Manager, Cloud & Infrastructure Vulnerability - USDS

About the Team The Validation and Verification (VnV) organization ensures the security and reliability of our products by validating that security controls are implemented correctly, operating effectively, and delivering measurable risk reduction across the enterprise.

VnV operates across a continuous security lifecycle: Prevent * Assure * Test * Fix * Prove, ensuring that security posture is not only designed and tested, but continuously validated in real-world conditions.

About the Role We are looking for a Vulnerability Management expert to lead the identification, prioritization, and remediation of security flaws across our specialized cloud environments and corporate office infrastructure. This role is at the heart of our defense strategy: you aren't just running scans; you are architecting a risk-based program that secures the very foundation of USDS.

You will lead a team of security practitioners to manage the full vulnerability lifecycle, from agent deployment in OCI to securing the physical and digital footprint of our office environments. By leveraging industry-leading tools like Wiz for cloud-native visibility and Qualys for deep asset assessment, you will ensure that our attack surface is minimized and our compliance with ISO 27001 and other standards is absolute.

Responsibilities

• Program Leadership: Build and scale the Vulnerability Management (VM) function for USDS, covering both Cloud and Office/Corporate Infrastructure.
• Cloud-Native Security: Utilize tools like Wiz to perform agentless scanning, analyze the "Security Graph" for toxic combinations, and identify misconfigurations within our Oracle Cloud (and other cloud) tenancies.
• Infrastructure Scanning: Manage the deployment and tuning of Qualys (Vulnerability Management, Detection and Response - VMDR) for corporate endpoints, servers, and office network appliances.
• Risk-Based Prioritization: Move beyond "critical/high" labels by correlating vulnerability data with threat intelligence and business context to drive the most impactful remediation efforts first.
• Cross-Functional Orchestration: Partner with SRE, IT, and Engineering teams to establish patching SLAs, automate remediation workflows, and provide technical guidance on complex "won't-fix" or exception scenarios.
• Office Infrastructure Security: Oversee the security posture of office networks, including firewalls, Wi-Fi controllers, and IoT devices, ensuring corporate environments meet USDS-specific hardening standards.
• Reporting & Governance: Define and report on key risk metrics (MTTR, scan coverage, patch compliance) for executive leadership and external auditors.
• Tooling Optimization: Act as the primary administrator for the Vulnerability Management toolset, ensuring 100% asset visibility and integrating findings into Jira and GRC platforms.

• Experience: 5+ years in Cybersecurity, with at least 3+ years leading a Vulnerability Management or Security Operations team.
• Cloud Expertise: Hands-on experience securing Oracle Cloud Infrastructure (OCI); familiarity with OCI VCNs, IAM, and Compute security. (Experience with AWS/Azure/GCP is also acceptable).
• Tooling Mastery: Advanced proficiency with Wiz (Cloud Security Posture Management) and Qualys (VMDR/Policy Compliance).
• Framework Knowledge: Strong understanding of NIST 800-53, ISO 27001, and CIS Benchmarks as they apply to vulnerability and configuration management.
• Technical Skills: Ability to write scripts (Python, Bash, or PowerShell) to automate data export/normalization or interact with security tool APIs., * Certifications: OCI Architect/Security Associate, Qualys Certified Specialist, or Wiz specialized training. Industry standards like CISSP, CCSP, or CISM.
• Infrastructure as Code (IaC): Experience reviewing Terraform or Ansible for security misconfigurations before deployment.
• Automation: Experience integrating vulnerability data into ITSM tools (ServiceNow, Jira) for automated ticket routing and tracking.
• Communication: Proven ability to explain the "so what?" of a vulnerability to non-technical stakeholders and business owners.

Paid parental leave, Parental leave, Health insurance, 401(k) matching, Vision insurance, Dental insurance, Paid sick time, Life insurance, Compensation may vary outside of this range depending on a number of factors, including a candidate's qualifications, skills, competencies and experience, and location. Base pay is one part of the Total Package that is provided to compensate and recognize employees for their work, and this role may be eligible for additional discretionary bonuses/incentives, and restricted stock units.

Benefits may vary depending on the nature of employment and the country work location. Employees have day one access to medical, dental, and vision insurance, a 401(k) savings plan with company match, paid parental leave, short-term and long-term disability coverage, life insurance, wellbeing benefits, among others. Employees also receive 10 paid holidays per year, 10 paid sick days per year and 17 days of Paid Personal Time (prorated upon hire with increasing accruals by tenure).

The Company reserves the right to modify or change these benefits programs at any time, with or without notice.

About USDS

TikTok USDS Joint Venture LLC is dedicated to the safety and security of millions of Americans who create, discover, and connect with what they love on the apps we operate. The Joint Venture has been established in compliance with the Executive Order signed by President Trump on September 25, 2025. Our foundation is a comprehensive data privacy and cybersecurity program we operate under defined safeguards to protect national security and secure U.S. user data, apps and the algorithm. We safeguard the U.S. content ecosystem, holding decision-making authority for trust and safety policies and moderation. USDS Joint Venture helps ensure Americans can continue to express their creativity, discover new hobbies and interests, and build thriving communities and businesses on a global scale.

On-site presence across teams allows the company to operate with greater speed, alignment, and agility - especially in areas like real-time decision-making, team development, and integrated execution. As such, the company is shifting from a hybrid work model to a fully in-person schedule up to 5 days a week.

Inspiring creativity is at the core of TikTok's mission. Our innovative product is built to help people authentically express themselves, discover and connect - and our global, diverse teams make that possible. Together, we create value for our communities, inspire creativity and bring joy - a mission we work towards every day., TikTok is committed to creating an inclusive space where employees are valued for their skills, experiences, and unique perspectives. Our platform connects people from across the globe and so does our workplace. At TikTok, our mission is to inspire creativity and bring joy. To achieve that goal, we are committed to celebrating our diverse voices and to creating an environment that reflects the many communities we reach. We are passionate about this and hope you are too.