Information Security Analyst; Intermediate

Overview

Company: enGen

Job Description:

Highmark Health – Information Security Analyst, Vulnerability Management

About Highmark Health:
At Highmark Health, we believe in a world where everyone has access to the best health. We are an integrated delivery network dedicated to transforming healthcare, and our Information Security team plays a critical role in safeguarding our mission-critical assets and protected health information. Join us in building a resilient and secure future.

The Opportunity:

We are seeking an adaptive, data-driven Information Security Analyst to join our Vulnerability Management team. This role focuses on strategic risk prioritization and proactive defense of critical assets, integrating newly acquired infrastructure, resolving Redline risks through telemetry and automated orchestration, and ensuring security enables business goals.

If you thrive in a fast-paced environment, understand that security is a business enabler, and are passionate about defending critical systems, we encourage you to apply.

• Strategic Risk Orchestration: Move beyond traditional CVSS-based patching. Transform millions of raw vulnerabilities into a prioritized, actionable resolution queue, focusing on the highest impact risks.
• Operational Asset Discovery & Contextualization: Correlate data from on-premise, cloud, and vendor systems to identify Crown Jewel assets and Operational Core systems, ensuring business context drives remediation priorities.
• M&A Cyber Integration: Perform rapid risk assessments of newly acquired infrastructure, identifying technical debt and key vulnerabilities before integration into the corporate network.
• Workflow & Lifecycle Management: Support end-to-end remediation in Service Now Sec Ops. Manage orchestration between automated discovery and manual resolution, mitigating high-velocity threats within strict, evidence-based SLOs.
• Governance & RAID Advocacy: Proactively manage the RAID Log (Risks, Assumptions, Issues, Dependencies) and escalate blockers that could impact security posture or timelines.
• Remediation Partnership & Diplomacy: Act as a bridge between Security and IT Operations, providing technical rationales and impact data to prioritize security tasks alongside roadmaps.
• Telemetry Integrity: Monitor the efficacy of scanning agents and API integrations to ensure visibility across all public clouds and on-premises segments.

• Experience: 1–3 years in Information Security, Vulnerability Management, or Risk Advisory.
• Vulnerability Frameworks: Experience with attack characteristics, advisories, catalogs, and dynamic risk-based prioritization.
• Tech Stack Proficiency: Hands-on with enterprise vulnerability scanners (e.g., Rapid7, Crowd Strike, Asimily, Defender) and cloud security tools.
• Governance & Compliance: Knowledge of healthcare/government mandates (PCI, NYDFS, CMS, HIPAA, NIST CSF, or NIST 800-53).
• Operational Awareness: Experience with Business Impact Analysis (BIA) or CTO dependencies.

• Analytical Mindset: Correlate threats with business impact using scoring frameworks (CVSS v4.0 or EPSS).
• Cloud & IoT Savvy: Identify risk in cloud workloads and legacy medical/IoT devices.
• Systems Thinking: Understand how delays in one process create downstream risks.
• Agile Documentation: Maintain RAID logs and project tracking in a fast-paced environment.
• Interpersonal Diplomacy: Drive remediation while partnering with Critical Ops teams.
• Technical Breadth: Knowledge of secure SDLC, network security architecture, and virtualization security.

• Education: Required — Bachelor’s Degree in Information Security, Information Systems, Information Assurance, Computer Science, or related field.
• Substitutions: 5 years of Information Security, Governance, Risk and/or Compliance, IT or Business Analysis.
• Experience: Required — 3–5 years in Information Security and related areas; 3–5 years in governance, risk, compliance and related technologies.

• Required: None
• Preferred: GEVA, CySA+, SCS-C02, AZ-500, GSEC/GCT, CCSK, CISA, and related vulnerability/Cloud security certifications as listed.

• Travel: 0-25%
• Location: Office-Based
• ETC: HIPAA, PCI, NIST, HITRUST familiarity and privacy/compliance references retained per policy.

Compliance notes:
This position adheres to ethical and legal standards and company policies. Employees may access confidential information and must comply with HIPAA and all data security guidelines. See company privacy policies and Code of Business Conduct for details.

Pay Range:
Minimum $67,500;
Maximum $126,000. Base pay determined by qualifications, experience, and internal market considerations. This range may vary by location.

EEO statement and accessibility:
Highmark Health and its affiliates prohibit discrimination and strive to be accessible. For accommodation requests, contact HR Services Online  : J276632