Quantum World Technologies Inc. Linkedin · Posted 10d ago

Information Security Analyst

Azerbaijan


Role: Information Security Analyst (Remediation Operations)

Location: Phoenix AZ (onsite 3 days in office)

Experience: 6-9 years


Overview:


The Information Security Analyst for the Remediation Operations team is responsible for evaluating security exceptions, assessing associated risk, and driving remediation of critical and high-risk vulnerabilities across applications and platforms. This role operates within the Application Security and Infrastructure Security ecosystem, ensuring adherence to Enterprise Vulnerability standards and reducing enterprise risk exposure.

Key Responsibilities:


Exception Review & Risk Assessment


· Review and assess security exception requests for compliance with Enterprise Vulnerability standards and supporting policies.

· Validate business justifications, compensating controls, and risk responses (Mitigate, Accept, Transfer, Avoid).

· Ensure exceptions align with the Exceptions Management Program and include required documentation and leadership approvals.

· Challenge insufficient or unjustified exceptions, prioritizing remediation over risk acceptance.

Vulnerability Governance & Remediation Oversight

· Monitor and track critical and high vulnerabilities across application and infrastructure portfolios.

· Enforce remediation timelines in accordance with defined Service Level Objectives (SLOs).

· Ensure vulnerabilities exceeding SLOs are either remediated or formally documented via approved exceptions.

· Validate remediation through coordination with security tooling, rescans, or evidence-based confirmation.

Stakeholder Engagement & Reach-Out

· Proactively engage application and platform owners with critical risk exposure or past-due vulnerabilities.

· Communicate risk clearly, including exploitability, business impact, and compliance implications.

· Drive accountability through follow-ups, escalation paths, and alignment with leadership where required.

· Support application teams in understanding remediation options and security requirements.

Security Tooling & Data Analysis

· Leverage results from enterprise security tools (e.g., SAST, DAST, SCA, IRIS, Tenable, API security tools) to identify and track vulnerabilities.

· Analyze risk metrics, dashboards, and reports (e.g., Application Health, vulnerability reports) to prioritize actions.

· Correlate findings across tools to identify systemic risk patterns and recurring issues.

Policy & Standards Alignment

· Ensure adherence to:

  · Application Security Policy

  · Enterprise Vulnerability Standard

  · Application Vulnerability Management Procedure

· Interpret and translate policy requirements into actionable guidance for engineering teams.

· Identify gaps or non-compliance and recommend corrective actions.

Continuous Threat Exposure Management (CTEM) Support

· Contribute to continuous risk identification, prioritization, and validation efforts.

· Support risk-based prioritization using exploitability, asset criticality, and exposure context.

· Assist in reducing attack surface and improving overall security posture.

Required Qualifications

Technical & Security Expertise

· Strong understanding of:

  · Application Security (OWASP Top 10, secure coding practices)

  · Vulnerability management lifecycle and risk-based prioritization

  · Security testing methodologies (SAST, DAST, SCA, API security)

· Familiarity with enterprise security tools and platforms

· Ability to interpret vulnerability data, CVSS scoring, and exploitability context.

Risk & Governance Knowledge

· Experience with security exceptions management and risk acceptance processes.

· Understanding of SLO-driven remediation and escalation models.

· Ability to assess compensating controls and residual risk.

Communication & Stakeholder Management

· Ability to engage technical and non-technical stakeholders effectively.

· Strong written and verbal communication skills for risk articulation and escalation.

· Experience driving remediation through influence rather than authority.

Preferred Qualifications

· Experience within financial services or highly regulated environments.

· Familiarity with Enterprise Vulnerability Management or similar enterprise security frameworks.

· Exposure to CTEM practices and risk-based security operations.

· Experience working with cloud, APIs, or distributed systems.

Key Success Metrics

· Reduction in critical/high vulnerabilities past SLO

· Decrease in exception volume and aging exceptions

· Improved application security posture

· Timely engagement and remediation outcomes with application teams

· Quality and completeness of exception reviews and risk assessments

Role Positioning

This role is not a passive reviewer. It is an active risk driver responsible for:

· Enforcing security standards

· Driving remediation outcomes

· Preventing misuse of exceptions as a substitute for fixing risk
