
Senior Manager, Vulnerability Management and Application Security

Job in Richmond, Henrico County, Virginia, 23214, USA
Listing for: CarMax Business Services
Full Time position
Listed on 2026-06-24
Job specializations:
  • IT/Tech
    Cybersecurity, IT Project Manager, Information Security, IT Consultant
Salary/Wage Range or Industry Benchmark: 120000 - 150000 USD Yearly
Job Description & How to Apply Below

Position Overview

As a Senior Manager, Vulnerability Management and Application Security, you will lead CarMax’s enterprise vulnerability management and application security programs and serve as a trusted subject matter expert responsible for strengthening the organization’s security posture. You will mentor and guide a high-performing team, streamline processes, optimize program operations, and deliver actionable insights that influence decision-making across all levels, including executive leadership.

This role is ideal for a collaborative, results-driven leader with a passion for building effective programs and improving the security, resilience, and reliability of technology environments and software delivery practices.

Why CarMax?

At CarMax, we are the nation’s largest retailer of used cars with stores from coast to coast, and we are still growing. We’re rethinking the way people buy cars - and it’s our associates that help us do just that. We believe work should feel meaningful and rewarding, with opportunities to make an impact every day. This is where innovation meets passion - be inspired and supported to take us to the future.

Team Overview

The Vulnerability Management and Application Security team guides enterprise strategy for identifying, analyzing, and prioritizing remediation of risks across CarMax’s systems, infrastructure, and applications. As the Senior Manager, you will shape program strategy, strengthen integration with cybersecurity and engineering partners, and enable teams to build and operate secure technology through clear communication, effective governance, thorough reporting, and trusted leadership.

Role Responsibilities
  • Oversee and continuously improve the enterprise vulnerability management and application security programs, ensuring effective alignment of processes, tools, and assessments.
  • Develop and manage program roadmaps, budgets, and priorities for security assessments across infrastructure, networks, cloud services, and applications.
  • Create and deliver executive-ready reporting with clear documentation, risk insights, program metrics, and prioritized mitigation recommendations.
  • Define and maintain vulnerability management and application security standards, SLAs, and governance practices in partnership with cybersecurity and technology leaders.
  • Lead risk-based remediation prioritization and ensure consistent progress across infrastructure, engineering, and product teams and partners.
  • Coordinate and communicate responses to emerging threats, zero-day vulnerabilities, and critical application security findings to drive timely remediation.
  • Lead the application security program, including secure development lifecycle practices, application security testing, and risk-based remediation strategies.
  • Partner with engineering, architecture, and product teams to embed security requirements, threat modeling, code scanning, and security reviews into the software development lifecycle, and foster a culture of security.
  • Mature application security capabilities such as SAST, DAST, software composition analysis, secrets detection, and security testing for internally developed and third-party applications.
  • Provide guidance on secure coding practices, common vulnerabilities, and remediation approaches.
  • Adapt to and apply technology innovation, including AI, to the role and program overall.
  • Adapt the team and programs to the ever-changing threat and regulatory landscape.
Required Qualifications
  • 8+ years of cybersecurity experience with emphasis on vulnerability management, application security, risk analysis, and security assessment practices.
  • 5+ years of experience designing, implementing, or supporting secure information systems and application security practices.
  • 3+ years in a security leadership or management role guiding teams or programs.
  • One or more certifications such as CISA, CISM, CEH, CISSP, or SANS.
  • Experience with enterprise security technologies and application security tooling such as vulnerability scanners, SAST, DAST, software composition analysis, SIEM platforms, and network devices - firewalls, IDS/IPS, routers, and switches.
  • Strong ability to analyze complex security findings,…
Position Requirements
10+ Years work experience