Sr. Analyst, Cybersecurity

CarMax, Richmond, VA
Onsite

About The Position

CarMax is seeking a Senior Technology/Information Risk Analyst to play a key role in enhancing its Cybersecurity program. This position offers a unique opportunity to work at a Fortune 200 company and national brand, expanding skills and influencing a growing Information Risk Management Program. The role involves working with Technology teams to effectively manage information risk, perform risk assessments, and collaborate with senior risk management and technology professionals. Responsibilities include designing and facilitating cybersecurity risk assessments for existing technology and new business areas, supporting the information risk management framework, identifying risks, developing mitigation recommendations, managing information security policies, and assisting with the company-wide information security awareness program, including the annual Information Security Training.

Requirements

  • Bachelor's degree in Business/Computer Science/Information Systems with IT audit, risk or compliance experience or equivalent military experience.
  • Industry certification required, e.g. Certified in Risk and Information Systems Control (CRISC), or in the process of obtaining the CRISC, CISA, CISM, BCBP, CIA, PCI, CISSP.
  • Knowledge of information security and risk management industry frameworks and standards such as NIST, COSO, OWASP, ISO 27001/27002, SANS, COBIT, and ITIL.
  • 5+ years working experience with enterprise and technology risk management programs, privacy, data security and control issues with technologies.
  • Previous working experience and/or knowledge of two or more security functions (IT Risk Assessor, QSA, Security Specialist, IT Auditor).
  • Ability to understand the business requirements as well as provide a proposal of the appropriate information risk resolution to computer threats.
  • Ability to understand the business processes supported across all team’s environments.
  • Understanding of key compliance regulations such as Sarbanes-Oxley, GLBA, HIPAA, CFPB, and Payment Card Industry (PCI), plus external cybersecurity and privacy regulations.
  • Experience in execution of an enterprise and technology risk framework, including the identification, assessment, and mitigation of risk: understanding how to balance the company’s risk appetite and its overall impact.
  • Understanding of network controls, cloud controls, user administration, authentication methods, file permissions, groups, and domain concepts.
  • Demonstrated ability to compare alternative information security risk approaches and methodologies while assessing risk both quantitatively and qualitatively to meet the business needs.
  • Excellent communication skills to include but not limited to verbal and written communication; delivering organized presentations; able to tailor message to the audience; and facilitate group discussions with diplomacy and seek diverse opinions.
  • Excellent analytical, troubleshooting, and problem-solving skills, and the ability to perform well in fast-paced, high-pressure, or stressful situations.
  • Ability to learn the business processes implemented in the team's applications.
  • Demonstrated flexibility.
  • Proven ability to effectively communicate remediation and prevention approaches via leading practices.
  • Ability to help develop and deliver information security awareness training and business understanding for business partners, engineers, developers, and analysts.
  • Ability to drive through obstacles and time constraints to successfully deliver to completion.
  • Dedication and commitment to world class service and to exceeding customer expectations.
  • Desire to learn and keep current with technology and emerging technology risk trends.
  • Possess strong organization and time management skills.
  • Demonstrated flexibility in a fast paced and agile environment.
  • Expertise solving technical problems and presenting solutions which impact all areas of their team’s systems environments.
  • Excellent analytical, troubleshooting, and problem-solving skills.
  • Ability to evaluate long term impacts when making recommendations and decisions.
  • Applicants must be currently authorized to work in the United States on a full-time basis.

Nice To Haves

  • In-depth technical knowledge, serving as the subject matter expert in technology governance, risk management, compliance, and audit requirements.
  • Experience in the areas highlighted below.
  • Ability to help design and implement industry standard technology risk management practices across the enterprise.
  • Champion the information risk management methodology by demonstrating ownership of the design aspects of the operations lifecycle.
  • Passionate about support & ownership of threat areas of Cybersecurity.
  • Driver of security awareness type activities with proven results.

Responsibilities

  • Support, execute, and maintain a framework for information risk management, including validation, weighting, and classification methods.
  • Perform information security risk assessments, understanding threats, vulnerabilities, and exposures related to the confidentiality, integrity, and availability of information.
  • Help develop related processes and procedures to ensure and enforce compliance with company policies, applicable laws, and regulatory requirements regarding information security, privacy, and data integrity, as well as reducing vulnerabilities.
  • Assist with the development and delivery of information security risk-related training and awareness programs.
  • Assist with analysis of security vulnerabilities, developing risk-based business recommendations.
  • Administer governance, risk, and compliance systems and processes owned by the department.
  • Assist in the preparation of accurate and timely communications of risks, recommendations, and conclusions, as well as evaluating management mitigation plans.
  • Assist in developing automated risk assessment tools and processes.
  • Gather data, conduct analyses, and prepare related risk reporting.
  • Exhibit ownership, follow-through, initiative, awareness, and effective communication with peers and management.
  • Ability to speak to details of information risk management.
  • Help design and implement industry-standard technology risk management practices across the enterprise.
  • Champion the information risk management methodology by demonstrating ownership of the design aspects of the operations lifecycle.
  • Support and ownership of threat areas of Cybersecurity.
  • Understand the level of risks and exposure as it relates to systems, services, and networks.
  • Drive security awareness type activities with proven results.
  • Understand business requirements and provide proposals for appropriate information risk resolution to computer threats.
  • Understand business processes supported across all team's environments.
  • Compare alternative information security risk approaches and methodologies while assessing risk both quantitatively and qualitatively to meet business needs.
  • Communicate remediation and prevention approaches via leading practices.
  • Help develop and deliver information security awareness training and business understanding for business partners, engineers, developers, and analysts.
  • Drive through obstacles and time constraints to successfully deliver to completion.
  • Evaluate long-term impacts when making recommendations and decisions.

Benefits

  • CarMax is recognized for its commitment to training and diversity and is one of the FORTUNE 100 Best Companies to Work For®.
  • CarMax is committed to bringing together people from different backgrounds and perspectives, providing employees with a safe, welcoming, and inclusive work environment.
  • CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, gen
  • Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.