Senior Risk Analyst, Information Security and Technology Risk

About The Position

Requirements

• College or university certificate/diploma/degree in Computer Science, Business, Information Systems/Technology, Cyber Security or related fields.
• Minimum five (5) years’ combined experience in technical GRC, IT architecture/engineering and/or cyber-security roles demonstrating work experience with cyber security processes and controls or equivalent experience in a first- or second-line role.
• Strong knowledge of some information security domains, which may include GRC (risk assessment governance, processes and technologies), identity and access management, security architecture/engineering, DevSecOps, cloud security, business continuity and disaster recovery, and security operations.
• Knowledge of information technology domains including enterprise architecture (COBIT, TOGAF or SABSA), cloud computing (GCP) and networking.
• Knowledge of AI/ML concepts including machine learning algorithms/models, deep learning concepts (i.e. neural networks, large language models, etc.), AI governance (i.e. NIST AI Risk Management Framework, Cloud Security Alliance AI Controls Matrix, etc.) and AI regulatory landscapes.
• Knowledge of industry security frameworks, standards, laws, regulations including PIPEDA, NIST/CSE, SOC 2, and/or ISO 27001.
• Strong communication skills, to effectively brief leadership on risk analysis outcomes to facilitate risk-informed decision-making.
• Cross-functional stakeholder management skills, essential for guiding projects and initiatives to comply with risk lifecycle management requirements.
• Eligibility to obtain and maintain a Government of Canada Reliability Status Clearance and can successfully complete enhanced background checks that may be carried out by Payments Canada.

Nice To Haves

• Information security certifications, both GRC or technical practitioner focused, are assets including those offered by EC-Council, GIAC/SANS, ISACA or ISC2.
• Information technology certifications are considered assets including TOGAF or cloud/technology specific practitioner certifications.
• AI risk/safety certifications are assets including AAIR, CAISR, RAI, AIGP or TAISE.

Responsibilities

• Executing and managing information security and technology focused risk assessments for payment systems, enterprise technologies, and third parties.
• Challenging first-line risk inputs and reporting on risk trends to senior leadership.
• Supporting the continuous improvement of risk assessment methodologies and processes.
• Accountable for executing information security and technology risk assessments for payment systems, complex enterprise technologies, and third-parties using established methodologies and frameworks.
• Responsible for the quality and integrity of risk assessments and associated lifecycle management, ensuring risks are accurately documented with actionable treatment plans.
• Conducts targeted assessments when high inherent risks and/or new strategic threats are identified and mentors junior staff and cross-functional stakeholders on methodology and tooling.
• Provides review and challenge over the first-line (1LOD) risk management activities such as identified mitigation strategies and control effectiveness or when there are deviations from standards and policies.
• Ensures overall risks and treatments are appropriately right-sized and escalates issues to leadership as necessary.
• Supports the development of reporting and conducts briefs for senior leadership and external stakeholders on systemic, emerging, and trend-based risks.
• Serve as a conduit between the operational risk level and the enterprise risk level.
• Executes risk assessments using established methods and frameworks to ensure the integrity of risk lifecycle management activities.
• Contributes to the ISTR team’s consistent quality output and refined risk analysis by conducting peer reviews of assessments.
• Supports the continuous improvement of methodologies, templates, and processes by providing direct feedback on their effectiveness and by collaborating cross-functionally to drive operational process improvements.

Benefits

• Flexible, hybrid (remote/office) environment.
• Competitive compensation package, including annual variable bonus and defined contribution pension plan with employer matching percentage (if eligible).
• Comprehensive health and dental benefit coverage, including mental health coverage, life insurance and a health spending account for you and your dependents (Permanent and temporary employees with contracts 12 months and over).
• Paid time off: minimum four weeks paid vacation, sick and personal days, December holiday shutdown and cultural holiday observance days.
• 26 weeks of paid maternity and parental leave top-up (if eligible).
• Rewards and recognition program.
• Access to office gym facilities.
• Internal and external professional development opportunities.
• Fun team and organizational events.
• Monthly all staff forums led by our Executive Leadership Team.