3M Attack Surface Management Lead 

United States, Texas, Austin 

755449557

Job Description:

Attack Surface Management Lead

The Impact You Will Make in this Role:

The Attack Surface Management (ASM) Lead will drive the identification, analysis, and reduction of the organization's digital and physical exposure across cloud, on-prem, OT, and third-party environments. This role will lead the enterprise-wide ASM strategy, combining external threat visibility with internal exposure reduction, and will oversee related functions such as vulnerability management, asset discovery, and exposure monitoring. ​

Key Responsibilities:

​

• Define and execute the enterprise Attack Surface Management strategy across cloud, on-premises, and external environments. ​

• Lead and mentor a cross-functional ASM team, including direct oversight of the Vulnerability Management (VM) and Threat Intel & Testing Manager

• Establish clear goals, success metrics, and maturity roadmaps for ASM including VM and Threat Intel & Testing functions. ​

• Collaborate with IT, cloud, OT, and third-party risk teams to align ASM initiatives with organizational risk priorities. ​

• Manage vendor relationships and toolsets supporting ASM, external scanning, and attack surface discovery platforms.​

• Lead efforts to map, monitor, and validate known and unknown assets, services, and digital exposures. ​

• Implement continuous discovery and monitoring of exposed assets and services, including shadow IT, abandoned infrastructure, expired domains, and misconfigured cloud resources. ​

• Develop and maintain asset classification and tagging strategies to support risk-based prioritization and contextual analysis. ​

• Correlate ASM findings with threat intelligence feeds and vulnerability data to identify high-risk exposures and inform remediation efforts. ​

• Define and implement processes for validation, triage, and escalation of ASM findings in coordination with vulnerability management and SOC teams. ​

• Oversee integration of ASM platforms with SIEM/SOAR solutions (e.g., Sentinel, Splunk, ServiceNow) to automate alerting, ticketing, and response workflows. ​

• Collaborate with security engineering and architecture teams to implement preventive controls, such as automated remediation, segmentation, or blocking of exposed services. ​

• Analyze trends and patterns in exposure data to identify systemic issues, control gaps, and architectural weaknesses.​

• Translate ASM insights into business risk terms and influence remediation priorities with stakeholders. ​

• Report attack surface trends, exposure metrics, and risk posture to senior leadership and governance forums. ​

• Collaborate with Security Architecture and GRC to integrate ASM outputs into risk registers and architectural reviews. ​

• Ensure ASM-related processes and reporting support regulatory, compliance, and audit requirements.

Your Skills and Expertise:

To set you up for success in this role from day one, 3M requires (at a minimum) the following qualifications:

• Bachelor's degree in cybersecurity or computer science (completed and verified prior to start) from an accredited university.

• Seven (7) years of experience in cybersecurity, with at least 2 years focused on ASM, external threat management, or exposure reduction in a private, public, government or military environment ​

Additional qualifications that could help you succeed even further in this role include:

• Relevant certifications (e.g., CISSP, OSCP, GIAC, CRTO) preferred.​

• Proven leadership experience managing security functions and personnel, ideally including vulnerability management. ​

• Strong understanding of enterprise architectures, networking, cloud environments (Azure, AWS, GCP), and OT/IoT systems. ​

• Experience with ASM tools (e.g., Randori, Censys, Shodan, Palo Alto Xpanse) and vulnerability platforms (e.g., Wiz, Qualys, Microsoft Defender TVM). ​

• Familiarity with threat modeling frameworks, MITRE ATT&CK, and risk-based prioritization methodologies. ​

• Strong verbal and written communication skills, including experience presenting to executives and technical stakeholders. ​

• Strong leadership and people management skills with cross-functional influence. ​

• Deep understanding of ASM concepts, tools, and exposure management lifecycle. ​

• Experience managing or integrating vulnerability management functions. ​

• Expertise in asset discovery, external reconnaissance, and attack path mapping. ​

• Ability to translate technical risks into business impacts. ​

• Familiarity with hybrid infrastructure (cloud, on-prem, OT, third-party). ​

• Knowledge of security architecture principles and IT/OT convergence challenges. ​

• Skilled in vendor evaluation, tool selection, and capability building. ​

• Competence in data analysis and reporting using dashboards or BI tools. ​

• Excellent documentation and communication skills, with a focus on executive reporting and technical clarity.​

Please note: your application may not be considered if you do not provide your education and work history, either by: 1) uploading a resume, or 2) entering the information into the application fields directly.

Please access the linked document by clicking select the country where you are applying for employment, and review. Before submitting your application, you will be asked to confirm your agreement with the terms.