Cybersecurity Analyst - Governance, Risk, and Compliance (GRC)

About The Position

Requirements

• Bachelor's Degree in Computer Science, Information Technology, or equivalent relevant work experience.
• 4+ years' experience in Information Security, Cyber Security, or relevant roles.
• 2+ years' experience managing Governance, Risk, and Compliance of an organization with a complex Information Technology environment.
• Proven experience in cybersecurity awareness program design and delivery, including phishing simulations and behavioral risk reduction strategies
• Strong communication and content development skills to engage non-technical audiences effectively
• Strong understanding of security contract management and legal requirements.
• Ability to implement global regulatory requirements surrounding data security & privacy (e.g., GDPR, CCPA, CRPA etc.).
• Understanding of relevant cybersecurity regulations and agencies pertinent to utility environments.
• General understanding of cyber security operations functions, in areas such as incident response, security monitoring, threat and vulnerability, SOC and SOC service.
• General knowledge of OT network infrastructure, SCADA/DCS systems, data/communication systems, and management systems.
• General knowledge of security software architecture/programing concepts and security integration into SDLC.
• Ability to manage a diverse technical workforce in multiple locations; ability to coach.
• Personal drive and energy level to achieve superior results individually and through others.

Nice To Haves

• Bilingual in Spanish/English is a plus
• Knowledge of adult learning principles and experience leveraging e-learning platforms or gamified training tool
• Hands-on experience of enterprise GRC tools (e.g., ServiceNow, Archer etc.).
• Standard certifications in Information Security (CISSP, CISM, CISA, or equivalent)
• Technical certifications (GRC related e.g. ISACA CRISC)

Responsibilities

• Supports the implementation of the governance & risk frameworks, policy creation & management, IT control management, and security audits & assessments️.
• Manages issues and corrective actions plans identified in risk assessments through closure.
• Reviews cybersecurity clauses in contracts, applicability criteria, exceptions requests and mitigating controls in accordance with company policies and industry standards.
• Conducts SOC II reviews and audits.
• Monitors Cyber Threat Intelligence resources (such as Sempra, CISA, FBI, and others).
• Proposes and implements innovative ways to establish adequate controls, optimize risk management, and improve continuous monitoring.
• Coordinates cybersecurity assessments (such as maturity, risk, and penetration testing).
• Develops and monitors cybersecurity KRIs and KPIs.
• Increases the level of maturity in risk management and controls.
• Designs, implements, and manages a comprehensive Cybersecurity Awareness Program, including phishing simulations, threat education campaigns, and targeted training for high-risk roles.
• Develops engaging content (videos, newsletters, infographics) to promote security best practices and reduce social engineering risks.
• Coordinates Cybersecurity Ambassadors Community and champions cultural change initiatives across business units.
• Acts as the primary point of contact for awareness-related metrics and reporting to leadership, ensuring visibility into human risk trends and program effectiveness.
• Maintains good operational relationships with 3rd party risk assessment managed service providers to perform risk assessments, develop mitigation plans, and ensure appropriate service levels.
• Ensures team works closely with System Engineers to implement security controls and patches based on capability and need.
• Contacts and coordinates vendor, carrier, and remote support when necessary to resolve high-impact security issues.
• Document problems and report to management, engineers and/or peers.
• Performs other duties as assigned (no more than 5% of duties).