MTA – Vulnerability Management Analyst at McKesson
Irving, TX 75039, USA - Full Time


Start Date: Immediate
Expiry Date: 03 Dec, 25
Salary: 96900.0
Posted On: 03 Sep, 25
Experience: 4 year(s) or above
Remote Job: Yes
Telecommute: Yes
Sponsor Visa: No
Skills: Amazon Web Services, Nexpose, Addition, Bash, ISO, Market Evaluations, OWASP, Vulnerability Management, Nessus, Open Source, Business Acumen, Software Development, Computer Science, Microsoft Azure, Qualys, Information Assurance, Perl, PowerShell, Base Pay, GLBA, AWS
Industry: Information Technology/IT

Description

McKesson is an impact-driven, Fortune 10 company that touches virtually every aspect of healthcare. We are known for delivering insights, products, and services that make quality care more accessible and affordable. Here, we focus on the health, happiness, and well-being of you and those we serve – we care.
What you do at McKesson matters. We foster a culture where you can grow, make an impact, and are empowered to bring new ideas. Together, we thrive as we shape the future of health for patients, our communities, and our people. If you want to be part of tomorrow’s health today, we want to hear from you.

CRITICAL SKILLS

  • At least 3 - 4+ years’ experience in information security administration, vulnerability management or security operations.
  • Proficient with vulnerability management solutions such as Qualys, Nexpose, Nessus, Kenna Security, Tanium and open source.
  • Experience stabilizing systems to run minimal application requirements, least privilege and additional host hardening.
  • Understanding of Windows and *nix operating systems, endpoint applications, networking protocols and devices.
  • Preferably some experience with vulnerability management across Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP).
  • Experience conducting organization-wide vulnerability scanning and remediation processes.
  • Ability to obtain and maintain technical team and business support to influence a collaborative effort to reduce attack surface.
  • Knowledge of one or more compliance standards, including Payment Card Industry (PCI), Health Information Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), National Institute of Standards (NIST) or International Standards Organization (ISO).
  • Capable of scripting in Python, Bash, Perl or PowerShell.
  • Understanding of OWASP, CVSS, the MITRE ATT&CK framework and the software development lifecycle.

ADDITIONAL KNOWLEDGE AND SKILLS

  • Proven trustworthiness and history of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating well.
  • Self-starter requiring minimal supervision.
  • Excellence in communicating business risk and remediation requirements from assessments.
  • Analytical and problem-solving mindset.
  • Highly organized and efficient.
  • Demonstrated strategic and tactical thinking, along with decision-making skills and business acumen.
  • Preferably, one or more of the following: GCED, GCCC, GPEN, GCIH, CISSP or CRISC.

EDUCATION

  • Bachelor’s degree in computer science (preferred), information assurance, MIS or related field, or equivalent.

We are proud to offer a competitive compensation package at McKesson as part of our Total Rewards. This is determined by several factors, including performance, experience and skills, equity, regular job market evaluations, and geographical markets. The pay range shown below is aligned with McKesson’s pay philosophy, and pay will always be compliant with any applicable regulations. In addition to base pay, other compensation, such as an annual bonus or long-term incentive opportunities may be offered. For more information regarding benefits at McKesson, please click here.

Responsibilities

  • Work as a team to consistently learn and share advanced skills and foster team excellence.
  • Manage vulnerabilities across applications, endpoints, databases, networking devices, and mobile, cloud and third-party assets.
  • Conduct continuous discovery and vulnerability assessment of enterprise-wide assets.
  • Document, prioritize and formally report asset and vulnerability state, along with remediation recommendations and validation.
  • Communicate vulnerability results in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business, and gain support through influential messaging.
  • Procure and maintain tools and scripts used in asset discovery and vulnerability status.
  • Leverage vulnerability database sources to understand each weakness, its probability and remediation options, including vendor-supplied fixes and workarounds.
  • Support internal and external auditors in their duties that focus on compliance and risk reduction.
  • Collaborate with security groups such as red teams, threat intelligence and risk management to form a holistic team dedicated to thwarting attackers and reducing attack surface.
  • Work closely with infrastructure teams to advise and support remediation efforts to close vulnerability exposure to new threats in the wild and verify the organization’s security posture against them.
  • Regularly research and learn new TTPs in public and closed forums, and work with colleagues to assess risk and implement/validate controls as necessary.
  • Maintain an active database comprising third-party assets, their vulnerability state, remediation recommendations, overall security posture and potential threat to the business.
  • Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of misconfiguration, compromise or information leakage.
  • Periodically attend and participate in change management policy discussions and meetings.
  • Define key performance indicators (KPIs) and metrics across business units to illustrate effectiveness with vulnerability management.
  • Understand breach and attack simulation solutions for known vulnerabilities and work with the team to validate controls effectiveness.
  • Liaise with the security engineering team to improve tool usage and workflow, as well as with the advanced threats and assessment team to mature monitoring and response capabilities.
  • Perform other duties as assigned.

Minimum Requirements

Bachelor’s Degree or equivalent and typically requires 4+ years of relevant experience