Lead Analyst, Attack Surface Management (ASM)

ABOUT THE DEPARTMENT

The University of Southern California (USC) is advancing its cybersecurity posture with a renewed focus on resilience, cyber risk management, and threat-informed defense. As a world-class research institution, USC is building a culture of security that supports its academic and research mission in a rapidly evolving threat landscape.

This role sits within a newly restructured cybersecurity organization that's leading this transformation. You'll join a team focused on scalable, proactive defense strategies, incident preparedness, and operational excellence-working alongside experts who are deeply committed to service, innovation, and impact.

If you're driven by purpose, thrive in complexity, and want to help shape the future of cybersecurity at a leading university, we invite you to bring your leadership to the table.

POSITION SUMMARY

As the Lead Analyst, Attack Surface Management (ASM) you will be an integral member of the cybersecurity department while also collaborating with stakeholders across the university ecosystem, and reporting to the ASM Manager. This is a full-time exempt position, eligible for all of USC's fantastic Benefits + Perks.This opportunity is remote.

The Lead Analyst, Attack Surface Management (ASM) responsible for identifying, assessing, and mitigating security vulnerabilities across our organization's systems, networks, and applications and supports attack surface management operations. Conducts vulnerability assessments, penetration testing, compliance, and risk management activities. Oversees the university's attack surface and vulnerability lifecycle management process, (e.g., detection, monitoring, reporting, and assessing the impact of vulnerabilities) with focus on continuous improvement to mitigate risks associated with vulnerabilities, application security, and cyber threat intelligence. Develops and implements remediation strategies to address vulnerabilities and minimize the university's attack surface. Directly supports program maturity efforts and plays a key role in integrating threat intelligence into the broader university environment.

The Lead Analyst, Attack Surface Management (ASM) will:

• Oversees the vulnerability lifecycle management process (e.g., detection, monitoring, reporting, and assessing the impact of vulnerabilities). Supports regular vulnerability assessments and scans to identify security weaknesses in systems, applications, networks, and OT/IoT environment.

• Develops and implements remediation strategies to address vulnerabilities and minimize the university's attack surface. Implements remediation required by audits. Engages with DSUs to advise on remediation strategies of vulnerabilities.

• Collaborates with IT teams and stakeholders to validate effective end-to-end vulnerability remediation and maintain a consistent customer experience. Collaborates with VM managed service teams and manages daily operations and communications. Evaluates vulnerability trends in third-party applications and services and collaborates with managed service providers as needed.

• Serves as an ASM subject matter expert, formulating and prioritizing intelligence requirements according to established risk management framework. Participates in and influences the roadmap for the university's vulnerability management program.

• Collaborates on detailed reports on vulnerabilities, their impact, and the status of remediation efforts and communicates findings to stakeholders. Provides expertise to help develop and maintain vulnerability and attack surface management policies, procedures, and best practices for the university.

• Maintains awareness and knowledge of current changes within legal, regulatory, and technology environments which may affect operations. Maintains awareness of current university threat intelligence feeds and reports to stay informed about emerging threats and vulnerabilities that may affect the organization's attack surface. Maintains knowledge of emerging vulnerabilities, exploits, and remediation techniques.

• Encourages a workplace culture where all employees are valued, value others and have the opportunity to contribute through their ideas, words and actions, in accordance with the USC Code of Ethics.

MINIMUM QUALIFICATIONS

Great candidates for the position of Lead Analyst, Attack Surface Management (ASM) will meet the following qualifications:

• 5 years in attack surface and vulnerability management.

• A bachelor's degree or combined experience/education as substitute for minimum education.

• Knowledge of the following frameworks: NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001, MITRE ATT&CK

• Framework, OWASP Top Ten, CIS Controls, COBIT, SANS Critical Security Controls, PCI DSS, NIST SP 800-53, and ITIL.

• Strong understanding of ASM/vulnerability management, security testing practices, and methodologies.

• Understanding and technical knowledge of Cyber Defense concepts, (e.g., incident response, security monitoring, cyber threat intelligence, attack surface and vulnerability management).

• Understanding of Operational Technology environments and security requirements needed to manage the broader attack landscape across the university.

• Experience in building infrastructure and application vulnerability management programs.

• Experience in deploying and operating vulnerability scanning infrastructure and services and deep understanding of vulnerability scanning platforms.

• Comprehensive knowledge of cloud-native vulnerability practices in AWS, Azure, and SaaS platforms and associated security challenges.

• Ability to assess business risks and recommend suitable cybersecurity measures.

• Experience in managing vulnerability assessment tools.

• Knowledge of system, application, and database hardening techniques.

• Strong communication and interpersonal skills, enabling effective interaction across all organizational levels, along with proven analytical and problem-solving abilities, and exceptional attention to detail.

• Project management experience with a track record of leading complex security initiatives, coupled with the ability to teach and train others effectively.

• Ability to work with teams across the cybersecurity function, with managed service providers, and with IT teams across the university.

• Ability to work evenings, weekends and holidays as the schedule dictates.

PREFERRED QUALIFICATIONS

Exceptional candidates for the position of Lead Analyst, Attack Surface Management (ASM) will also bring the following qualifications or more:

• 7 years of related experience.

• A bachelor's degree or combined experience/education as substitute for minimum education.

• Experience working in higher education or complex, decentralized environments.

• CISSP, GCIH, GPEN, Security+, or similar.

In addition, the successful candidate must also demonstrate, through ideas, words and actions, a strong commitment to USC's Unifying Values of integrity, excellence, community, well-being, open communication, and accountability.

SALARY AND BENEFITS

The annual base salary range for this position is $162,315.11-$201.452.98. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate's work experience, education/training, key skills, internal peer alignment, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations.

To support the well-being of our faculty and staff, USC provides benefits-eligible employees with a broad range of perks to help protect their and their dependents' health, wealth, and future. These benefits are available as part of the overall compensation and total rewards package. You can learn more about USC's comprehensive benefits here.

Join the USC cybersecurity team within an environment of innovation and excellence.

Minimum Education: Bachelor's degree
Addtional Education Requirements Combined experience/education as substitute for minimum education
Minimum Experience: 5 years in attack surface and vulnerability management.
Minimum Skills: Knowledge of the following frameworks: NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001, MITRE ATT&CK Framework, OWASP Top Ten, CIS Controls, COBIT, SANS Critical Security Controls, PCI DSS, NIST SP 800-53, and ITIL. Strong understanding of ASM/vulnerability management, security testing practices, and methodologies. Understanding and technical knowledge of Cyber Defense concepts, (e.g., incident response, security monitoring, cyber threat intelligence, attack surface and vulnerability management). Understanding of Operational Technology environments and security requirements needed to manage the broader attack landscape across the university. Experience in building infrastructure and application vulnerability management programs. Experience in deploying and operating vulnerability scanning infrastructure and services and deep understanding of vulnerability scanning platforms. Comprehensive knowledge of cloud-native vulnerability practices in AWS, Azure, and SaaS platforms and associated security challenges. Ability to assess business risks and recommend suitable cybersecurity measures. Experience in managing vulnerability assessment tools. Knowledge of system, application, and database hardening techniques. Strong communication and interpersonal skills, enabling effective interaction across all organizational levels, along with proven analytical and problem-solving abilities, and exceptional attention to detail. Project management experience with a track record of leading complex security initiatives, coupled with the ability to teach and train others effectively. Ability to work with teams across the cybersecurity function, with managed service providers, and with IT teams across the university.
Preferred Education: Bachelor's degree In Information Science Or Computer Science Or Computer Engineering Or in related field(s)
Preferred Certifications: CISSP, GCIH, GPEN, Security+, or similar.
Preferred Experience: 7 years
Preferred Skills: Experience working in higher education or complex, decentralized environments.