Team Lead - Vulnerability Management

What you'll do

• Lead the Vulnerability Management team, ensuring alignment with Xero’s security engineering and risk management strategy.
• Partner with the Security Product Team to develop and deliver the team roadmap, embedding security throughout Xero's software development lifecycle.
• Support the complete vulnerability management process, including discovery, risk assessment, triage, remediation coordination, and reporting.
• Build scalable, automated processes for vulnerability scanning and detection across infrastructure, cloud environments, and applications.
• Drive risk-based prioritisation of vulnerabilities using contextual threat intelligence, asset criticality, and exploitability data.
• Partner with engineering, platform, and product teams to ensure timely and effective remediation, removing roadblocks and supporting decision-making.
• Implement metrics and dashboards that provide real-time visibility of security posture, vulnerability trends, and remediation progress.
• Evaluate and integrate security tooling such as vulnerability scanners, container/image security tools, infrastructure-as-code scanning, and runtime security platforms.
• Continuously improve team processes to reduce response time, improve consistency, and align with evolving threats and compliance obligations.
• Lead and grow a high-performing team by coaching, mentoring, and connecting their work directly to Xero's strategic goals.
• Provide clarity of direction and individual growth by supporting goal setting and development opportunities.
• Champion a culture of shared responsibility for security across the broader engineering organisation.
• Empower your team to operate with autonomy, make decisions, and take ownership of their work.
• Act as a role model for values-led leadership, promoting Xero’s values in every aspect of work.
• Collaborate closely with leaders across Security, Engineering, and Platform to strengthen alignment, ways of working, and delivery rhythm.

Success looks like

• Your team owns and operates a modern, effective vulnerability management function that reduces risk and enables delivery.
• Delivers timely, risk-informed insights on vulnerabilities and remediation progress to engineering and leadership teams.
• Maintains high-quality data and visibility on vulnerabilities across all relevant systems and platforms.
• Successfully embeds automated scanning and vulnerability detection into CI/CD pipelines and runtime environments.
• Builds strong, trusted relationships with engineering teams, enabling consistent and predictable remediation cycles.
• Your reports understand how their work contributes to reducing risk and improving Xero’s overall security posture.
• Feel empowered to lead, experiment, and grow supported by strong coaching and a values-led culture.
• Continuously build their security expertise through on-the-job learning, stretch projects, and mentoring.
• Are recognised and celebrated for their contributions, while also receiving honest feedback to grow.
• Collaborate proactively across teams, breaking silos and championing shared security ownership.
• Clearly understand how their work contributes to Xero’s security and business success.
• Clearly understand their areas of development and their personal growth. Feel supported in their career growth and technical development.

What you'll bring with you

• Strong domain expertise in vulnerability management, detection engineering, or security operations.
• Experience operating or leading a vulnerability management program at scale, preferably in a cloud-native or SaaS environment.
• Familiarity with security tooling such as Qualys, Tenable, Wiz, or similar; and integration into CI/CD and DevOps workflows.
• Coaching and mentoring – utilising software delivery, technical experience and expertise, offering the right knowledge, at the right time in the right way – understanding why and how people learn.
• Growth mindset – understanding that competency is not fixed but is enhanced through dedication and hard work. Demonstrating a love of learning and resilience to adversity that is essential for great accomplishment.
• High EQ – self-aware, self-regulated, motivated and empathetic, with great interpersonal skills.
• Leading and living the vision and values – building and fostering an inclusive and positive team culture. Keeping the team’s vision and values at the forefront of decision-making. Communicating and helping others understand the importance of the vision and values. Translating the vision and values into day-to-day activities and behaviors.
• People leadership – demonstrating honesty and integrity. Providing clear objectives, guiding career development and fostering an inclusive environment that promotes psychological safety and teamwork. Clearly communicating expectations. Having an open mind and the flexibility to change opinions. Developing and supporting others.
• Teamwork – working with peers and stakeholders to establish an overall collaborative relationship.
• Outstanding communication and time management skills.
• Good understanding of vulnerability types (CVE/CWE), risk prioritisation (e.g., CVSS, EPSS), and remediation strategies.
• Hands-on experience with infrastructure, cloud platforms (e.g., AWS, GCP), containerisation, and related security concerns.
• Proven track record of leading teams to deliver high-quality engineering initiatives in a fast-paced environment, leveraging lean-agile techniques, while managing competing priorities and ensuring alignment with strategic goals.
• Excellent grasp of modern software delivery practices and life cycle.
• Proven ability to balance the needs of the individual with the needs of the business.
• Strong stakeholder management skills, with the ability to influence without authority and align security priorities with business needs.
• Passion for developer enablement, making security accessible and empowering engineers to write secure code.