Information Security Risk Analyst
About The Position
The Security Risk Analyst supports the organization’s cybersecurity program by identifying, analyzing, and tracking technology and business risks. This role plays a key part in enabling risk-informed decisions, ensuring that cybersecurity threats are assessed and mitigated in alignment with internal policies and regulatory frameworks. This role is eligible for our Flex Persona. For candidates local to our Boston, MA and Hingham MA offices. Blue Cross Blue Shield of Massachusetts (BCBSMA) is looking for a Security Risk Analyst to join the Cybersecurity Governance and Assurance Team. The Security Risk Analyst supports the organization’s Cybersecurity program by assisting in maintaining its information security and compliance posture. This involves: Supporting governance, risk management, and control assurance activities. Enabling risk-informed decisions under the direction of senior security professionals Ensuring that cybersecurity threats are assessed and mitigated in accordance with internal policies and regulatory frameworks.
Requirements
- Education: Bachelors in Cybersecurity, Information Systems, or Risk Management.
- Experience: 2–5 years in cybersecurity, risk analysis, or compliance
- Detailed-oriented with strong sense of accountability
- Eagerness to learn information security and governance practices
- Ability to analyze complex data, identify patterns, and assess risks.
- Ability to communicate (written & verbal) and collaborate with various business partners to manage enterprise security risks.
Nice To Haves
- Certifications: CRISC, CISA, or Security+ preferred
- Tools Knowledge: Archer, LogicGate, ServiceNow GRC, RiskRecon, Splunk, Tenable, Excel/Power BI
Responsibilities
- Cyber Risk Assessments: Conduct risk assessments on applications, systems, business processes, and third parties using structured methodologies (e.g., NIST 800-30, FAIR).
- Risk Register Maintenance: Document and track identified risks, vulnerabilities, and findings in the security risk register with appropriate severity and ownership.
- Threat and Vulnerability Correlation: Collaborate with threat intelligence and vulnerability management teams to map technical exposures to business risks.
- Risk Scoring and Reporting: Use qualitative and quantitative risk models to assess likelihood and impact; support risk dashboards and executive summaries.
- Residual Risk Analysis: Work with system and control owners to evaluate control gaps, proposed mitigation plans, and residual risk acceptances.
- Business Impact Analysis (BIA) Support: Contribute to BIAs by identifying cybersecurity risks affecting mission-critical business functions and services.
- Security Consultation: Participate in project and change review processes to identify and advise on emerging risks before go-live (e.g., cloud migrations, new vendors).
- Policy & Framework Mapping: Assist in mapping identified risks to NIST CSF, HIPAA, ISO 27001, and other frameworks to ensure controls are adequate.
- Support for Internal/External Audits: Provide risk documentation and evidence in support of internal audit and external compliance obligations (e.g., SOC 2, HITRUST).
- Risk Review Coordination: Facilitate recurring risk review meetings with IT, business units, and security leadership to track and update mitigation efforts.
Benefits
- comprehensive package of benefits including paid time off, medical/dental/vision insurance, 401(k), and a suite of well-being benefits to eligible employees
Stand Out From the Crowd
Upload your resume and get instant feedback on how well it matches this job.
What This Job Offers
Job Type
Full-time
Career Level
Mid Level
