AVP Offensive Security
JOB DESCRIPTION
Flexible hybrid work environment: 4-days a week in office.
Why GMF Cybersecurity?
Our Cybersecurity team is tasked with security engineering, regulatory response, third party risk, and incident response capabilities necessary to secure GM Financial, the captive auto finance subsidiary of General Motors. Reporting directly to the CEO, our Cybersecurity team enjoys unprecedented support to deliver the highest level of security capabilities using cutting edge technologies and automating mundane tasks, allowing our teams to focus on interesting and rewarding security work.
As a part of GM Financial, you'll have the opportunity to work on Cybersecurity projects across financial services, automotive, manufacturing, high-tech, and military industries. We are looking for team players who want the freedom to innovate leading edge capabilities to join our growing Cybersecurity team.
RESPONSIBILITIES
About the Role
The AVP Offensive Security will lead the planning, execution, and oversight of all offensive security initiatives, including advanced threat simulations, penetration testing, and ethical hacking in both physical and digital environments. Collaborating closely with Cybersecurity peers, this role manages a skilled team that fosters innovation while aligning the team's operations with business priorities. By proactively developing attack methodologies and addressing real-world adversary tactics targeting enterprise financial services, the AVP strengthens GM Financial's defenses and ensures the protection of sensitive customer and financial data.
In this role, you will:
Strategic Leadership & Program Management
- Develop and execute a comprehensive offensive security strategy aligned with the company's business goals and risk appetite
- Design and execute advanced threat emulation scenarios, including physical, social, and digital attack vectors
- Collaborate with Cybersecurity peers and partners (i.e. Architecture, Engineering, Operations, Threat Intelligence, and Risk Management) to ensure comprehensive attack coverage and feedback loops
- Lead and mentor a team of offensive security professionals, fostering a culture of innovation, continuous learning, and excellence
- Manage the full lifecycle of offensive security engagements, including scope definition, execution, reporting, and remediation tracking
- Establish and maintain a robust penetration testing program that covers all critical applications, infrastructure, and network components
Technical Execution & Oversight
- Oversee and conduct advanced penetration tests on web applications, mobile applications, APIs, network infrastructure, and physical locations
- Perform vulnerability research and exploit development to identify and test zero-day vulnerabilities in our systems
- Analyze and interpret complex security data to identify trends, emerging threats, and areas for improvement
- Stay current with the latest offensive security tools, techniques, and procedures (TTPs) and apply them to our security assessments
- Conduct Cybersecurity Tabletop exercises and summarize the exercise for senior leadership, including areas of success and opportunities for improvement
Communication & Collaboration
- Communicate complex security risks and findings to both technical and non-technical stakeholders across the organization, including senior leadership
- Integrate the identification and remediation of findings with other Cybersecurity departments, business owners, and information technology partners
- Deliver detailed post-engagement reports with risk-rated findings, proof of concept artifacts, and remediation guidance
- Partner with development, IT, Digital, and business teams to ensure security is integrated into the software development lifecycle (SDLC) and business processes
- Act as a subject matter expert for internal teams on offensive security topics
- Establish and maintain strong partnerships with key peers and groups to ensure the success of the Offensive Security Team through challenging situations, keeping focus on long-term outcomes and results
Reporting Structure:
- Report to: SVP Cybersecurity Architecture & Offensive Security
QUALIFICATIONS
What makes you a dream candidate?
- Extensive experience in network and application penetration testing, red and purple teaming, threat emulation and modeling, and attack path development using MITRE ATT&CK
- Advanced knowledge of internal testing tactics, state-sponsored threat actor techniques, and insider threat behaviors to assess risk from an adversarial perspective
- Advanced knowledge in securing operating systems, databases, applications, and network protocols, including hands-on experience with Windows, UNIX/Linux, SQL, Oracle, and application source code reviews
- Proficient with the common commercial and open-source penetration testing and assessment tools (e.g. Metasploit, Burp Suite, Cobalt Strike, Brute Ratel, etc.)
- Proficient in one or more languages (e.g. Python, Ruby, Perl, Bash, Java, etc.) with experience developing custom exploits
- Ensure operations align with industry regulations and compliance standards such as NIST, CCPA/CPRA, PIPEDA, LGPD, CFPB, GDPA, FFIEC, NYDFS, etc.
- Advanced knowledge of cybersecurity technologies, concepts, methodologies, policies, standards, and best practices
- Excellent interpersonal, written, and verbal communication skills, with the ability to influence senior leaders and employees at all levels.
- Communicates quickly, clearly, concisely, appropriately, and intelligently
- Interpersonal skills necessary to work well independently and with others in teams and collaborative work situations
- Strong leadership skills that include delegation, coaching, training, development, and performance management
- Organization and prioritization abilities
- Ability to lead through influence, inspiration, collaboration, and teamwork
- Ability to apply knowledge, critical thinking, and problem-solving skills in day-to-day problems and solutions
- Ability to demonstrate integrity while successfully managing work demands, pressure, and dealing with confidential and sensitive information
- Ability to manage multiple projects and tasks
- Experience in the financial services or automotive industries is a significant plus
- Continually pursues personal development
Experience
- 12+ years in Cybersecurity or other related fields required
- 5+ years in a dedicated offensive security role including penetration testing, vulnerability management or ethical hacking required
- 5+ years of supervisory and/or leadership experience required
- 5+ years of experience in large and complex business environments with a successful track record of working directly with senior level management required
- High School Diploma or equivalent required
- Bachelor's Degree in Computer Science, Computer Engineering, Information Technology, Information Security, Information Assurance, Information Management or equivalent experience required
- Relevant Cybersecurity certifications are preferred (CISSP, OSCP, OSCE, CRTO, GCTI, GPEN, GWAPT, GXPN, etc.)
What We Offer: Generous benefits package available on day one to include: 401K matching, bonding leave for new parents (12 weeks, 100% paid), tuition assistance, training, GM employee auto discount, community service pay and nine company holidays.
Our Culture: Our team members define and shape our culture. We have an environment that welcomes new ideas, fosters integrity, and creates a sense of community and belonging. Here we do more than work - we thrive.
Compensation: Competitive salary and bonus eligibility; this role is eligible for company vehicle program.
Work Life Balance: Flexible hybrid work environment, 4-days a week in office.
Perks and Benefits
Health and Wellness
- Health Insurance
- Dental Insurance
- Vision Insurance
- Life Insurance
- Short-Term Disability
- Long-Term Disability
- FSA
- FSA With Employer Contribution
- HSA
- HSA With Employer Contribution
- Mental Health Benefits
- Fitness Subsidies
Parental Benefits
- Birth Parent or Maternity Leave
- Non-Birth Parent or Paternity Leave
- Adoption Leave
Work Flexibility
- Remote Work Opportunities
- Hybrid Work Opportunities
Office Life and Perks
- Happy Hours
- Company Outings
- On-Site Cafeteria
- Holiday Events
Vacation and Time Off
- Paid Vacation
- Paid Holidays
- Personal/Sick Days
- Leave of Absence
- Volunteer Time Off
Financial and Retirement
- 401(K) With Company Matching
- Performance Bonus
- Profit Sharing
Professional Development
- Tuition Reimbursement
- Promote From Within
- Mentor Program
- Shadowing Opportunities
- Access to Online Courses
- Lunch and Learns
- Internship Program
- Leadership Training Program
Diversity and Inclusion
- Unconscious Bias Training
- Employee Resource Groups (ERG)