Principal, Cybersecurity Risk

Fidelity, Jersey City, NJ

About The Position

The Enterprise Cybersecurity Risk (ECS Cyber Risk) team is seeking an experienced Principal-level risk professional to lead in the creation of cyber risk analysis pertaining to ECS. The candidate will understand current and emerging cybersecurity risks and determine key risk scenarios for the ECS Product Areas. The candidate will participate in risk / threat modeling sessions to prioritize top risks. The candidate will advise on both exceptions and audit finding risk levels to drive down the number of exceptions and accurately risk rate audit findings. The candidate will quantify cyber risk and present analyses at the technical and executive level that will allow senior management to make informed decisions based on resulting risk data.

The ECS Cyber Risk team provides cybersecurity risk analyses pertaining to existing and emerging risk scenarios and communicates these risks to appropriate ECS technical teams and senior leadership. This team focuses on identifying, measuring, prioritizing, and reporting on cyber risk scenarios and will work both independently and across business units and technology teams to assist senior management with informed decisions and directions in strategy to either maintain the course or, if needed, change direction.

Requirements

  • Minimum 3-5 years of risk experience quantifying cyber risk scenarios and presenting data in a meaningful and insightful way to senior leaders.
  • Demonstrated experience in cybersecurity risk management, assessment frameworks, and metrics reporting.
  • Experience managing projects end-to-end, from initial stages of acquiring data from multiple sources and subject matter experts to the tracking, maintenance, and closure of a project, with proven ability to integrate data into risk analysis tools and communicate progress effectively across multiple lines and levels.
  • Use and understanding of governance, risk, and compliance tools.
  • Advanced understanding of NIST 800-53 Cybersecurity Framework, Cybersecurity Risk Institute (CRI), and FAIR.
  • Effective communication and excellent presentation skills to senior leaders.
  • Ability to deep dive into metrics that will both (1) quantify the work being done and (2) quantify how cyber risk position has improved.
  • Critical thinking skills to ask detailed questions and fully vet answers to uncover discrepancies and gaps others may not have found are a must.
  • Ability to work across business lines to influence change and help mitigate cyber risk.
  • Intermediate understanding of risks pertaining to the following: cloud security, access controls, encryption, vendor security, data exfiltration, application security, perimeter security, customer protection, privileged access, denial of service, unpatched vulnerabilities, and end of life software.
  • Ability to operate in a fast-paced environment and complete analyses quickly and accurately, integrating new cybersecurity data into risk models as it emerges.
  • Possess an investigator mindset to deep dive into metrics to understand and communicate actionable risk to business and technology groups.

Nice To Haves

  • CRISC, CISSP, or CISM certifications are preferred.

Responsibilities

  • Lead in the creation of cyber risk analysis pertaining to ECS.
  • Understand current and emerging cybersecurity risks and determine key risk scenarios for the ECS Product Areas.
  • Participate in risk / threat modeling sessions to prioritize top risks.
  • Advise on both exceptions and audit finding risk levels to drive down the number of exceptions and accurately risk rate audit findings.
  • Quantify cyber risk and present analyses at the technical and executive level.
  • Determine the appropriate controls for cybersecurity risks.
  • Work with asset inventory and asset management.
  • Evaluate multiple sources, reports, and industry trends to compare risk-related findings to existing ECS policies and uncover gaps and opportunities for process improvement.
  • Determine what, who, and where changes are warranted to close gaps, working with appropriate contacts to draft policy enhancements and ensure continued progress.

Benefits

  • Comprehensive health care coverage
  • Emotional well-being support
  • Market-leading retirement
  • Generous paid time off
  • Parental leave
  • Charitable giving employee match program
  • Educational assistance including student loan repayment
  • Tuition reimbursement
  • Learning resources to develop your career