Cybersecurity Findings Analyst - Hybrid

Your opportunity

At Schwab, you’re empowered to make an impact on your career. Here, innovative thought meets creative problem solving, helping us “challenge the status quo” and transform the finance industry together.

We are seeking a motivated Analyst to assist the Schwab Red Team by managing the firm's red team findings and vulnerability mitigation efforts.

As a Cybersecurity Findings Analyst, you will be responsible for working with penetration testers to document vulnerabilities, recommendations and observations found during test efforts, work with finding owners to manage and document the progression of any mitigating controls or actions, and assist with validating the effectiveness of any mitigating controls and actions.  

This position offers an opportunity to actively manage and mitigate risk to the firm by ensuring the prioritization and timely mitigation of vulnerabilities and security risks.  The role would be ideally suited to an individual with experience managing tasks and small projects with an interest in offensive security and includes opportunities to participate in red team exercises and penetration tests.  

What you'll do:

Reviewing penetration test results:
Thoroughly examining the data gathered by penetration testers, including identified vulnerabilities, exploitability levels, and potential attack vectors.  Assist with assigning severity and criticality for each vulnerability or finding, identifying recommendations and appropriate observations,

Reporting & Deliverables:
Work with penetration testers on documenting findings identified during test efforts.  Ensure findings are sufficiently detailed, clearly communicate risk, can be reproduced by stakeholders, and have appropriate evidence of exploits and recommended next steps.  Work with penetration testers on documenting and managing finding creation in JIRA.

Communication and collaboration:
Assist with presenting findings to stakeholders, including technical and non-technical audiences and explaining the risks in understandable terms.  Work with stakeholders to identify finding owners, obtain regular updates on necessary fixes and progress, and document finding mitigation efforts.  Work with peer teams to refer, manage and escalate findings as appropriate.

Finding Management:
Document all finding management efforts in JIRA.  Work to maintain finding quality and reporting.  Actively monitor & document finding progress with stakeholders.
 

Testing & Validation:
Work either independently or with penetration testers to reproduce penetration test findings, validate the effectiveness of mitigating controls, and document evidence of closed findings.  Participate in penetration tests, control tests and red team exercises.

What you have

To ensure that we have fulfilled our promise of "challenging the status quo," this role has specific qualifications that successful candidates should have.

Key Competencies:

• Strong communication skills.
• Strong analytical and critical thinking skills.
• Detail-oriented, self-driven, and capable of working independently in a fast-paced environment.

Required Qualifications:

Technical expertise:
Broad familiarity with network protocols, operating systems, web application security, databases, and common vulnerabilities (OWASP/CVE).  Familiarity with Cybersecurity industry standards and best practices for secure system design and configuration.

Analytical skills:
Ability to analyze complex data, identify patterns, and draw logical conclusions about potential threats.  Familiarity with common approaches to risk rating such as CVE, CVSS and DREAD.

Report writing Skills:
Clear and concise communication of technical information in a way that is easily understood by non-technical audiences.

Project Management Skills:
Experience managing small projects, tasks, bugs or issues.

Problem-solving skills:
Identifying practical solutions to mitigate vulnerabilities and implement effective security controls.

Preferred

• Experience in a bug, findings or vulnerability management role.
• Relevant certifications such as CISSP, GPEN or OSCP.
• Experience managing projects, tasks & Issues in JIRA.
• Bachelor’s degree in cybersecurity, information technology, or a related field preferred.
• Experience with scripting and automation (e.g. Python, PowerShell, JIRA Simple Issue Language) a plus.

In addition to the salary range, this role is also eligible for bonus or incentive opportunities