our employees’ personal aspirations with projects that match their capabilities and creating a culture that empowers our managers to become trusted mentors. We support each member of our team to own their personal development—and we recognize success at every step.

Our employees use the Mass General Brigham values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.

General Summary/ Overview: 

The Mass General Brigham (MGB) Information Security Engineer III – Attack Surface Management Lead will be responsible for leading initiatives related to the identification, validation, and evaluation of attack surface risks across our digital and physical technology environments, measuring defensive resilience against emerging threats. This role will also require the technical testing of security controls deployed throughout the environment to confirm defenses are functioning as expected, or leading efforts to mitigate risks where necessary. The ideal candidate will be a deeply technically minded security professional with prior experience in one or more of the following areas:

· Penetration testing

· Web application security testing

· Vulnerability management

· Application development security 

· Incident response

· Security controls validation

· Scripting languages 

Principal Duties and Responsibilities: 

· Attack Surface Analysis: Conduct comprehensive assessments to identify risks within the organization's network, applications, and systems. This includes both internal and external assets.

· Threat Intelligence Integration: Leverage threat intelligence to anticipate and prepare for emerging threats. Ensure that relevant threat intelligence is integrated into the assessment of the attack surface.

· Vulnerability Management: Integrate with and support existing vulnerability management processes, including identification, evaluation, mitigation, and reporting of security vulnerabilities. 

· Cross-functional Collaboration: Work closely with IT, network, and application teams to ensure a cohesive approach to security. Facilitate communication and collaboration across departments to ensure alignment with security goals.

· Incident Response Support: Support the incident response team by providing insights into potential attack vectors and vulnerabilities that may be exploited during a cyber incident.

· Team Leadership and Development: Lead, mentor, and develop a team of security professionals. Foster a culture of continuous learning and improvement.

· Written Documentation: Create, review, and update documentation related to the information security and information privacy controls.

· Strategic Planning: Lead efforts to drive strategic change initiatives designed to mitigate attack surface risks across the enterprise.

· Communication: Clear and concise written and verbal communication including long-form documentation, enterprise broadcast communications, and executive presentations; special attention required to translate technical detail into language the intended audience can understand.

· Industry Knowledge: Maintain awareness of new technologies and related opportunities for impact on system or application security.

· MGB Values: Uses the Mass General Brigham values to govern decisions, actions and behaviors. These values guide how we get our work done: Patients, Affordability, Accountability & Service Commitment, Decisiveness, Innovation & Thoughtful Risk; and how we treat each other: Diversity & Inclusion, Integrity & Respect, Learning, Continuous Improvement & Personal Growth, Teamwork & Collaboration.

· Other duties as assigned.

Working Conditions:  
· FTE

· Normal Office conditions in Hybrid Remote/Office Context

· Possible local travel to Mass General Brigham sites 

· While performing the duties of this job, the employee is frequently required to sit; talk; or hear; use hands to finger; handle; or feel; reach with hands and arms. The employee is occasionally required to stand; walk; and stoop; kneel; or crouch. The employee must frequently lift and/or move up to 5 pounds and occasionally lift and/or move up to 20 pounds. Specific vision abilities required by this job include close vision, distance vision and depth perception.

· The work environment characteristics described here are representative of those an employee encounters while performing the essential functions of this job. Normal office working conditions. The noise level in the work environment is quiet to moderate.

Qualifications

· Bachelor’s degree (B.A. / B.S.) in Information Security, Computer Science, Computer Engineering or equivalent from an accredited college or university required.

· 5+ years of experience in Information Technology or Information Security required.

· Broad general understanding of cybersecurity concepts.

· Basic knowledge of tools used in day-to-day processes with ability to learn new tools and skills.

· Ability to apply defined processes to resolve a wide variety of issues.

· Critical thinking and problem-solving skills sufficient to identify and communicate key issues or understand when escalation support is required.

· An understanding of business needs and commitment to delivering high-quality, prompt and efficient service to the business.

· Ability to collaborate effectively with team members, providing assistance and support as needed.

· Knowledge of NIST Cybersecurity Framework (CSF), NIST 800-53, ISO 27K is desirable.

· Preferred certifications include: Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), GIAC Penetration Tester Certification (GPEN), GIAC Experienced Penetration Tester (GX-PT), GIAC Certified Red Team Professional (GRTP), GIAC Security Operations Certified (GSOC), GIAC Security Expert (GSE), etc.

Skills/Abilities/Competencies: 

· Possess strong interpersonal skills to effectively communicate with cross-functional teams.

· Strong time management and organizational skills required; project management skills are desired.

· An ability to work under the required guidelines and deliver on business/project requirements.

· Strong vocabulary, written and verbal communication and effective interpersonal skills are critical.

· Comfortable working in a dynamic environment with multiple work streams, goals, and objectives.

· Must know how to use the common M365 Office Suite of products.

· Ability to work independently with appropriate supervision.

· Ability to successfully negotiate and collaborate with others of different skill sets, backgrounds and levels within and external to the organization.

· Experience in one or more of the following technologies preferred: endpoint detection and response (EDR), vulnerability scanners, static and dynamic source-code analysis, SIEM, privileged access management (PAM), network technologies, cloud hosting platforms, IoT search engines, OSINT tools, etc.

· Strong problem solving and critical thinking skills.


