Cyber Risk Analyst

About The Position

Requirements

• Experience: 5+ years of relevant experience in Information Security, IT Risk Management, IT Audit, or GRC, with a heavy focus on technology risk.
• GRC Expertise: Deep working knowledge of key GRC concepts, risk assessment methodologies, and industry frameworks (e.g., NIST SP 800-53/CSF, ISO 27001).
• GRC Tooling: Proven, hands-on experience using and configuring modern GRC platforms for risk management, policy management, and compliance automation.
• Technical Proficiency : Experience with IT and Security tools, SaaS / other Cloud technologies and/or software development. Understanding of Security Controls, and cross-discipline cybersecurity, endpoint, network, data, identity, access management, privacy, accessibility, etc. concepts. Clear understanding of foundational Information Protection concepts is required.
• Analytical Skills: Exceptional ability to analyze complex technical vulnerabilities and control failures/gaps, translating them into measurable business risk, with detailed quantitative assessment skills to support findings & recommendations.
• Communication: Excellent written and verbal communication skills, including the ability to communicate technical risk concepts effectively to both technical and executive audiences.
• Certifications: CRISC, CISM, CISA, or similar recognized security and risk management certifications.
• Education: Bachelor’s degree in computer science, Information Security, or a related field.

Nice To Haves

• Experience in configuring and using tools such as Archer, ServiceNow, MetricStream or Vanta preferred.

Responsibilities

• Risk Management Risk Identification & Assessment: Conduct technology risk assessments across new and existing applications, Review submitted risk exception requests, validate technical necessity, evaluate proposed compensating controls, and assign residual risk ratings (High, Medium, Low).
• Documentation: Ensure comprehensive, auditable documentation is maintained for all approved, denied, and conditionally approved exceptions, including mandatory review dates and resolution plans.
• Data Analysis and Modeling : Collect, process, and interpret multiple sources of data to model Cyber Risk scenarios, forecast potential outcomes, and evaluate Cyber Risk exposure. Translate technical findings into clear, measurable business risk statements for audience in multiple disciplines including leadership, customers and technical delivery teams.
• Monitoring: Track risk plan milestones and drive issue management initiating timely follow-ups with Business Owners to ensure our controls are adequate, compliance is assured and overall risk goals are met.
• Remediation Support: Develop mitigation strategies, recommend strategies to reduce, transfer, or avoid identified Cyber Risks - such as implementing new policies, controls, or processes. Collaborate with other teams to define and prioritize remediation efforts based on risk severity and business impact.
• Process improvement: Improve and automate Risk management process, working with the security and risk leadership teams.
• Third party Risk Management (VRM) 3rd party Due Diligence: Perform security assessments of new and existing third-party vendors and service providers, reviewing security attestations (e.g., SOC 2, ISO 27001) and security questionnaires.
• Risk Analysis: Assess incoming compliance artifacts provided by third parties and research external sources to develop comprehensive risk assessments including risk scoring metrics.
• Risk Reporting: Document and communicate inherent and residual risks associated with vendor reliance and data handling practices. Prepare detailed reports, summaries, and presentations for management and stakeholders to communicate findings, recommendations, and trends.
• GRC Automation & Process Improvement Tooling: Utilize and manage the corporate GRC platform and risk management tools to streamline risk workflows, automate control monitoring, and improve reporting efficiency.
• Automation: Identify opportunities to automate manual GRC tasks, specifically integrating risk tracking and control evidence gathering into GRC tools.
• Policy, Compliance & Customer Support Respond to customer, partner or compliance questionnaires related to product security. This will involve Liaoning with product teams and other knowledge sources to maintain a knowledge library, utilizing a combination of AI, manual & automated process to prepare SQ responses according to SLA expectations.
• Standard Maintenance: Support the Risk & InfoSec team in reviewing, updating, and aligning IT Security Policies, Standards, and Procedures with regulatory requirements and industry best practices.
• Audit Readiness: Assist in gathering evidence and documentation required for internal and external security audits and compliance reviews. Stay updated with industry trends, regulatory changes, and compliance standards to ensure the organization adheres to all legal and regulatory requirements