JOBSEARCHER

Information Security Analyst

Role: Information Security Analyst (Remediation Operations)
Location: Phoenix AZ (onsite 3 days in office)
Experience: 6-9 years

Overview:
The Information Security Analyst for the Remediation Operations team is responsible for evaluating security exceptions, assessing associated risk, and driving remediation of critical and high-risk vulnerabilities across applications and platforms. This role operates within the Application Security and Infrastructure Security ecosystem, ensuring adherence to Enterprise Vulnerability standards and reducing enterprise risk exposure.

Key Responsibilities:

Exception Review & Risk Assessment
· Review and assess security exception requests for compliance with Enterprise Vulnerability standards and supporting policies.
· Validate business justifications, compensating controls, and risk responses (Mitigate, Accept, Transfer, Avoid).
· Ensure exceptions align with the Exceptions Management Program and include required documentation and leadership approvals.
· Challenge insufficient or unjustified exceptions, prioritizing remediation over risk acceptance.

Vulnerability Governance & Remediation Oversight
· Monitor and track critical and high vulnerabilities across application and infrastructure portfolios.
· Enforce remediation timelines in accordance with defined Service Level Objectives (SLOs).
· Ensure vulnerabilities exceeding SLOs are either remediated or formally documented via approved exceptions.
· Validate remediation through coordination with security tooling, rescans, or evidence-based confirmation.

Stakeholder Engagement & Reach-Out
· Proactively engage application and platform owners with critical risk exposure or past-due vulnerabilities.
· Communicate risk clearly, including exploitability, business impact, and compliance implications.
· Drive accountability through follow-ups, escalation paths, and alignment with leadership where required.
· Support application teams in understanding remediation options and security requirements.

Security Tooling & Data Analysis
· Leverage results from enterprise security tools (e.g., SAST, DAST, SCA, IRIS, Tenable, API security tools) to identify and track vulnerabilities.
· Analyze risk metrics, dashboards, and reports (e.g., Application Health, vulnerability reports) to prioritize actions.
· Correlate findings across tools to identify systemic risk patterns and recurring issues.

Policy & Standards Alignment
· Ensure adherence to:
  · Application Security Policy
  · Enterprise Vulnerability Standard
  · Application Vulnerability Management Procedure
· Interpret and translate policy requirements into actionable guidance for engineering teams.
· Identify gaps or non-compliance and recommend corrective actions.

Continuous Threat Exposure Management (CTEM) Support
· Contribute to continuous risk identification, prioritization, and validation efforts.
· Support risk-based prioritization using exploitability, asset criticality, and exposure context.
· Assist in reducing attack surface and improving overall security posture.

Required Qualifications

Technical & Security Expertise
· Strong understanding of:
  · Application Security (OWASP Top 10, secure coding practices)
  · Vulnerability management lifecycle and risk-based prioritization
  · Security testing methodologies (SAST, DAST, SCA, API security)
· Familiarity with enterprise security tools and platforms.
· Ability to interpret vulnerability data, CVSS scoring, and exploitability context.

Risk & Governance Knowledge
· Experience with security exceptions management and risk acceptance processes.
· Understanding of SLO-driven remediation and escalation models.
· Ability to assess compensating controls and residual risk.

Communication & Stakeholder Management
· Ability to engage technical and non-technical stakeholders effectively.
· Strong written and verbal communication skills for risk articulation and escalation.
· Experience driving remediation through influence rather than authority.

Preferred Qualifications
· Experience within financial services or highly regulated environments.
· Familiarity with Enterprise Vulnerability Management or similar enterprise security frameworks.
· Exposure to CTEM practices and risk-based security operations.
· Experience working with cloud, APIs, or distributed systems.

Key Success Metrics
· Reduction in critical/high vulnerabilities past SLO
· Decrease in exception volume and aging exceptions
· Improved application security posture
· Timely engagement and remediation outcomes with application teams
· Quality and completeness of exception reviews and risk assessments

Role Positioning
This role is not a passive reviewer. It is an active risk driver responsible for:
· Enforcing security standards
· Driving remediation outcomes
· Preventing misuse of exceptions as a substitute for fixing risk