Manager, Attack Surface Management (ASM)

ABOUT THE DEPARTMENT

The University of Southern California (USC) is advancing its cybersecurity posture with a renewed focus on resilience, cyber risk management, and threat-informed defense. As a world-class research institution, USC is building a culture of security that supports its academic and research mission in a rapidly evolving threat landscape.

This role sits within a newly restructured cybersecurity organization that’s leading this transformation. You’ll join a team focused on scalable, proactive defense strategies, incident preparedness, and operational excellence—working alongside experts who are deeply committed to service, innovation, and impact.

If you’re driven by purpose, thrive in complexity, and want to help shape the future of cybersecurity at a leading university, we invite you to bring your leadership to the table.

POSITION SUMMARY

As the Manager, Attack Surface Management (ASM) you will be an integral leader of the cybersecurity department while also collaborating with stakeholders across the university ecosystem, and reporting to the Cyber Defense Director.  This is a full-time exempt position, eligible for all of USC’s fantastic Benefits + Perks.  This opportunity is remote.

The Manager, Attack Surface Management (ASM) leads the university’s Attack Surface Management (ASM) program, integrating vulnerability management, cyber threat intelligence (CTI), and vendor-led managed security services (MSSPs) aligning to threat-informed defenses. Responsible for external and internal attack surface visibility, prioritized remediation, and adversary-informed defense design. Responsible for overseeing vulnerability assessments, penetration testing, and proactive risk mitigation to safeguard the university's digital assets. Directs third-party security providers (e.g., managed services, professional services) as well as coordination with cross functional cyber teams to implement attack surface management strategies. Responsible for establishing processes for the ASM team to continuously monitor and utilize security tools to assess the university's digital footprint, identifying vulnerabilities (internal and external), and implementing measures to mitigate risks and provide recommended remediation action.

The Manager, Attack Surface Management (ASM) will:

• Oversees the entire attack surface management process (e.g., detection, monitoring, reporting, impact assessment). Defines and maintains criteria to prioritize vulnerabilities based on risk, potential impact, and business continuity needs. Leads ASM program strategy, operations, the execution of security and vulnerability scans to identify and mitigate risks proactively in a university environment.

• Develops and implements strategic remediation plans to minimize the university’s internal and external attack surface. Works with IT teams, Information Security Officers (ISOs), and Cyber Governance to ensure timely and effective remediation of vulnerabilities. Collaborates with ISOs and Cyber Governance to engage with DSUs to provide expert guidance on risk mitigation strategies. Continuously improves processes for addressing vulnerabilities, application security risks, and cyber threat intelligence gaps.

• Leads the development of use cases and requirements for ASM security tools, ensuring proper configuration and deployment. Manages and directs third-party security service providers that support ASM capabilities (e.g. vulnerability and cyber threats). Ensures effective use of security tools such as vulnerability scanners, penetration testing platforms, and automated monitoring solutions. Manages and directs managed service providers utilized to enable ASM capabilities. Oversees managed service provider performance, defines KPIs, manages delivery quality, and guides threat-hunting activities. Monitors the latest security threats, vulnerabilities, and industry best practices to proactively adapt ASM strategies. Serves as an ASM subject-matter expert, aligning intelligence requirements with cyber defense strategies. Directs vulnerability assessments, penetration testing, and risk management activities to enhance security resilience. Provides tailored remediation guidance to DSUs based on threat telemetry and unit-specific exposures.

• Assists in security incident response efforts, focusing on attack surface exploitation and future risk mitigation. Ensures attack surface management aligns with broader cybersecurity frameworks, compliance regulations, and organizational risk management policies. Formalizes and maintains the criteria and framework to prioritize vulnerabilities based on risk and potential impact. Collaborates with IT teams to ensure attack surface initiatives comply with regulatory frameworks and industry standards. Provides regular reports on vulnerability status, attack surface trends, and risk mitigation effectiveness.

• Supports strategic planning efforts related to cybersecurity, compliance, and risk management. Focuses on continuous improvement to mitigate risks associated with vulnerabilities, application security, and cyber threat intelligence. Collaborates with IT teams and stakeholders to validate effective end-to-end vulnerability remediation and maintain a consistent customer experience. Collaborates with ISOs and Cyber Governance to engage with DSUs to advise on recommended remediation strategies for vulnerabilities.

• Participates in staff management activities (e.g., hiring, coaching, training, performance reviews, pay actions, and promotions). Offers recommendations to leadership on security monitoring and incident response strategies based on informed analysis.

• Maintains awareness and knowledge of current changes within legal, regulatory, and technology environments which may affect operations. Encourages a workplace culture where all employees are valued, value others and have the opportunity to contribute through their ideas, words and actions, in accordance with the USC Code of Ethics.

MINIMUM QUALIFICATIONS

Great candidates for the position of Manager, Attack Surface Management (ASM) will meet the following qualifications:

• 5 years in attack surface and vulnerability management.

• A bachelor's degree or combined experience/education as substitute for minimum education.

• Strong understanding of attack surface management, security testing practices, and methodologies.

• Ability to develop and implement a comprehensive attack surface management strategy that aligns with the university’s objectives and risk appetite.

• Deep understanding of cybersecurity principles, attack vectors, and the threat landscape.

• Familiarity with MITRE ATT&CK, Diamond Model, OWASP Top 10, and CVSS frameworks

• Experience operationalizing CTI and IOCs across SIEM, EDR, and ASM workflows

• Ability to assess business risks and recommend suitable cybersecurity measures.

• Adaptability to changes in the external environment and organizational shifts.

• Knowledge of system, application, and database hardening techniques.

• Effective communication skills and the ability to interact with all organizational levels.

• Project management experience and the ability to lead complex security initiatives.

• Ability to collaborate and manage managed service providers, including MSSPs, SLA tracking, contract influence, performance oversight.

• Ability to engage with other teams across the cybersecurity function to push for continuous improvement of the attack surface management capability.

• Experience managing MSSPs, including SLA tracking, contract influence, and performance oversight

• Commitment to staying current with the latest security threats, trends, and technologies.

• Strong leadership and people management skills.

• Solid technical knowledge and troubleshooting skills.

• Ability to work effectively in high-stress situations and manage crisis situations.

• Skilled in communicating with a wide range of stakeholders and business partners.

• Experience in the management and/or implementation of security monitoring, anti-malware, and vulnerability management technologies.

• In-depth experience in application security management and knowledge of cyber threat intelligence.

• Comprehensive knowledge of cloud computing and associated security challenges.

• Ability to work evenings, weekends and holidays as the schedule dictates.

PREFERRED QUALIFICATIONS

Exceptional candidates for the position of Manager, Attack Surface Management (ASM) will also bring the following qualifications or more:

• 7 years relevant experience.

• 3 years leading a vulnerability management program, with the ability to prioritize projects and deliverables

• Demonstrated success building or evolving a program from scratch

• Strong interpersonal and communication skills

• A Master's degree

• Cyber certification (e.g., CISSP, GIAC, CISM).

In addition, the successful candidate must also demonstrate, through ideas, words and actions, a strong commitment to USC’s Unifying Values of integrity, excellence, community, well-being, open communication, and accountability.

SALARY AND BENEFITS

The annual base salary range for this position is $186,100.12 to $227,349.86. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate’s work experience, education/training, key skills, internal peer alignment, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations.

To support the well-being of our faculty and staff, USC provides benefits-eligible employees with a broad range of perks to help protect their and their dependents’ health, wealth, and future. These benefits are available as part of the overall compensation and total rewards package. You can learn more about USC’s comprehensive benefits here.

Join the USC cybersecurity team within an environment of innovation and excellence.

Minimum Education: Bachelor's degree Addtional Education Requirements Combined experience/education as substitute for minimum education Minimum Experience: 5 years in attack surface and vulnerability management. Minimum Skills: Strong understanding of attack surface management, security testing practices, and methodologies. Ability to develop and implement a comprehensive attack surface management strategy that aligns with the university’s objectives and risk appetite. Deep understanding of cybersecurity principles, attack vectors, and the threat landscape. Familiarity with MITRE ATT&CK, Diamond Model, OWASP Top 10, and CVSS frameworks Experience operationalizing CTI and IOCs across SIEM, EDR, and ASM workflows Ability to assess business risks and recommend suitable cybersecurity measures. Adaptability to changes in the external environment and organizational shifts. Knowledge of system, application, and database hardening techniques. Effective communication skills and the ability to interact with all organizational levels. Project management experience and the ability to lead complex security initiatives. Ability to collaborate and manage managed service providers, including MSSPs, SLA tracking, contract influence, performance oversight. Ability to engage with other teams across the cybersecurity function to push for continuous improvement of the attack surface management capability. Experience managing MSSPs, including SLA tracking, contract influence, and performance oversight Commitment to staying current with the latest security threats, trends, and technologies. Strong leadership and people management skills. Solid technical knowledge and troubleshooting skills. Ability to work effectively in high-stress situations and manage crisis situations. Skilled in communicating with a wide range of stakeholders and business partners. Experience in the management and/or implementation of security monitoring, anti-malware, and vulnerability management technologies. In-depth experience in application security management and knowledge of cyber threat intelligence. Comprehensive knowledge of cloud computing and associated security challenges. Preferred Education: Master's degree Preferred Certifications: Cyber certification (e.g., CISSP, GIAC, CISM). Preferred Experience: 7 years With 3 years leading a vulnerability management program, with the ability to prioritize projects and deliverables.