Vulnerability Analyst IV

Schedule:
Monday - Friday (40 hrs/wk)
8:00 AM - 5:00 PM

Department: IT General - 210

Primary Purpose:

The Vulnerability Analyst conducts extensive research on newly discovered vulnerabilities in operating systems, application software, infrastructure, and firewalls. Serves as a senior technical leader within the Security Operations Center (SOC), responsible for overseeing enterprise-wide vulnerability management strategies. This role investigates, analyzes, and develops methods for exploiting such vulnerabilities. The analyst performs Security Impact Analysis (SIA) to determine how proposed or completed changes to information systems affect overall security. This process involves assessing potential vulnerabilities and risks introduced by modifications to components such as operating systems, networks, software, and security controls. The Vulnerability Analyst reports directly to the Security Operations Center (SOC) Manager.

About ARUP:

ARUP Laboratories is a national clinical and anatomic pathology reference laboratory and an enterprise of the University of Utah and its Department of Pathology. Based in Salt Lake City, Utah.

ARUP proudly hires top talent to create a work environment of diversity, professional growth and continuous development. Our workforce is committed to the important service we provide to over one million patients each month. We always strive for excellence and have a strong desire to have involvement with the advances in medicine and the role laboratory services plays within each patient’s life. We never forget that there is a patient behind every specimen we receive.

We are looking for individuals who want to contribute to ARUP's culture of accountability, integrity, service, and excellence. Consider joining our dynamic team.

Essential Functions:

Lead advanced cyber vulnerability assessments of applications, systems, vendor IT networks, and cloud architecture.

Analyze and validate scan results, correlate findings, and determine severity and risk impact to prioritize remediation efforts.

Maintain and update vulnerability tracking systems, dashboards, and compliance reports.

Develop and present reports, briefs, and metrics to communicate vulnerability status, remediation progress, and compliance standing to leadership.

Stay informed about emerging vulnerabilities, CVEs, threat intelligence, and cybersecurity best practices.

Conduct comprehensive risk assessments of IT systems, applications, and business processes, recommending improvements to security controls.

Maintain detailed risk registers by analyzing threat intelligence and vulnerability data to identify emerging risks.

Develop and perform cybersecurity risk assessments and mitigation strategies.

Collaborate with administrators, DevOps teams, researchers, Change Approval Board (CAB), and IT Tech Debt Committee to identify, prioritize, and remediate vulnerabilities.

Lead efforts with remediation teams, system owners, and senior security staff to track and resolve identified vulnerabilities.

Apply advanced techniques threat modeling, penetration testing, and exploit development techniques to identify risks across on-premises and cloud environments.

Contribute to recurring cyber vulnerability updates and prepare executive-level summaries of findings for senior leadership.

Provide subject matter expert support in incident response investigations and provide technical recommendations to strengthen system defenses.

Develop and deliver training and awareness programs for team members and stakeholders on vulnerability identification, remediation, and secure system design practices.

Provide expert support to the Security Operations Center (SOC) Tier 1 and Tier 2 Analyst teams as needed in performing threat detection and incident response.

Physical Requirements:

Stooping: Bending body downward and forward by bending spine at the waist.

Reaching: Extending hand(s) and arm(s) in any direction.

Mobility: The person in this position needs to occasionally move between work sites and inside the office to access file cabinets, office machinery, etc.

Communication: The person in this position will work in a highly collaborative environment which requires frequent, clear, and professional communication with others.

PPE: Biohazard laboratory environment that requires use of personal protective equipment in accordance with CDC and OSHA regulations and company policies.

ARUP Policies and Procedures: To conduct self in compliance with all ARUP Policies and Procedures.

Sedentary Work: Exerting up to 10 pounds of force occasionally and/or negligible amount of force frequently or constantly to lift, carry, push, pull or otherwise move objects.

Fine Motor Control: Picking, pinching, typing or otherwise working on computer equipment.

Vision: Having close, far, and peripheral visual acuity to perform a variety of tasks such as making general observations of depth and distance.

Experience

Required

• Bachelor’s degree in Cybersecurity, Information Technology, or related field
• Six (6) years of cybersecurity experience, including at least 4 years focused on vulnerability analysis, penetration testing, or cyber risk management
• Strong understanding of security frameworks (e.g., NIST, MITRE ATT&CK)
• Experience with vulnerability scanning tools
• Experience with EDR solutions
• Excellent communication, analytical, and problem-solving skills
• Deep knowledge of NIST, ISO/IEC 27001, HITRUST frameworks

Preferred

• Relevant certifications (e.g., CISSP, CISM, CEH, CND, GCIA, GCIH)
• Experience in healthcare or laboratory environments preferred
• Master’s degree in Cybersecurity, Information Technology, or related field

Education

Required

• Bachelor's Degree or better in Cybersecurity or related field

Preferred

• Master's Degree or better in Cybersecurity or related field

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.