
Head of Attack Surface Management
Job Description
Job Description
Are You Ready to Make It Happen at Mondelēz International?
Join our Mission to Lead the Future of Snacking. Make It Uniquely Yours.
You work with the information security team as a competent and experienced information security and compliance leader.
How you will contribute
You will assess information security risks in line with internal policies and external best practices and determine requirements how to secure Mondelēz International information and IT assets. In addition, you will develop security standards and policies; advise technical teams when developing relevant procedures or have operational security questions; review and consulting them on compliant and effective use of common tools. You will also keep business stakeholders apprised on the overall security and compliance roadmap, provide training on information security to appropriate teams, and develop security strategies, architectures and roadmaps across process and technologies.
What you will bring
A desire to drive your future and accelerate your career. You will bring experience and knowledge in:
- Information security, compliance and risk management
- Understanding security solutions and their applicability to Mondelēz International
- Developing security strategies, awareness campaigns, policies/standards, and governance
- Communicating effectively with technical specialists, leaders and peers
- Commercially astute
- Leadership and people management skills
About the Role
As a Fortune 100 global consumer packaged goods company operating across dozens of markets, our attack surface spans complex multi-cloud environments, global manufacturing and supply chain infrastructure, thousands of applications, and an increasingly interconnected OT/IoT ecosystem. The Head of Attack Surface Management is a critical senior leadership role responsible for unifying our exposure management capabilities into a single, accountable function that delivers continuous visibility, risk-based prioritization, and measurable reduction of our enterprise attack surface.
This leader will own the strategy, execution, and maturation of four integrated disciplines—Cloud Security Posture Management, Vulnerability Management, Offensive Security, and Application Security—ensuring they operate as a cohesive program. The successful candidate will combine deep technical expertise with executive presence, translating complex exposure data into business risk language that drives action at the highest levels of the organization.
This role is an exceptional opportunity to shape and lead a critical security function at one of the world's largest consumer packaged goods companies, protecting a brand portfolio trusted by billions of consumers globally.
Key Responsibilities
Strategic Leadership & Program Ownership
- Own the end-to-end attack surface management strategy, roadmap, and operating model, aligning priorities to enterprise risk appetite and business objectives across a global CPG environment.
- Establish unified standards for exposure scoring, risk-based prioritization, and SLA enforcement across all four disciplines.
- Own the exposure management platform and tooling strategy, including build-vs-buy decisions, vendor consolidation, and integration architecture to deliver a single pane of glass for enterprise risk posture.
- Build and present executive-level reporting on attack surface risk, remediation velocity, and residual exposure to the CISO, executive leadership, and Board-level audiences.
Cloud Security Posture Management (CSPM)
- Drive cloud security posture management across multi-cloud environments (AWS, Azure, GCP), including misconfiguration detection, IAM entitlement risk analysis, and policy enforcement at scale.
- Partner with cloud engineering and DevOps teams to embed preventive guardrails, IaC policies, and automated remediation, operating within the organization's Product and Platform model.
- Ensure continuous compliance monitoring against regulatory frameworks across all cloud workloads, including containers, serverless, and managed services.
Vulnerability Management
- Lead enterprise vulnerability management covering infrastructure, endpoints, network devices, and OT/IoT environments across global manufacturing and supply chain operations.
- Establish and enforce scanning cadence, risk-based patching SLAs, exception governance, and escalation paths for aged or critical findings.
- Own data quality, asset attribution, and integration between scanning platforms, CMDB, ticketing systems, and risk dashboards.
Offensive Security
- Direct the offensive security function, including internal red team operations, penetration testing, purple team exercises, and adversary simulation aligned to real-world threat actor TTPs.
- Ensure offensive findings feed directly into the vulnerability and remediation pipeline with clear SLAs, validating detection and response effectiveness with the SOC and detection engineering teams.
Application Security
- Own application security across the entire SDLC, including SAST, DAST, SCA, secrets detection, container scanning, IaC security, and API security testing.
- Partner with engineering and product leadership to embed security into CI/CD pipelines and shift remediation left, aligning AppSec as a platform capability for product teams.
Team Leadership & Vendor Management
- Build, lead, and develop a high-performing team of managers and senior individual contributors across all four disciplines, including hiring, performance management, and succession planning.
- Manage vendor relationships and commercial negotiations for scanning, ASM, CSPM, AppSec, and offensive security tooling, driving consolidation and value optimization.
- Foster a culture of collaboration and continuous improvement, ensuring the team operates as an enabling platform service to internal product and platform partners.
Required Qualifications
- 12+ years in cybersecurity with progressive leadership experience, including 5+ years managing multi-disciplinary security teams at a senior manager or director level.
- Demonstrated ownership of at least two of the four core disciplines (CSPM, Vulnerability Management, Offensive Security, Application Security) at a program level—including strategy, budget, staffing, and executive reporting.
- Experience operating within a Product and Platform operating model, delivering security capabilities as platform services that enable product teams to move fast and securely.
- Strong working knowledge of cloud architecture and cloud-native security controls across AWS, Azure, and/or GCP in complex multi-cloud environments.
- Hands-on experience with enterprise vulnerability management platforms (e.g., Tenable, Rapid7, Qualys), CSPM tools (e.g., Wiz, Prisma Cloud, Orca), and AppSec tooling (e.g., Snyk, Checkmarx, Veracode).
- Familiarity with NIST CSF, MITRE ATT&CK, OWASP Top 10, CIS Controls, and CVE/CVSS/EPSS scoring methodologies.
- Proven ability to communicate complex technical risk to non-technical executive audiences and drive cross-functional remediation accountability.
- Bachelor's degree in Computer Science, Cybersecurity, Engineering, or related field—or equivalent professional experience.
- Relevant certifications preferred: CISSP, OSCP, GPEN, GXPN, CISM, or equivalent.
Preferred Qualifications
- Experience in a large, global enterprise environment, ideally within CPG, manufacturing, retail, or industries with complex supply chain and OT/IoT environments.
- Track record of presenting cyber risk posture to executive leadership and Board of Directors, including translating exposure metrics into financial risk quantification.
- Demonstrated success consolidating fragmented security functions into a unified exposure management program with measurable risk reduction outcomes.
- Experience with CAASM/EASM platforms and risk-based prioritization frameworks beyond raw CVSS scoring (e.g., EPSS, business context enrichment, asset criticality weighting).
- Experience operating in regulated environments across SOX, GDPR, FDA, PCI-DSS, or equivalent frameworks.
- MBA or advanced degree in a relevant field is a plus.
Additional Information
- Reports To: Chief Information Security Officer (CISO)
- Work Schedule: standard working hours (Mon-Fri). This is a remote position; candidate must be located in the UK.
- This is a full-time position with permanent contract.
- Travel requirements: candidate must have availability for travelling according to business needs.



No Relocation support available
Business Unit Summary
At Mondelēz International, our purpose is to empower people to snack right by offering the right snack, for the right moment, made the right way. That means delivering a broad range of delicious, high-quality snacks that nourish life's moments, made with sustainable ingredients and packaging that consumers can feel good about.
We have a rich portfolio of strong brands globally and locally including many household names such as Oreo, belVita and LU biscuits; Cadbury Dairy Milk, Milka and Toblerone chocolate; Sour Patch Kids candy and Trident gum. We are proud to hold the top position globally in biscuits, chocolate and candy and the second top position in gum.
Our 80,000 makers and bakers are located in more than 80 countries and we sell our products in over 150 countries around the world. Our people are energized for growth and critical to us living our purpose and values. We are a diverse community that can make things happen—and happen fast.
Mondelēz International is an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, gender, sexual orientation or preference, gender identity, national origin, disability status, protected veteran status, or any other characteristic protected by law.
Job Type
Regular
Information Security
Technology & Digital
Company benefits
Working at Mondelēz International
Company employees:
Gender diversity (m:f):
Hiring in countries
Austria
Belgium
Brazil
Bulgaria
Croatia
Czechia
Finland
France
Georgia
Germany
Greece
Hungary
India
Awards & Accreditations
Other jobs you might like
Head of Platform Security
Welwyn Garden City, UK
#2 MOST INCLUSIVE COMPANYSecurity Engineering Manager - Workplace Technology
Welwyn Garden City, UK



