Job Title
Exposure Management – Audit Readiness SME / Analyst
Role Summary
The Exposure Management – Audit Readiness SME / Analyst is responsible for ensuring the organization’s exposure management program (vulnerability scanning, attack surface management, and remediation tracking) is audit‑ready, defensible, and aligned with internal controls and regulatory expectations. This role bridges technical security operations with audit, risk, and compliance teams, translating exposure data into clear, evidence‑based narratives for audits and assessments.
Key Responsibilities
Audit & Compliance Readiness
· Serve as the primary SME for audit readiness related to exposure and vulnerability management.
· Prepare, review, and validate audit evidence (policies, procedures, scan results, metrics, remediation records).
· Support internal audits, external audits, regulatory exams, and risk assessments.
Control Mapping & Documentation
· Map exposure management activities to applicable frameworks (e.g., NIST CSF, NIST 800‑53, ISO 27001, SOC, PCI).
· Maintain documentation for control design, operational effectiveness, and continuous improvement.
· Ensure testing frequency, coverage, and remediation practices meet stated control requirements.
Exposure & Risk Analysis
· Analyze exposure data (vulnerabilities, misconfigurations, exploitability indicators) to support audit inquiries.
· Validate completeness and accuracy of asset coverage and scanning scope.
· Translate technical exposure findings into business‑aligned risk statements.
Stakeholder & Cross‑Functional Coordination
· Act as liaison between security engineering, infrastructure, application teams, and audit/compliance stakeholders.
· Support audit walkthroughs and provide clear explanations of exposure management processes.
· Track and manage audit findings related to exposure management through remediation and closure.
Metrics, Reporting & Evidence Management
· Define and maintain audit‑ready metrics (coverage, scan cadence, remediation SLAs, exceptions).
· Support dashboards and reporting for leadership, audit committees, and regulators.
· Ensure evidence repositories are accurate, current, and easily retrievable.
Continuous Improvement
· Identify control gaps, documentation weaknesses, and audit risks.
· Recommend remediation actions to improve audit posture and exposure management maturity.
· Support alignment with Continuous Threat Exposure Management (CTEM) practices.
Required Qualifications
· 5+ years of experience in cybersecurity, vulnerability/exposure management, risk, audit, or compliance.
· Strong understanding of vulnerability management and exposure concepts (CVSS, exploitability, risk‑based prioritization).
· Experience supporting internal and/or external audits.
· Familiarity with security and compliance frameworks (NIST, ISO, SOC, PCI).
· Strong documentation, communication, and stakeholder management skills.
Preferred Qualifications
· Experience with exposure or vulnerability management platforms (e.g., Tenable One, Qualys, Rapid7).
· Experience working with CTEM or attack surface management programs.
· Prior experience in regulated or large enterprise environments.
· Certifications such as CISSP, CISA, CRISC, or similar are a plus.
Key Competencies
· Audit and control mindset
· Strong technical‑to‑business translation
· Attention to detail and evidence quality
· Risk‑based analysis and prioritization
· Cross‑functional collaboration