
Distinguished Engineer, Exposure Management

CVS Health · Healthcare

Compensation

$175,100.00 - $334,750.00


Posted

Today

01

About the role

We’re building a world of health around every individual — shaping a more connected, convenient and compassionate health experience. At CVS Health®, you’ll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger – helping to simplify health care one person, one family and one community at a time.

Job Summary

Serves as the senior technical leader and strategist for Exposure Management, setting the architectural direction for how the enterprise scopes, discovers, prioritizes, validates, and mobilizes remediation of vulnerabilities, misconfigurations, and other exploitable weaknesses across IT, cloud, SaaS, identity, and OT/medical-device estates. Leads the transformation of exposure management from batch-oriented, ticket-driven, human-mediated workflows with multi-week SLAs to a continuous, near real-time, threat-informed Continuous Threat Exposure Management (CTEM) capability.

Owns the end-to-end data architecture that the program depends on — the canonical data model, asset and identity graph, ingestion and normalization patterns, data contracts, lineage, and quality/SLA controls that unify a complex set of telemetry and business-context sources.  

Designs and delivers automation, machine learning, and GenAI capabilities that accelerate exposure discovery, prioritization, validation, remediation, and incident response while materially reducing manual work and operating cost. Brings the attacker's perspective into prioritization and validation — integrating threat intelligence, attack surface management, and adversarial exposure validation — so the program acts on real, exploitable attack paths to critical business assets and PHI rather than solely on CVE lists. Collaborates with Cyber-defense and Vulnerability Management team members to develop strategic responses to emerging threat and vulnerability events (novel exploits, zero-days, supply-chain and third-party incidents), driving rapid, automated impact assessment and mobilization in hours rather than days or weeks.

Contributes to design of outcome-based exposure metrics and reporting frameworks that translate technical exposure data into business-aligned risk outcomes for executive audiences and that meet evolving regulatory and disclosure expectations. Accountable for ensuring that metrics can be accurately computed and delivered within SLA. Operates as a trusted bridge between deeply technical security teams and business stakeholders, influencing strategy, investment, and execution across organizational boundaries without relying on direct authority.

Primary Job Duties & Responsibilities

  • Leads the strategic transformation of exposure management from batch-oriented, ticket-driven, human-mediated workflows with multi-week SLAs to a continuous, near real-time, machine-speed model — re-architecting the end-to-end pipeline (scoping, discovery, prioritization, validation, mobilization) so that exposures are detected, validated, prioritized, and routed for remediation without manual intervention wherever safe to do so
  • Designs and delivers automation, ML, and GenAI capabilities that accelerate exposure discovery, prioritization, validation, remediation, and incident response — including LLM-assisted triage, exposure summarization, remediation guidance, detection engineering, and threat-intel synthesis — and that materially reduce manual work and operating cost
  • Owns the end-to-end data architecture for exposure management — defining the canonical data model, asset and identity graph, ingestion and normalization patterns, data contracts, lineage, retention, and access controls across telemetry and business-context sources — so that downstream automation, prioritization, ML, and reporting are built on trustworthy, timely, and SLA-bound data
  • Architects a unified exposure view across vulnerability scanning and CTI tooling — using attack-graph and identity/asset relationship analysis to surface 'toxic combinations' and exploitable paths to critical assets, PHI, and payment data, and to drive attack-path-based prioritization in place of CVE-list-based prioritization
  • Defines the outcome-based exposure metrics framework — including validated exposure count, attack-path reduction, MTTR for validated findings, coverage %, validation success rate, automation rate, and risk reduction rate — and the executive and regulatory reporting that translates them into business risk and disclosure narrative; accountable for ensuring metrics can be accurately computed and delivered within SLA
  • Builds the cross-team remediation operating model and the automated mobilization layer (ticketing, workflow, change, patch, and IaC integration) that drives adoption of exposure management standards across engineering, IT, cloud, identity, and business owners — replacing email- and meeting-based handoffs with API-driven, SLA-bound automation
  • Sets technical direction and the multi-year architectural roadmap for the exposure management platform — including target-state automation and data architecture, build-vs-buy decisions, and integration with resilience, BCDR, and ransomware-recovery planning
  • Mentors senior engineers, data engineers, and architects; raises the technical bar across the security engineering organization, with particular focus on automation-first, validation-driven, threat-informed, and data-architecture-led engineering practices
  • Represents the enterprise externally with vendors, peer organizations, and the security community on exposure management, automation, and applied AI/ML in security

Education

  • Required: Bachelor's Degree (technical: engineering, math, CS preferred)
  • Preferred: Master's Degree, or Doctorate

Essential Qualifications, Essential Functions & Preferred Qualifications

  • 15+ years of experience in technical roles, with demonstrated ability to influence without authority across technical and executive audiences
  • 10+ years of experience acting as a bridge between deep technical work and business strategy, translating between the two fluently
  • 10+ years of data architecture experience at enterprise scale — including canonical/conceptual data modeling, entity-relationship and graph modeling, ingestion and normalization patterns, data contracts, lineage, master/reference data, and data quality/SLA management — with demonstrated ownership of end-to-end data architecture for a complex, multi-source platform (not solely field-/table-level data product design)
  • 8+ years architecting large-scale automation and data/ML systems in production, with demonstrated experience integrating ML or LLM capabilities into security or operational workflows
  • 8+ years in cybersecurity, with at least 5 of those in vulnerability management, exposure management, threat & vulnerability response, detection engineering, or red team / offensive security
  • 5+ years setting multi-year technical strategy and architectural roadmaps for enterprise-scale platforms, including the underlying data architecture
  • Demonstrated experience leading the transformation of a security or IT operations capability from batch, ticket-driven, human-mediated workflows to continuous, automated, near real-time operations at enterprise scale — including measurable reductions in manual work and operating cost
  • Deep working knowledge of the CTEM lifecycle (Scoping, Discovery, Prioritization, Validation, Mobilization) and of the supporting tool categories — EASM, RBVM, BAS/AEV, CSPM, SSPM, ISPM/ITDR, and CTI platforms — including how their data is integrated into a unified exposure view
  • Demonstrated experience defining and operating outcome-based exposure metrics — validated exposure count, attack-path reduction, MTTR for validated findings, coverage %, validation success rate, and automation rate — and reporting them to executive and board audiences, including accountability for the underlying data pipelines and SLAs
  • Experience designing and operating exposure programs across hybrid environments (public cloud, SaaS, on-prem, identity) at enterprise scale
  • Strong written and verbal communication, including proven experience briefing executive leadership and the board
  • 3+ years leading strategic response to high-impact security events under time pressure (zero-days, supply-chain incidents, active exploitation), including driving the shift from manual war-room response to automated, playbook-driven impact assessment and mobilization

Preferred Qualifications:

  • Demonstrated track record applying GenAI / LLMs to security operations problems (alert triage, exposure summarization, remediation guidance, detection engineering, threat-intel synthesis), including practical awareness of model-risk, prompt-injection, data-leakage, and non-human-identity exposure concerns
  • Hands-on experience with attack-graph / security-graph platforms (e.g., XM Cyber, Wiz Security Graph, Tenable One, Microsoft Security Exposure Management) and attack-path analysis at enterprise scale
  • Deep experience with modern data platforms and patterns relevant to security analytics — data lakehouse, streaming/event-driven ingestion, graph databases, identity/asset graphs, semantic layers, and federated query — and with data governance, lineage, and observability tooling
  • Experience integrating cyber threat intelligence (CTI) into prioritization and validation workflows, and mapping exposure findings to adversary TTPs (MITRE ATT&CK, D3FEND) relevant to healthcare-sector threat actors
  • Experience governing non-human / machine identity exposure — service accounts, API keys, OAuth tokens, secrets, and AI agent identities — including automated discovery, rotation, and least-privilege enforcement
  • Experience building automated mobilization and remediation pipelines using SOAR, ITSM (ServiceNow, Jira), patch and configuration management, and IaC (Terraform, GitOps) integrations — including automated change-management and rollback patterns
  • Healthcare-sector exposure experience: medical device security (FDA pre/post-market guidance, MDS2), PHI-handling clinical and pharmacy systems, retail-store endpoint estates, and healthcare OT/IoT
  • Experience operating exposure programs simultaneously against the SEC cyber-incident disclosure rule, HIPAA Security Rule, HITRUST CSF, PCI DSS 4.0, and NIST CSF 2.0
  • Experience extending exposure visibility and prioritization to critical third parties, SaaS providers, and software supply chain (SBOM, dependency, and build-system exposure)
  • Partnership experience with resilience, BCDR, and incident response leadership, ensuring exposure findings inform recovery planning and ransomware-readiness exercises
  • Industry certifications such as CISSP, GIAC (e.g., GCIH, GPEN, GXPN, GCDA), OSCP / OSCE, or equivalent
  • Open-source, publication, or community contribution in exposure management, vulnerability management, detection engineering, data architecture, or applied ML for security

Pay Range

The typical pay range for this role is:

$175,100.00 - $334,750.00


This pay range represents the base hourly rate or base annual full-time salary for all positions in the job grade within which this position falls.  The actual base salary offer will depend on a variety of factors including experience, education, geography and other relevant factors.  This position is eligible for a CVS Health bonus, commission or short-term incentive program in addition to the base pay range listed above.  This position also includes an award target in the company’s equity award program. 
 

Our people fuel our future. Our teams reflect the customers, patients, members and communities we serve and we are committed to fostering a workplace where every colleague feels valued and that they belong.

Great benefits for great people

We take pride in offering a comprehensive and competitive mix of pay and benefits that reflects our commitment to our colleagues and their families.

This full‑time position is eligible for a comprehensive benefits package designed to support the physical, emotional, and financial well‑being of colleagues and their families. The benefits for this position include medical, dental, and vision coverage, paid time off, retirement savings options, wellness programs, and other resources, based on eligibility.


Additional details about available benefits are provided during the application process and on Benefits Moments.

We anticipate the application window for this opening will close on: 09/30/2026

Qualified applicants with arrest or conviction records will be considered for employment in accordance with all federal, state and local laws.

02

Aplyr's read

CVS Health is a healthcare giant blending retail pharmacy with insurance services, ideal for those interested in diverse healthcare roles and innovation.

Synthesized from recent postings & public sources

What's promising

  • CVS Health's integration of pharmacy and insurance offers diverse career paths.
  • Strong focus on healthcare innovation with initiatives like HealthHUB locations.
  • Extensive national presence provides job stability and opportunities for relocation.

What to watch

  • Recent layoffs in certain divisions raise concerns about job security.
  • High-pressure retail environment may lead to employee burnout.
  • Complex organizational structure can slow decision-making processes.

Why CVS Health

  • CVS Health's acquisition of Aetna uniquely positions it in both retail and insurance sectors.
  • HealthHUB stores offer a distinctive model combining retail and healthcare services.
  • CVS Caremark provides a robust platform for pharmacy benefits management.

Aplyr’s read is generated by AI from public sources.

03

About CVS Health

CVS Health is a healthcare company that provides a range of services including pharmacy benefits management, retail pharmacy, and health insurance services.
