Information Security Lead Analyst

Westfield Center, OH, United States

Westfield

Trust Westfield for insurance. Offering innovative and reliable coverage for businesses, home and auto, farms, and more.


Job Summary:

The Information Security Lead Analyst is a seasoned professional who works independently with limited supervision and has responsibility within the enterprise Information Security program. This role works closely with Information Technology, Enterprise Risk Management (ERM), Legal, Human Resources, Audit & Compliance, and Procurement to ensure appropriate controls are in place to manage risk. This role also helps ensure compliance with Information Security Policy, Standards, and Guidelines and with regulatory frameworks (NIST CSF, CIS, FFIEC, NYDFS, and data privacy regulations).

The Information Security Lead Analyst is expected to be a subject matter expert (SME) in Information Security risk, with advanced knowledge of risk management strategies, frameworks, operations, and related areas. The Lead Analyst is expected to be proficient in, and have advanced knowledge of, managing third-party information security risk. The Lead Analyst is expected to have advanced knowledge of Information Technology and Information Security terminology, concepts, practices, and requirements. The Lead Analyst is expected to be proficient with governance, policies, standards, exceptions, education, training and awareness, and compliance initiatives.

The Lead Analyst is not expected to be a people leader but is expected to lead programs and/or initiatives, guiding work from resources and coordinating with stakeholders. The Lead Analyst is expected to exhibit advanced critical thinking, problem-solving, and solutioning skills with attention to detail and collaboration with peers and stakeholders.

Job Responsibilities:

  • Working independently or with minimal supervision, is responsible for supporting, providing oversight, and/or leading a program function in any of the following areas:
    • Information Security Operations
    • Information Security GRC
      • Risk Management
      • Vendor Information Security Risk Management
      • Information Security Education, Training, and Awareness (SETA)
      • Enterprise governance (policy, standards, guidelines, program maturity, etc.)
      • Compliance (legal, contractual, regulatory, etc.)
  • Design and administer security compliance assessments on new and existing systems, processes, and technology.
  • Design, build, and establish enterprise security policies, standards and guidelines.
  • Build and administer controls assessments and determine adequacy, appropriateness, and effectiveness.
  • Responsible for working on and resolving complex information security issues utilizing a high degree of integrity and trust.
  • Responsible for supporting and/or leading the Vendor InfoSec Risk Management effort. This includes defining and monitoring the security risk profiles of third-party vendors and identifying appropriate risk management activities.
  • Design and perform risk assessments, gap analysis, and management of a Risk Register.
  • Able to function as a Subject Matter Expert (SME) for internal and external security audit and compliance efforts.
  • Promotes a strong security culture throughout the organization.
    • Maintains knowledge of best practice security frameworks, industry-recognized information technology control standards, and other industry resources and translates them into educational formats.
    • Acts as a security risk management ambassador to internal customers.
    • Actively participates and leads in security related planning meetings, project teams and workgroups.
    • Develops, leads, coordinates, and presents security education training and awareness program materials.
    • Trains and onboards new employees on GRC roles and responsibilities.
  • Supports leadership in establishing and maintaining security metrics and reporting.
  • Researches IT security issues and products.
  • Develops and manages internal GRC projects and initiatives.
  • Stays informed on developing regulatory and industry requirements and information security trends.
  • Travels occasionally to participate in special assignments, training, and/or travel between office locations.


Job Qualifications:

  • 7+ years of information security experience
  • Bachelor’s degree in computer science, information technology, security, a related field, or equivalent work experience.

Licenses and Certifications:

  • Must hold one or more industry recognized certifications, such as: Security+, Network+, CISSP, CRISC, CISA, CCSK, etc.


Behavioral Competencies:

  • Collaborates
  • Communicates Effectively
  • Customer Focus
  • Decision Quality
  • Nimble Learning
  • Builds Effective Teams
  • Business Insight
  • Develops Talent
  • Directs Work
  • Ensures Accountability
  • Manages Complexity
  • Drives Vision and Purpose
  • Strategic Mindset


Technical Skills:

  • Network Security
  • Incident Response
  • Security Monitoring
  • Vulnerability Management
  • Threat Intelligence
  • Identity Management
  • Encryption Techniques
  • Security Assessments
  • Troubleshooting
  • Dynamic Application Security Testing
  • Data Security

Region: North America
Country: United States
