Attack Surface Management Engineer

Montefiore is ranked among the top hospitals nationally and regionally by U.S. News & World Report. For more than 100 years we have been innovating new treatments, procedures, and approaches to patient care, producing stellar outcomes and raising the bar for academic medical centers in the region and around the world. Our work to improve health outcomes in underserved communities is unparalleled in the United States. Our workforce is among the most diverse in the US: Montefiore associates speak 60+ languages.

As a Cybersecurity Engineer in Montefiore Technology, you directly support patient safety, clinical operations, and the protection of sensitive health information. This role provides the opportunity to work deeply with modern security technologies while contributing to our mission-driven organization where cybersecurity is essential to care delivery. 

 
The Attack Surface Management (ASM) Engineer is a security engineering role responsible for conducting and supporting attack surface discovery, vulnerability management, and exposure reduction activities across a complex healthcare environment. Building upon foundational ASM analyst experience, this role emphasizes hands-on technical execution, operational discipline, and collaboration with IT, Clinical Engineering, Cloud, and Security Operations teams to reduce cyber risk while supporting patient care. 
 

Responsibilities:

• Work with architecture and engineering personnel to implement automation and orchestration solutions where appropriate to improve efficiency and reduce manual effort.
• Collaborate with IT, clinical teams, and other departments to ensure cybersecurity measures are integrated into everyday operations without disrupting patient care.
• Manage vendor relationships related to security solutions, testing services, and consulting engagements.
• Maintain security tools and services ensuring continued uptime and efficient execution of scanning activities.
• Work with DevOps, cloud, and IT infrastructure teams to incorporate secure development practices and vulnerability remediation into their workflows.
• Perform continuous device and asset discovery across IT, cloud, medical, and IoT/OT environments using approved ASM tooling.
• Review and validate asset discovery and vulnerability findings to identify unmanaged, unknown, or misclassified assets.
• Correlate exposure and vulnerability data with CMDBs, internal inventories, and cloud asset repositories to improve accuracy.
• Support the enterprise vulnerability management lifecycle by tracking findings from identification through remediation.
• Apply risk-based vulnerability prioritization using exploitability, asset criticality, and business impact.
• Coordinate with system, application, and device owners to validate their proposed remediation actions and timelines.
• Review third-party penetration testing results and assist with remediation tracking and validation.
• Collaborate with SOC and incident response teams to contextualize vulnerabilities during investigations.
• Develop and maintain technical documentation, SOPs, and workflows related to ASM processes.
• Contribute to dashboards, KPIs, and reporting that measure attack surface coverage, vulnerability aging, and risk reduction.
• Monitor vulnerability and threat trends relevant to healthcare and emerging technologies.
• Assist with automation and orchestration initiatives to improve ASM efficiency under manager guidance.

Requirements:

• Bachelor's degree or equivalent work experience. 

• 4 - 6 years Cybersecurity or IT experience with progression from vulnerability analysis, exposure management, or ASM analyst functions.  

• 4 - 6 years prior experience in highly regulated environments. 

• Strong proficiency with asset discovery and attack surface management technologies across on‑prem IT, cloud, and IoMT environments. 

• Strong ability to interpret, validate, and assess findings from attack surface management (ASM) and vulnerability management platforms. 

• Strong understanding of the vulnerability management lifecycle, including remediation processes and governance requirements. 

• Foundational experience correlating data across CMDBs, cloud inventories, and security tools. 

• Ability to communicate technical findings to non-technical stakeholders with guidance. 

• Working knowledge of healthcare cybersecurity frameworks including HIPAA, HITECH, NIST CSF, HITRUST, HICP, and NYSDOH 405.46. 

• Strong analytical skills with attention to detail and data accuracy. 

• Ability to operate effectively within defined processes and escalate appropriately. 

Preferred:

• Prior experience in healthcare
• One of the following certifications required or obtained within 18 months of hire:
  • CompTIA PenTest+
  • GIAC Security Essentials (GSEC)
  • Tenable Certified Nessus Auditor (TCNA)
  • CREST Registered Vulnerability Specialist (RVS)