Position Overview
As a Senior Manager, Vulnerability Management and Application Security, you will lead CarMax’s enterprise vulnerability management and application security programs and serve as a trusted subject matter expert responsible for strengthening the organization’s security posture. You will mentor and guide a high-performing team, streamline processes, optimize program operations, and deliver actionable insights that influence decision-making across all levels, including executive leadership. This role is ideal for a collaborative, results-driven leader with a passion for building effective programs and improving the security, resilience, and reliability of technology environments and software delivery practices.
Why CarMax?
At CarMax, we are the nation’s largest retailer of used cars with stores from coast to coast, and we are still growing. We’re rethinking the way people buy cars – and it’s our associates that help us do just that. We believe work should feel meaningful and rewarding, with opportunities to make an impact every day. This is where innovation meets passion – be inspired and supported to take us to the future.
Team Overview
The Vulnerability Management and Application Security team guides enterprise strategy for identifying, analyzing, and prioritizing remediation of risks across CarMax’s systems, infrastructure, and applications. As the Senior Manager, you will shape program strategy, strengthen integration with cybersecurity and engineering partners, and enable teams to build and operate secure technology through clear communication, effective governance, thorough reporting, and trusted leadership.
Role Responsibilities
Oversee and continuously improve the enterprise vulnerability management and application security programs, ensuring effective alignment of processes, tools, and assessments.
Develop and manage program roadmaps, budgets, and priorities for security assessments across infrastructure, networks, cloud services, and applications.
Create and deliver executive-ready reporting with clear documentation, risk insights, program metrics, and prioritized mitigation recommendations.
Define and maintain vulnerability management and application security standards, SLAs, and governance practices in partnership with cybersecurity and technology leaders.
Lead risk-based remediation prioritization and ensure consistent progress across infrastructure, engineering, and product teams and partners.
Coordinate and communicate responses to emerging threats, zero-day vulnerabilities, and critical application security findings to drive timely remediation.
Lead the application security program, including secure development lifecycle practices, application security testing, and risk-based remediation strategies.
Partner with engineering, architecture, and product teams to embed security requirements, threat modeling, code scanning, and security reviews into the software development lifecycle – foster a culture of security.
Mature application security capabilities such as SAST, DAST, software composition analysis, secrets detection, and security testing for internally developed and third-party applications.
Provide guidance on secure coding practices, common vulnerabilities, and remediation approaches.
Adapt to and apply technology innovation, including AI, across the role and the program as a whole.
Adapt the team and programs to the ever-changing threat and regulatory landscape.
Required Qualifications
8+ years of cybersecurity experience with emphasis on vulnerability management, application security, risk analysis, and security assessment practices.
5+ years of experience designing, implementing, or supporting secure information systems and application security practices.
3+ years in a security leadership or management role guiding teams or programs.
One or more certifications such as CISA, CISM, CEH, CISSP, or a GIAC (SANS) certification.
Experience with enterprise security technologies and application security tooling such as vulnerability scanners, SAST, DAST, software composition analysis, SIEM platforms, and network devices such as firewalls, IDS/IPS, routers, and switches.
Strong ability to analyze complex security findings, communicate risk clearly to diverse audiences, and drive remediation across infrastructure, engineering, and business teams or partners.
Bachelor’s Degree in a technology-related field or equivalent experience in Cybersecurity and Risk Management, preferred.
Work Location and Arrangement: This role will be based out of the CarMax Home Office in Richmond, VA and Associates will work onsite 4 days per week.
Work Authorization: Applicants must be currently authorized to work in the United States on a full-time basis. Sponsorship will not be considered for this specific role.
About CarMax
At CarMax, we revolutionized the used car buying experience over 30 years ago by introducing transparency and integrity into the process. Our commitment to customer experience, innovation, and community has made us the nation’s largest used car retailer. With over 250 store locations and over 30,000 associates, we are proud to have been recognized as one of the Fortune 100 Best Companies to Work For® and are committed to helping our communities thrive.
As an associate, you are part of an innovative movement to empower the modern customer and drive progress. Your work fuels change—sparking ideas, overcoming challenges, and shaping what’s next. Join us in creating a better future– for our company, our customers, and the communities we call home.
CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, protected veteran status, disability status, or any other characteristic protected by law.
Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.