Penetration Testing Manager

Job Description

Overview

AARP is the nation's largest nonprofit, nonpartisan organization dedicated to empowering people 50 and older to choose how they live as they age. With a nationwide presence, AARP strengthens communities and advocates for what matters most to the more than 100 million Americans 50-plus and their families: health and financial security, and personal fulfillment. AARP also works for individuals in the marketplace by sparking new solutions and allowing carefully chosen, high-quality products and services to carry the AARP name. As a trusted source for news and information, AARP produces the nation's largest-circulation publications, AARP The Magazine and the AARP Bulletin.

Information Technology Services is responsible for AARP enterprise-wide technology and information security functions. Services range from infrastructure design and operations, system and software lifecycle implementations, enabling the mobile workforce and protecting AARP network, systems and data. A variety of technologies and practices are used including cloud computing, automation, artificial intelligence and machine learning within highly collaborative Agile teams.

The Penetration Testing Manager manages, plans, and assesses the oversight of information security controls. The role drives risk and information security control implementation projects, which may include operational, regulatory, or compliance components, and provides subject matter expertise on information security control implementation to the organization. It advises management on information security controls and their alignment with information security frameworks, internal policies and procedures, and applicable laws and regulations. The Penetration Testing Manager oversees the implementation of methodologies to track risks and control alignment, including technology solutions, and the documentation, awareness, and training necessary for the effective use of such technologies. The role also executes special projects for senior management.


Responsibilities

  • Assists and/or leads training and education sessions on emerging risks and information security controls to mitigate those risks for the benefit of the department and organization.
  • Collaborates with other organization personnel to identify and implement controls and/or process improvements to reduce risk, including solutions to manage risks more effectively in support of the business unit or organization’s goals.
  • Communicates alignment of information security controls with established frameworks to business owners, managers, and executives in an understandable and compelling way to drive risk-mitigation adoption.
  • Plans, leads, manages, and executes risk-based assessments of information security controls, working collaboratively with management to identify and mitigate top risks.
  • Provides leadership and guidance for co-sourced subject matter experts and staff to deliver consistent and exceptional client service in execution of information security control assessments and risk and controls advisory projects.
  • Serves as operational liaison across the organization's portfolio of companies to manage and mitigate information security risks in a consistent manner, sharing lessons learned and identifying areas of risk for mitigation.
  • Stays abreast of current and emerging operational and regulatory risks and assesses the risk’s relevance to the organization and its operations to continuously prepare and protect the organization.
  • Defines work using agile frameworks and practices and in alignment with information security GRC outcomes.

Qualifications

  • Bachelor's degree or equivalent in Cybersecurity, Information Technology, Computer Science, Engineering, or related field.
  • 3+ years of prior experience in performing penetration tests and/or managing penetration testing activities conducted by third parties.
  • Demonstrated ability to prioritize and coordinate remediation of penetration test results and other vulnerabilities with cross-functional teams.
  • Familiarity with penetration testing methods and tools (e.g., Metasploit, BurpSuite, Nmap) to find attack paths across diverse technologies (e.g., network, web applications, mobile applications, cloud infrastructure, etc.).
  • GIAC, IIS, CompTIA, or equivalent certification in penetration testing and/or Ethical Hacking, or the ability to obtain one within 3 months, preferred.
  • 3+ years assessing and providing implementation guidance on information security controls, and delivering value-added security control implementation metrics to diverse organizational audiences.
  • Strong written and verbal communication skills with demonstrated experience translating complex, technical topics into simple, understandable terms.
  • Progressive IT and security program management experience and use of agile delivery methodologies, including Scrum and Kanban.

AARP will not sponsor an employment visa for this position at this time.

Additional Requirements

  • Regular and reliable job attendance
  • Effective verbal and written communication skills
  • Exhibit respect and understanding of others to maintain professional relationships
  • Independent judgment in evaluating options to make sound decisions
  • Home office environment with the ability to work effectively surrounded by moderate home environment noise

Compensation and Benefits

AARP offers a competitive compensation and benefits package including a 401(k); 100% company-funded pension plan; health, dental, and vision plans; life insurance; paid time off to include company and individual holidays, vacation, sick, caregiving, and parental leave; performance-based and peer-based recognition and tuition reimbursement.

Equal Employment Opportunity

AARP is an equal opportunity employer committed to hiring a diverse workforce and sustaining an inclusive culture. AARP does not discriminate on the basis of race, ethnicity, religion, sex, color, national origin, age, sexual orientation, gender identity or expression, mental or physical disability, genetic information, veteran status, or on any other basis prohibited by applicable law.