Analyst, Attack Surface Management (ASM)

ABOUT THE DEPARTMENT

The University of Southern California (USC) is advancing its cybersecurity posture with a renewed focus on resilience, cyber risk management, and threat-informed defense. As a world-class research institution, USC is building a culture of security that supports its academic and research mission in a rapidly evolving threat landscape.

This role sits within a newly restructured cybersecurity organization that's leading this transformation. You'll join a team focused on scalable, proactive defense strategies, incident preparedness, and operational excellence-working alongside experts who are deeply committed to service, innovation, and impact.

If you're driven by purpose, thrive in complexity, and want to help shape the future of cybersecurity at a leading university, we invite you to bring your leadership to the table.

POSITION SUMMARY

As the Analyst, Attack Surface Management (ASM) you will be an integral member of the cybersecurity department while also collaborating with stakeholders across the university ecosystem, and reporting to the ASM Manager. This is a full-time exempt position, eligible for all of USC's fantastic Benefits + Perks. This opportunity is remote.

The Analyst, Attack Surface Management (ASM) works to identify, assess, and mitigate vulnerabilities across the university's digital environment. Responsible for continuously monitoring and managing the university's attack surface (e.g., on-premises and cloud-based systems, network perimeter, Operational Technology (OT) environments, applications, and external-facing services) to prevent unauthorized access and data breaches. Works with cross-functional teams (e.g., Cyber Threat Intel, Cyber Defense, Cyber Governance) to identify and prioritize threats utilizing vulnerability assessments, penetration testing, and risk evaluations. Collaborates with university IT teams, Departments Schools Units (DSUs), and other stakeholders to implement effective security controls. Works with USC Defense to support security response efforts and ensures ASM practices align with regulatory compliance and university cybersecurity policies.

The Analyst, Attack Surface Management (ASM) will:

• Identifies, catalogs, and continuously maintains an inventory of the university's digital assets (e.g., on-premises and cloud-based systems, Operational Technology (OT) environments, applications, and services).
  Consistently monitors the university's digital environment for new threats, changes to the attack surface, and emerging risks.

• Conducts vulnerability assessments, attack and penetration testing, and risk evaluations to determine security gaps. Scans digital assets for vulnerabilities, assesses their potential impact, and prioritizes risks based on severity. Analyzes potential threats and their impact on the university's systems, applications, and data. Recommends appropriate mitigation strategies.

• Develops and recommends appropriate mitigation strategies to reduce identified risks.
  Works with IT teams, Departments, Schools, and Units (DSUs), and other stakeholders to validate and implement effective remediation. Ensures timely application of security patches and updates to minimize vulnerabilities (e.g., Patch Management).

• Assists in responding to security incidents, focusing on how the attack surface was exploited and how to prevent future attacks. Serves as a subject matter expert (SME) in Attack Surface Management (ASM), formulating and prioritizing intelligence requirements within a risk management framework.

• Provides regular reports on the attack surface status, including potential risks, vulnerabilities, and the effectiveness of implemented security controls. Ensures ASM strategies align with university cybersecurity policies and compliance requirements.

• Engages with IT teams and DSUs to advise on remediation strategies and best practices for reducing the attack surface. Integrates ASM efforts into broader security and risk management initiatives to validate end-to-end remediation.

• Maintains awareness and knowledge of changes within legal, regulatory, and technology environments which may affect operations. Promotes a workplace culture aligned with USC's Code of Ethics, where all employees are valued and empowered to contribute.

MINIMUM QUALIFICATIONS

Great candidates for the position of Analyst, Attack Surface Management (ASM) will meet the following qualifications:

• 2 years of experience in attack surface and vulnerability management.

• A bachelor's degree or combined experience and education as substitute for minimum education.

• Ability to interface with teams across the CISO Office and ITS, such as Enterprise and Infrastructure Services, and across USC IT teams.

• Thorough understanding of technology, tools, policies, and standards related to security systems and incident response.

• Understanding of Operational Technology environments and the security requirements needed to support them.

• Technical knowledge of Cyber Defense concepts, including incident response, security monitoring, cyber threat

• intelligence, attack surface, and vulnerability management.

• Strong leadership and people management skills.

• Solid technical knowledge and troubleshooting skills.

• Ability to work effectively in high-stress situations and manage crisis situations.

• Skilled in communicating with a wide range of stakeholders and business partners.

• Experience in the management and/or implementation of security monitoring, anti-malware, and vulnerability management technologies.

• In-depth experience in application security management and knowledge of cyber threat intelligence.

• Strong understanding of ASM management, security testing practices, and methodologies.

• Experience in building infrastructure and application vulnerability management programs.

• Comprehensive knowledge of cloud computing and associated security challenges.

• Ability to assess business risks and recommend suitable cybersecurity measures.

• Familiarity with common vulnerability frameworks such as CVSS and OWASP Top 10.

• Adaptability to changes in the external environment and organizational shifts.

• Knowledge of system, application, and database hardening techniques.

• Effective communication skills and the ability to interact with all organizational levels.

• Project management experience and the ability to lead complex security initiatives.

• Commitment to staying current with the latest security threats, trends, and technologies.

PREFERRED QUALIFICATIONS

Exceptional candidates for the position of Analyst, Attack Surface Management (ASM) will also bring the following qualifications or more:

• 5 years of related experience in IT security roles with hands-on vulnerability analysis

• A master's degree.

• Strong understanding of cybersecurity threats and remediation practices

• Ability to communicate effectively across technical and non-technical audiences

In addition, the successful candidate must also demonstrate, through ideas, words and actions, a strong commitment to USC's Unifying Values of integrity, excellence, community, well-being, open communication, and accountability.

SALARY AND BENEFITS

The annual base salary range for this position is $112,575.21-$127,577. When extending an offer of employment, the University of Southern California considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate's work experience, education/training, key skills, internal peer alignment, federal, state, and local laws, contractual stipulations, grant funding, as well as external market and organizational considerations.

To support the well-being of our faculty and staff, USC provides benefits-eligible employees with a broad range of perks to help protect their and their dependents' health, wealth, and future. These benefits are available as part of the overall compensation and total rewards package. You can learn more about USC's comprehensive benefits here.

Join the USC cybersecurity team within an environment of innovation and excellence.

Minimum Education: Bachelor's degree
Addtional Education Requirements Combined experience/education as substitute for minimum education
Minimum Experience: 2 years in attack surface and vulnerability management.
Minimum Skills: Ability to interface with teams across the CISO Office and ITS, such as Enterprise and Infrastructure Services, and across USC IT teams. Thorough understanding of technology, tools, policies, and standards related to security systems and incident response. Understanding of Operational Technology environments and the security requirements needed to support them. Technical knowledge of Cyber Defense concepts, including incident response, security monitoring, cyber threat intelligence, attack surface, and vulnerability management. Strong leadership and people management skills. Solid technical knowledge and troubleshooting skills. Ability to work effectively in high-stress situations and manage crisis situations. Skilled in communicating with a wide range of stakeholders and business partners. Experience in the management and/or implementation of security monitoring, anti-malware, and vulnerability management technologies. In-depth experience in application security management and knowledge of cyber threat intelligence. Strong understanding of ASM management, security testing practices, and methodologies. Experience in building infrastructure and application vulnerability management programs. Comprehensive knowledge of cloud computing and associated security challenges. Ability to assess business risks and recommend suitable cybersecurity measures. Familiarity with common vulnerability frameworks such as CVSS and OWASP Top 10. Adaptability to changes in the external environment and organizational shifts. Knowledge of system, application, and database hardening techniques. Effective communication skills and the ability to interact with all organizational levels. Project management experience and the ability to lead complex security initiatives. Commitment to staying current with the latest security threats, trends, and technologies.
Preferred Education: Master's degree
Preferred Experience: 5 years