Risk Specialist 2 or 3

State of Montana, Helena, MT
Hybrid

About The Position

State Information Technology Services Division is seeking an experienced Risk Specialist to support the centralized cybersecurity organization by executing cybersecurity risk management processes, conducting risk assessments, documenting risk conditions, maintaining risk documentation, evaluating control effectiveness, and helping customers translate technical findings into actionable treatment decisions under established guidance. The position works across a federated state environment to help assess risk, maintain risk records, registers, and reports, support policy and compliance alignment, and provide practical guidance that references statewide standards while considering agency business needs. The role requires strong analytical ability, willingness to learn, and the ability to communicate risk in plain language to technical, operational, and business stakeholders.

Requirements

  • Associate degree in Cybersecurity, Information Technology, Business, Public Administration, or a related field; AND 2 years of experience in cybersecurity risk management, information security, compliance, audit, security assessment, or a closely related field (Specialist 2)
  • Associate degree in Cybersecurity, Information Technology, Information Assurance, Business, Public Administration, or a related field; AND 4 years of experience in cybersecurity risk management, information security, compliance, audit, security assessment, or a closely related field (Specialist 3)
  • Knowledge of cybersecurity risk management frameworks and standards, including NIST RMF, NIST SP 800-30, NIST SP 800-37, NIST SP 800-53, NIST CSF 2.0, and their practical application in a state government environment
  • Knowledge of information technology (IT) cybersecurity principles and methods such as confidentiality, integrity, availability, authentication, authorization, accountability, encryption, configuration, etc.
  • Knowledge of common cyber threats, vulnerabilities, attack vectors, and how technical issues translate into business, mission, legal, and reputational impact
  • Knowledge of information technology platforms, including hardware, software, network, data storage, cloud service virtualization, security, end-user platforms, etc.
  • Skill in planning and executing structured risk assessments, including asset identification, threat and vulnerability analysis, likelihood and impact estimation, and residual risk determination
  • Skill in evaluating the design and effectiveness of security controls and interpreting assessment, audit, and scan results
  • Skill in leading complex risk assessments, including multisystem and cross-agency scenarios, and resolving conflicting stakeholder perspectives
  • Skill in using GRC platforms, vulnerability management tools, spreadsheets, and ticketing systems to document and track risk work
  • Ability to communicate risk in plain language
  • Ability to operate effectively in a federated state environment, balancing centralized standards with agency autonomy and relationship management

Nice To Haves

  • Bachelor's degree in Cybersecurity, Information Technology, Information Assurance, Business, Public Administration, or a related field
  • Advanced cybersecurity certifications such as CRISC, CISA, CISM, CISSP, etc.

Responsibilities

  • Executing cybersecurity risk management processes
  • Conducting risk assessments
  • Documenting risk conditions
  • Maintaining risk documentation
  • Evaluating control effectiveness
  • Helping customers translate technical findings into actionable treatment decisions
  • Assessing risk across a federated state environment
  • Maintaining risk records, registers, and reports
  • Supporting policy and compliance alignment
  • Providing practical guidance that references statewide standards while considering agency business needs
  • Leading risk assessments, complex control assessments, or audits (Specialist 3)
  • Communicating risk in plain language, including providing clear explanation of scenarios, likelihood, impact, and treatment options
  • Exercising independent, expert judgment in ambiguous and high-impact situations, including advising on risk acceptance when standards and precedents are limited
  • Identifying control gaps, inconsistencies, and emerging issues in complex technical, procedural, and architectural documentation
  • Mentoring, coaching, and providing informal leadership to team members in risk techniques, documentation standards, and stakeholder communication
  • Operating effectively in a federated state environment, balancing centralized standards with agency autonomy and relationship management

Benefits

  • Work/life Balance
  • Health Coverage
  • Retirement plans
  • Paid Vacation and Sick Leave and Holidays
  • Public Service Loan Forgiveness (PSLF)