Cybersecurity Application Risk Assessment Analyst, Lead

About The Position

Requirements

• 3–7+ years of experience in cybersecurity risk assessments, IT risk management, control testing, audit, or information security.
• Strong technical understanding of: Identity and Access Management (IAM) Authentication and authorization controls (MFA, SSO) Logging and security monitoring Encryption standards and key management Application security fundamentals
• Experience identifying control deficiencies and driving remediation efforts across cross-functional teams.
• Working knowledge of cybersecurity frameworks and regulations such as, NIST Cybersecurity Framework (CSF), NYDFS 23 NYCRR 500, CIS Controls, SOC 2.
• Experience preparing documentation suitable for regulatory and audit review.
• Strong analytical and critical thinking skills with the ability to assess technical risk within a business context.
• Excellent written and verbal communication skills, including the ability to explain cyber risk to non-technical stakeholders.
• Ability to manage multiple assessments simultaneously in a structured and organized manner.

Responsibilities

• Perform comprehensive cybersecurity risk assessments of applications in accordance with a defined risk-based assessment schedule.
• Validate that security controls are appropriately designed and implemented in alignment with assigned risk ratings.
• Identify control gaps and partner with technology, identity and access management, infrastructure, and business teams to develop and implement remediation plans.
• Evaluate and assess controls related to: Identity and Access Management (IAM), including MFA, SSO, privileged access, role-based access controls, and access certifications Logging, monitoring, and audit trail capabilities Encryption in transit and at rest
• Communicate risk findings and recommendations to stakeholders at varying levels of technical expertise, including senior leadership.
• Contribute to continuous improvement of the application risk assessment methodology, tooling, metrics, and reporting.
• Develop and maintain metrics to measure program effectiveness and risk trends.
• Prepare clear, defensible, and audit-ready risk documentation suitable for regulatory review (e.g., NYDFS, NIST, SOC 2).
• Support internal and external audits by providing evidence, documentation, and subject matter expertise.
• Maintain application risk assessment program procedures and documentation.
• Stay current on evolving cyber threats, regulatory expectations, and industry best practices.

Benefits

• Health and wellbeing options including medical, prescription, dental, vision, hearing, accident, hospital indemnity, and life insurances
• Up to 4% matching 401(k)
• Employee Stock Purchase Plan (10% share discount)
• Tuition reimbursement
• Paid time off (15 days’ vacation per year, plus 2 personal days, prorated based on start date)
• Paid sick leave as determined by state or local ordinance, prorated based on start date
• Paid holidays (7 days per year, based on start date)
• Paid volunteer time (3 days per year, prorated based on start date)