Tomorrow’s health is… Tackling challenges no one else can.

Job Title: MTAP - Vulnerability Disclosure Program Lead

McKesson is growing– and we’re hiring! Our Vulnerability Disclosure Program is evolving, and we need a dynamic cybersecurity lead to take the reins. We're looking for someone who’s not just tech-savvy but also a natural connector, with a knack for transforming a vulnerability disclosure program into a world-class Bug Bounty initiative. If you’ve got a keen eye for root cause analysis and can seamlessly navigate interactions with external researchers, we want you on our team.  

The ideal candidate will have a background in cybersecurity and experience with vulnerability management. You’ll serve as a bridge between McKesson and the external research community, ensuring disclosures are handled with finesse and that our internal teams are aligned and ready to act. Working closely with key departments such as legal, compliance, and product development, your role will be pivotal in fortifying McKesson’s cybersecurity posture.  

Join us and become part of a team that’s all about transparency, collaboration, and proactive risk management. This is your chance to make a significant impact on our organization’s resilience and reputation within the cybersecurity community. You’ll be at the forefront of driving our mission to enhance stakeholder trust and uphold our organizational values. 

Come join McKesson’s amazing future and be a catalyst for change!

Key Responsibilities: 

• Program Development: Design and implement a comprehensive Vulnerability Disclosure Program that aligns with industry best practices and evolves into a robust Bug Bounty initiative. 
• Stakeholder Collaboration: Work closely with internal teams, including legal, compliance, and product development, to ensure vulnerabilities are addressed promptly and efficiently. 
• External Researcher Engagement: Build and maintain strong relationships with external security researchers and ethical hackers to facilitate effective vulnerability reporting and resolution. 
• Root Cause Analysis: Conduct thorough root cause analyses of reported vulnerabilities and provide actionable recommendations to mitigate risks. 
• Policy and Procedure Enhancement: Develop and refine policies and procedures to ensure a consistent and transparent approach to vulnerability disclosure and management. 
• Education and Training: Conduct training sessions and workshops to educate internal teams on the importance of vulnerability management and the role of the Bug Bounty program. 
• Incident Response Coordination: Collaborate with incident response teams to ensure timely and effective handling of disclosed vulnerabilities and security incidents. 
• Metrics and Reporting: Establish metrics to track program performance and effectiveness and provide regular reports to senior management and stakeholders. 
• Market Awareness and Adaptation: Stay informed about emerging cybersecurity threats and trends to ensure the program remains relevant and proactive. 
• Advocacy and Communication: Act as an advocate for transparency and proactive risk management within the organization, promoting a culture of security awareness and continuous improvement. 

Education Requirements

• BA/BS degree or equivalent experience 

Skills and Experience

Minimum Requirements:

• Requires 10+ years of professional work experience 
• Requires 3+ years of vulnerability disclosure or bug bounty experience (from any point of view) 

Required Skills:

• 5+ years of experience in cybersecurity, particularly in vulnerability management and disclosure processes. 
• 3+ years of experience in root cause analysis with the ability to provide strategic recommendations for risk mitigation. 
• Proven ability to engage and collaborate with external researchers and ethical hackers to facilitate vulnerability reporting. 
• Expertise in coordinating with internal teams, including legal, compliance, and product development, to ensure effective vulnerability resolution. 
• Excellent communication skills to convey complex security issues to diverse audiences, including technical teams and business stakeholders. 
• Demonstrated ability to apply an empathetic approach when interacting with both internal teams and external researchers, fostering a collaborative and respectful environment. 
• Familiarity with regulatory and compliance standards relevant to the healthcare industry, such as HIPAA and HITRUST. 
• Experience in developing and implementing policies and procedures that promote transparency and proactive risk management. 
• Ability to manage and prioritize multiple tasks and projects in a dynamic environment.  

Preferred Skills:

• 2+ years of experience leading a Bug Bounty or similar vulnerability disclosure program. 
• Knowledge of the healthcare industry's unique cybersecurity challenges and regulatory requirements. 
• 3+ years of experience with incident response and crisis management in a healthcare setting. 
• Familiarity with cloud security practices and technologies, particularly those used in healthcare IT environments. 
• Strong analytical skills and the ability to interpret security data to drive informed decision-making. 
• Proficiency in using security metrics to track program performance and effectiveness. 
• Experience in fostering a culture of security awareness and continuous improvement within an organization. 

Certification Requirements:

Preferably, one or more (or working toward one or more) of the following: CCSP, CISSP, CEH, OSCP, GPEN, Security+, AWS Certified Cloud Practitioner, or additional AWS advanced certifications such as AWS Certified DevOps Engineer 

Physical Requirements: General Office Demands  

Candidate must be authorized to work in the U.S, now or in the future, without the support from McKesson.

Relocation is NOT budgeted for this position.