Ally Financial Careers

At Ally, you get a startup feel, but experience the benefits of a company that has worked out the kinks and is fulfilling its purpose. We are always evolving and see that as a good thing. From owning our work to seeing its impact in the real world, our team is relentless in finding new ways technology can help make experiences better and help people. We are problem solvers, we value diverse thinking, we support one another, and we challenge ourselves to think bigger in the journey to deliver customer-obsessed tech solutions. To read more about what our tech team does, be sure to visit our tech blog at ally.tech

Ally is seeking a highly skilled and experienced Director of Vulnerability Management to lead our Vulnerability Management program. The successful candidate will be responsible for collaborating with various technology teams to report, remediate, and manage technical vulnerabilities within their respective areas. This role involves designing and implementing new vulnerability management processes, risk and control frameworks, and addressing risk issues or regulatory findings as necessary.

At this time, Ally will not sponsor a new applicant for employment authorization for this position.

• Lead the overall Vulnerability Management program at Ally.
• Collaborate with CIO teams to identify, report, and remediate technical vulnerabilities.
• Design and implement new vulnerability management processes and risk control frameworks.
• Assist in the remediation of risk issues or regulatory findings.
• Manage and lead a team of Remediation Coordinators.
• Communicate effectively with stakeholders and team members.
• Analyze and manipulate complex data to support vulnerability management efforts.

Required Qualifications:

• Develop and lead the enterprise-wide vulnerability remediation team, aligning with cybersecurity, risk, and compliance frameworks.
• Strong leadership and stakeholder management skills, with experience engaging CTO, CISO, CIO, and regulatory bodies.
• Maintain or update policies, standards, and best practices for vulnerability identification, prioritization, and remediation.
• Collaborate with risk management, audit, and compliance teams to ensure regulatory reporting and risk mitigation strategies are met.
• Align vulnerability management processes with FFIEC, OCC, GLBA, NIST, SOX, and PCI-DSS regulatory requirements.
• Lead the end-to-end vulnerability detection, risk assessment, and remediation execution across cloud, on-premises, and third-party environments.
• Work with IT, DevOps, and engineering teams to integrate security patching and vulnerability remediation into operational workflows.
• Collaborate with IT infrastructure, application security, and DevSecOps teams to ensure timely patching, configuration hardening, and secure coding practices.
• Drive continuous improvement initiatives to enhance vulnerability detection, threat intelligence, and risk reduction.
• Maintain a risk-based vulnerability prioritization model using CVSS scores, threat intelligence, business impact analysis among other criteria
• Maintain executive-level dashboards and reporting on vulnerability trends, risk posture, and compliance adherence.
• Provide regular briefings to senior leadership and cybersecurity committees as needed.
• Act as a key stakeholder in security incident response, coordinating with SOC, threat intelligence, and forensics teams on vulnerability exploitation scenarios.
• Lead incidents for critical vulnerabilities to expedite remediation. Conduct post-mortem analyses on critical vulnerabilities and breaches to strengthen future resilience

Preferred Qualifications:

• Bachelor's degree in Information Sciences, Cybersecurity, or a related technology field.
• Minimum of 7+ years of experience in cybersecurity / technology management.
• CISSP, CISM, OSCP, CRISC, or GIAC certifications.
• Strong expertise in vulnerability management tools (e.g., Qualys, Rapid7, ServiceNow VR, Prisma Cloud, GitLab, AWS Security Hub).
• Experience in highly regulated banking environments, ensuring compliance with FFIEC, OCC, GLBA, SOX, PCI-DSS, NIST 800-53, and CIS benchmarks.
• Strong knowledge of cloud security vulnerabilities (AWS, Azure) and container security (Kubernetes, Docker).
• Experience working with patch management solutions, threat intelligence platforms, and security automation.
• Familiarity with risk-based vulnerability prioritization frameworks (e.g., EPSS, MITRE ATT&CK, CVSS v3+).
• Knowledge of DevSecOps practices and secure CI/CD pipeline integration.
• Strong communication and interpersonal leadership skills.
• Proficiency with data analysis and data manipulation.