Sr. Security Risk Analyst

Atlanta, GA, United States

ABM Industries

ABM delivers facility solutions with an innovation mindset and dedicated, technology-enabled employees. Contact us to get started!


Responsibilities:

  • Assist in the establishment and development of a Cybersecurity Risk Management (CSRM) program that will bring transparency and visibility to IT and security risks across the enterprise.
  • Assist in the overall identification of the top risks to ABM and what needs to be changed from a control perspective to mitigate those risks.
  • Assist in the categorization of any identified outstanding security risks and provide guidance on prioritization of remediation activities following industry standards and best practices.
  • Maintain and update the IT Security Risk Register with identified risks.
  • Lead the completion of risk assessments on projects, processes, systems, and the full enterprise IT program.
  • Facilitate the risk acceptance process by meeting with key stakeholders and validating that the cybersecurity risk assessment process and framework are being followed.
  • Consult with project and system owners within the Information Technology (IT) organization and the business to identify their most pressing cybersecurity risk issues.
  • Continuously keep up on industry trends, direction, opportunities, threats, and applicability as it pertains to the organization.
  • Assist in the development and implementation of a Third-Party Risk program that supports the ongoing initiatives and new partnerships across the organization.
  • Develop risk scorecards for internal cybersecurity risk and third-party risk. Facilitate the presentation of these scorecards to IT leadership.
  • Establish strong relationships with vendors that support our security risk management efforts.
  • Build a working relationship with procurement and legal to perform risk assessments of contracts or service agreements that the company enters into with third parties.
  • Good working knowledge of a broad range of standards and frameworks, for example NIST Cybersecurity Framework, International Standards Organization (ISO) 27001, IT Infrastructure Library and ISO 20000, Capability Maturity Model Integration and Six Sigma, and related applications or controls.
  • Proven teaming skills to drive completion of organizational objectives.
  • Ability to set and manage priorities judiciously to meet tight deadlines.
  • Ability to present ideas in business-friendly and user-friendly language.
  • Exceptionally self-motivated, directed and detail oriented.
  • Excellent communicator.
  • Performs other job-related duties as assigned.

Required Qualifications:

  • Bachelor’s degree in Business, Information Systems, or related field of academic study.
  • 10+ years of work experience with a minimum of 5 in IT security risk management.
  • Broad working knowledge of NIST Cybersecurity Framework, International Standards Organization (ISO) 27001 and 27002, and overall best business practices associated with IT Security.
  • In-depth knowledge of information security risk concepts and of relating business needs to security controls.
  • Interpersonally effective and comfortable interacting with colleagues, partners and various leaders and managers throughout the organization through relationship building and networking.
  • Demonstrated understanding of and experience with various risk assessment and management methodologies and their accepted use across companies.
  • Knowledge of approaches, tools, and techniques for gaining the cooperation and support of others; ability to encourage, motivate, and guide individuals and teams.
  • Ability to plan initiatives that have both short-term, tactical impact, while also moving the organization forward toward longer-term strategic goals.
  • Multi-task orientation to handle multiple competing tasks at once while remaining flexible to changing requirements and priorities.
  • A metrics and results driven approach and focus to the role.
  • Strong ability to think creatively when approaching issues, strong critical thinking, and problem-solving skills.
  • Must have desire to continuously learn and apply learning in application of day-to-day activities.
  • Exceptionally self-motivated, directed and detail oriented.
  • Ability to establish credibility and working relationships with a wide range of corporate personnel, including operations, management, executive and legal staff as well as external personnel.
  • Excellent communicator who can tailor a message to the audience (e.g., technical conversations vs. leadership conversations).

Preferred Qualifications:

  • One or more of the following certifications in the area of specialty are preferred. Examples include CISSP, CRISC, CISM, GIAC.
  • Preferred: 5+ years of experience in a Cybersecurity Risk Management role.

Tags: CISM CISSP CRISC GIAC IT infrastructure NIST Risk assessment Risk management

Perks/benefits: Career development Flex hours

Region: North America
Country: United States
