Corporate Information Security Risk & Vulnerability Analyst

Glacier Bancorp, Inc.
Bozeman, MT
Hybrid

About The Position

The Risk and Vulnerability Analyst I supports the organization’s security risk and vulnerability management efforts. This role assists with identifying, analyzing, and tracking security vulnerabilities and risk exceptions, while contributing to the organization’s compliance with regulatory and industry frameworks such as GLBA, NIST, and CIS Critical Security Controls (CIS CSC). The Analyst I collaborates with IT teams, supports the CIS CSAT process, and helps maintain the vulnerability management program. This position reports to the Risk and Vulnerability Manager and plays a key role in executing foundational tasks, conducting data analysis, and contributing to broader governance initiatives.

This is a Corporate position which may be located in an available bank division across our nine-state footprint in AZ, CO, ID, MT, NV, TX, UT, WA, or WY.

The entry rate for this position is $34.14 + / hour (calculated for Kalispell, MT). All compensation offers are analyzed individually and take into consideration multiple factors including but not limited to geographic location, years of experience, and educational background.

WA Applicants ONLY: Spokane, WA range $38.14 to $57.20 an hour. Wenatchee, WA $38.66 to $58.01 an hour.

Requirements

  • High School Diploma / GED
  • 1 year of hands-on experience with vulnerability scanning tools (e.g., Qualys, Tenable, Rapid7).
  • 1 year of experience in supporting and executing tasks within a vulnerability management program, particularly in financial or other regulated industries.
  • Beginner-level experience collaborating with IT teams to ensure timely patching of security vulnerabilities across diverse environments.
  • Beginner-level experience working with regulatory compliance and security frameworks (e.g., CIS, NIST, ISO 27001).
  • Beginner-level experience developing and presenting security reports, dashboards, and metrics to leadership and stakeholders.
  • One entry-level certification such as: CompTIA Security+ or GIAC Security Essentials (GSEC).
  • Vulnerability Management & Risk Analysis: Proficiency with scanning tools (e.g., Qualys, Nessus), CVSS scoring, TruRisk, QDS, and remediation tracking.
  • Security Frameworks & Compliance: Knowledge of CIS Controls, NIST 800-53, FFIEC, and regulatory requirements for financial institutions.
  • Patch & Remediation Coordination: Experience working with IT teams to implement security patches and mitigate risks.
  • Threat Intelligence & Risk Assessment: Ability to analyze emerging threats, assess business impact, and prioritize vulnerabilities accordingly.
  • Reporting & Metrics: Strong skills in interpreting scan results, generating executive reports, and tracking key risk indicators (KRIs).
  • Cross-Team Collaboration: Work effectively with IT, development, compliance, and vendors to ensure vulnerabilities are addressed.
  • Security Awareness & Training: Educate teams on secure configurations and vulnerability mitigation best practices.
  • Policy & Procedure Development: Ability to draft and maintain security policies, standards, and guidelines.
  • Project Management & Organization: Ability to track multiple remediation efforts, meet SLAs, and ensure timely risk resolution.
  • Communication & Leadership: Clearly convey technical security risks to non-technical stakeholders and support continuous program improvements.
  • Requires a proactive and analytical approach to security, working closely with technical teams to drive improvements in risk mitigation while ensuring compliance with internal policies and external regulations.
  • Employee must be capable of regular, reliable, and timely attendance.

Nice To Haves

  • Bachelor’s Degree in Information Technology (preferably in Information Assurance or Information Security) or related field.
  • 1 year of experience conducting security risk assessments and providing mitigation recommendations.
  • GIAC Critical Controls Certification (GCCC)
  • One or more of the following advanced certifications: CISSP (ISC2), CISM (ISACA), CISA (ISACA), CRISC (ISACA), CGRC (ISC2)

Responsibilities

  • Assist in the scanning, identification, and tracking of vulnerabilities. Help analyze scan results, document findings, and follow up with IT teams to ensure timely remediation aligned with security policy and SLAs.
  • Assist in the tracking and documentation of vulnerability and configuration exceptions, audit findings, and policy deviations. Verify false positives and assist in maintaining exception records through their lifecycle.
  • Assist in the administration of the CIS Critical Security Controls Self-Assessment Tool. Help gather evidence, track assessment progress, and support control improvement planning.
  • Track remediation progress for open vulnerabilities, risk exceptions, and audit items. Work with the Risk and Vulnerability Manager to prepare status updates and monitor compliance timelines.
  • Maintain spreadsheets, dashboards, and other reporting tools to summarize key risk indicators (KRIs), scan results, and remediation trends. Assist with preparing reports for management review.

Benefits

  • medical
  • dental
  • vision
  • life insurance
  • health savings account option
  • Employee Assistance Program (EAP)
  • health rewards program
  • retirement savings plan
  • 401(k)
  • Profit-Sharing plans
  • short and long-term disability benefits
  • education and training benefits
  • discounts on banking products and services
  • Paid Time Off (PTO) plan
  • paid holidays