Security Risk & Controls Engineer

Coastal Community Bank, Everett, WA
Remote

About The Position

About Us

Coastal is at the forefront of modern banking, combining strong financial infrastructure with cutting-edge Banking-as-a-Service (BaaS) and fintech enablement strategies. We support individuals with their personal banking needs, and we also empower businesses by integrating modern banking technology that drives growth, flexibility, and innovation. At Coastal, we think and move like entrepreneurs, focused on impact, speed, and continuous improvement. We believe in working smart, collaborating deeply, and building solutions that unlock real potential. If you're someone who thrives in a fast-moving environment, loves solving complex problems, and wants to help shape the future of banking, we'd love to meet you.

Overview

The Cybersecurity Risk & Controls Engineer owns the day-to-day health of Coastal's Security Program. You will define and maintain our enterprise control baseline aligned to the CRI Profile and the FFIEC IT Examination Handbooks, work with control owners to implement automated, policy-aligned control processes, drive the Security Program Calendar so that time-bound and cyclical controls occur on schedule, perform and automate internal control testing, and drive continuous control monitoring across the cloud, identity, network, endpoint, data, and application domains. This role blends hands-on technical capability with classic GRC rigor. You'll partner with Security Engineering, IT, Business Lines, Risk, Internal Audit, and Compliance to translate regulatory expectations into auditable, automated, and durable controls that reduce risk and enable the business.

Requirements

  • Demonstrated ability to operationalize FFIEC IT Handbooks and the CRI Profile into practical, auditable controls and testing procedures.
  • Hands-on skill implementing proactive controls and automating control testing/evidence collection using APIs, various languages (Python, TypeScript, Bash, and/or PowerShell), and data pipelines/dashboards.
  • Familiarity with Azure/Microsoft 365/Entra, Okta, Windows/Linux, networks, CI/CD, vulnerability management, EDR, logging/SIEM, and data protection.
  • Experience with GRC platforms and workflow/ticketing systems.
  • Strong understanding of FFIEC IT Examination Handbooks, NIST CSF, NIST SP 800-53, GLBA, SOX, and PCI DSS and ability to map and rationalize overlapping requirements.
  • Excellent written/oral communication with proven ability to influence cross-functional teams and present to management and auditors.
  • Bias for automation and measurable outcomes; comfortable in fast-moving, high-accountability settings.
  • 8+ years in Cybersecurity Risk, Governance, Compliance, Security Operations, and/or risk engineering. Experience in regulated industries, especially financial services, strongly preferred.
  • Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or related field; equivalent experience considered.

Nice To Haves

  • Certifications preferred: CRISC, CISA, CISSP, CISM, CCSK/CCSP, AZ-500 (or comparable).

Responsibilities

Control Baseline & Governance

  • Define, document, and maintain the enterprise control library mapped to the CRI Profile and the FFIEC IT Examination Handbooks, aligning with GLBA, SOX, and PCI DSS where applicable.
  • Author and maintain control narratives, RACI, evidence requirements, testing procedures, and control objectives. Manage associated control versioning and approvals.
  • Work with technical control owners to implement processes and automations that are aligned to written controls, policies, and standards.

Security Program Operations

  • Own the Security Program Calendar to ensure cyclical controls occur on schedule (e.g., user access reviews, network security reviews, vulnerability & configuration scanning, DR/BCP tests, incident response tabletop exercises, vendor re-assessments, policy reviews).
  • Track status, remove blockers, and escalate slippage risk for both cyclical/scheduled and continuously operating controls. Maintain related reporting and KRIs/KPIs (on-time completion, pass rate, repeat findings).
  • Capture and curate complete, audit-ready evidence with chain of custody using an automation-first approach.

Internal Control Testing, Continuous Monitoring, & Automation

  • Plan and execute Test of Design (TOD) and Test of Operating Effectiveness (TOE): walkthroughs, sampling, re-performance, and result documentation with clear workpapers.
  • Partner with Security Engineering and IT to embed "policy as code" and guardrails (e.g., identity, configuration, network segmentation, logging/monitoring). Own implementation of policy-as-code and other proactive automations wherever possible.
  • Automate evidence collection and control testing via APIs/queries/scripts (e.g., Azure/Microsoft 365/Entra, Okta, Intune, GitHub, CI/CD, endpoint protection, vulnerability management, ticketing/GRC platforms).
  • Implement quality checks for completeness, accuracy, and timeliness of evidence.

Risk Assessment & Issues Management

  • Perform targeted cyber/IT risk assessments (technology changes, third parties, products) and recommend compensating controls with clear residual-risk statements.
  • Log, track, and validate remediation of issues and control gaps. Verify sustainable fixes and prevent recurrence by updating baselines, standards, and automation.

Regulatory Exams, Audits & Reviews

  • Coordinate, prepare, and run responses to Internal Audit activities, regulatory examinations, independent audits, and customer/partner due diligence.
  • Produce concise, defensible narratives, control maps, and evidence packages. Coordinate requests and brief stakeholders.

Metrics, Reporting & Enablement

  • Publish program health dashboards, KRIs/KPIs, and control maturity assessments to Enterprise Risk Management and to management and risk committees.
  • Coach control owners on expectations, testing methods, and evidence hygiene.
  • Promote a culture of control excellence and continuous improvement.

Operational Support

  • Assist in root-cause analysis for control failures and security events; drive durable corrective actions into standards, IaC/policy-as-code, and Security Program Operations.
  • Maintain clear documentation (runbooks, playbooks, standards, FAQs) and contribute to security awareness content.
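The testing and automation responsibilities above (re-performing a cyclical control from raw evidence, scoring the evidence for completeness, accuracy, and timeliness, and feeding on-time and pass-rate KPIs back to the program calendar) are easier to picture with a concrete control test. The following is an added illustration, not code from Coastal or from any of the named platforms: it re-performs a quarterly privileged-access review against a constructed directory snapshot and a constructed ticketing export. The record fields (`user`, `reviewer`, `decision`, `completed`, `ticket`) and the five-day grace window are assumptions standing in for whatever an Entra/Okta API and a GRC export actually return.

```python
"""Automated test of a quarterly privileged-access review control.

Added example (not Coastal's code). DIRECTORY_SNAPSHOT and REVIEW_EVIDENCE
are constructed stand-ins for an identity-provider API response and a
ticketing/GRC export; their field names are assumptions. The test
re-performs the control, scores it on completeness, accuracy and
timeliness, emits the KPIs a program calendar would track, and records a
digest of the evidence for the workpaper's chain of custody.
"""
import hashlib
import json
from datetime import date, timedelta

VALID_DECISIONS = {"retain", "remove"}

# Constructed directory snapshot at test time (stand-in for an IdP API call).
DIRECTORY_SNAPSHOT = [
    {"user": "alice", "privileged": True, "enabled": True},
    {"user": "bob", "privileged": True, "enabled": True},
    {"user": "carol", "privileged": True, "enabled": True},   # "remove" decided, still enabled
    {"user": "dave", "privileged": True, "enabled": True},    # never reviewed
    {"user": "erin", "privileged": False, "enabled": True},   # not privileged: out of scope
]

# Constructed review evidence (stand-in for a ticketing/GRC export).
REVIEW_EVIDENCE = [
    {"user": "alice", "reviewer": "mgr1", "decision": "retain", "completed": "2024-03-28", "ticket": "SEC-101"},
    {"user": "bob", "reviewer": "bob", "decision": "retain", "completed": "2024-03-29", "ticket": "SEC-102"},
    {"user": "carol", "reviewer": "mgr1", "decision": "remove", "completed": "2024-04-09", "ticket": "SEC-103"},
]


def evidence_digest(records):
    """SHA-256 over the canonical JSON form of the evidence, kept in the
    workpaper so a later reviewer can show the sample was not altered."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def run_access_review_test(directory, evidence, period_end, grace_days=5):
    """Re-perform the access review; return findings, KPIs and evidence digest.

    period_end is an ISO date string. A review is on time when completed no
    later than period_end + grace_days (the grace window is an assumption).
    Every finding names the quality dimension it fails so repeat findings
    can be trended across periods.
    """
    due = date.fromisoformat(period_end) + timedelta(days=grace_days)
    in_scope = {a["user"]: a for a in directory if a["privileged"]}
    findings = []

    def flag(check, user, detail):
        findings.append({"check": check, "user": user, "detail": detail})

    reviews = {}
    for rec in evidence:
        user = rec["user"]
        if user in reviews:
            flag("accuracy", user, "duplicate review record %s" % rec["ticket"])
            continue
        if user not in in_scope:
            flag("accuracy", user, "review record for an out-of-scope account")
            continue
        reviews[user] = rec

    # Completeness: every in-scope (privileged) account needs a review record.
    for user in sorted(in_scope):
        if user not in reviews:
            flag("completeness", user, "no review record for privileged account")

    on_time = 0
    for user in sorted(reviews):
        rec = reviews[user]
        # Accuracy: valid decision, no self-review, and "remove" actually enforced.
        if rec["decision"] not in VALID_DECISIONS:
            flag("accuracy", user, "invalid decision %r" % rec["decision"])
        if rec["reviewer"] == user:
            flag("accuracy", user, "self-review in %s" % rec["ticket"])
        if rec["decision"] == "remove" and in_scope[user]["enabled"]:
            flag("accuracy", user, "removal decided but account still enabled")
        # Timeliness: completed within the period plus the grace window.
        completed = date.fromisoformat(rec["completed"])
        if completed > due:
            flag("timeliness", user, "completed %s, due %s" % (completed, due))
        else:
            on_time += 1

    kpis = {
        "in_scope": len(in_scope),
        "reviewed": len(reviews),
        "on_time": on_time,
        "coverage": round(len(reviews) / len(in_scope), 4) if in_scope else 1.0,
        "on_time_rate": round(on_time / len(in_scope), 4) if in_scope else 1.0,
        "passed": not findings,
    }
    return {"due": due.isoformat(), "findings": findings, "kpis": kpis,
            "evidence_sha256": evidence_digest(evidence)}


if __name__ == "__main__":
    print(json.dumps(run_access_review_test(DIRECTORY_SNAPSHOT, REVIEW_EVIDENCE, "2024-03-31"), indent=2))
```

Run against the constructed data, the test raises four findings (dave was never reviewed, bob reviewed himself, carol's removal was decided but not enforced, and carol's review landed after the due date) and reports 75% coverage with a 50% on-time rate. The point of re-performing from the directory snapshot rather than trusting the ticket export alone is that a "remove" decision with no corresponding disable is exactly the kind of gap a sampled walkthrough misses; checking it on every run turns a periodic TOE into continuous monitoring.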

Benefits

  • Medical Coverage: Choose from three competitive medical plans to find the coverage that best fits your needs and lifestyle.
  • Health Savings Account (HSA): Available with eligible medical plans, offering tax advantages and employer contributions.
  • Flexible Spending Accounts (FSA): Options for healthcare and dependent care expenses to help you save on out-of-pocket costs.
  • Dental and Vision Insurance: Plans to keep you and your family smiling and seeing clearly.
  • Life Insurance: Company-paid basic life insurance with options to purchase additional coverage for yourself and your dependents.
  • Long-Term (LTD)/Short-Term Disability (STD): Income protection in the event of a short- or long-term illness or injury.
  • Supplemental Benefits: Including Hospital Indemnity, Accident Insurance, and Critical Illness coverage to provide extra financial support when you need it most.
  • 401(k) Retirement Plan: A competitive retirement savings plan with company matching to help you plan for the future.
  • Paid Time Off: Generous vacation and sick leave policies to support your time away from work.
  • Holidays: Enjoy 11 paid holidays throughout the year.
© 2024 Teal Labs, Inc