Cybersecurity - Risk Analyst

About The Position

Requirements

• 5 to 10 years of information system/cybersecurity risk and control management experience, including risk identification and analysis, response and remediation
• Relevant certification desired: CISA, CISM, CISSP, CIA, CIPP, or related
• Practical experience of assessing risks associated with third-party suppliers and reviewing assurance documents relating to security and IT controls provided by third parties (e.g. ISO 27001, SOC2 certifications, etc.)
• Practical experience of managing an IT exception handling process
• Ability to influence and engage with risk owners, and senior management
• Ability to adapt quickly to changing priorities and demands
• Demonstrate good learning attitude and attention to detail
• Good communication skills, team player and a continuous improvement mindset
• Ability to communicate in a clear, concise, and persuasive manner to all levels of audience
• University degree in computer science, management information system, business administration or a related field of study required
• At least 5 years experience in deployment or support of application software implementing systems and modules with experience of multiple full lifecycle implementations

Nice To Haves

• Working knowledge and/or hands on experience with information security policy, procedures and standard development and improvement
• Experience with GRC (Governance, Risk and Compliance) tools such as OneTrust, ServiceNow, Archer is considered an asset

Responsibilities

• Maintain and improve the third-party risk management framework, which includes the supplier security onboarding, ongoing monitoring and offboarding requirements
• Support the activities of the second line of defense (2LoD), monitoring the organization's operational risks and escalating any concerns about control weaknesses or exposures that exceed agreed business risk tolerance limits
• Work with risk owners to ensure that operational risk templates and procedures are implemented correctly (e.g. providing training, advocating, socializing, coaching, etc.)
• Support the cybersecurity exception handling process, including the objective review of the risk owner progress to achieve compliance with SITA policies and standards
• Support risk management KPIs/KRIs identification, trends analysis and reporting
• Document key findings, analysis, and recommendations in clear and concise reports for both technical and non-technical stakeholders
• Act as a challenger to the first line by validating the adequacy and effectiveness of controls
• Oversee and guide the first line's activities while ensuring that risks are properly identified, assessed, and mitigated
• Develop and maintain an overarching cybersecurity risk management framework (processes, methods, and tools), provide constructive feedback and recommendations for improvement
• Support compliance with legal, regulatory, and industry standards (e.g., ISO 27001, NIS2), including supporting regulatory reporting and audits by providing accurate and timely risk information
• Facilitate risk record communication, quality, completeness between the first and second lines of defense by leveraging established risk templates, risk rating criteria and intersects
• Navigate and work effectively across a complex, geographically dispersed organization
• Promote a culture of risk awareness and share responsibility across the organization
• Gather, manage and analyze requirements to design new application changes for own areas of responsibility ensuring sufficient effort is made to promote 'vanilla' functionality
• Assist in and take ownership of estimates developed by less experienced staff and/or offshore providers
• Coordinate the delivery testing and support of application changes related to own area of responsibility
• Ensure quality solutions are delivered to business users on time and budget
• Contribute to the development of application and process best practices and using a consultative approach gets buy-in from all stakeholders

Benefits

• Flex Week: Work from home up to 2 days/week (depending on your team's needs)
• Flex Day: Make your workday suit your life and plans
• Flex-Location: Take up to 30 days a year to work from any location in the world
• Employee Wellbeing: Employee Assistance Program (EAP) for you and your dependents 24/7, 365 days/year
• Professional Development: Training platforms, including LinkedIn Learning
• Competitive Benefits: Competitive benefits that make sense with both your local market and employment status