We are looking for:
A Security Risk Analyst to ensure transparency, due diligence, and deliberate actions regarding both cyber and physical security risks which could cause life-safety, financial, regulatory, or reputational harm to the Company. Due to the complex and rapidly evolving nature of cyber and physical security risks, this role requires the candidate to be agile, think conceptually, communicate effectively, build partnerships, navigate tough, often politically driven, company issues and negotiate with stakeholders a mutually acceptable outcome.
With an emphasis on quality and continuous improvement, the major responsibilities of this role include:
Design and operate Risk Management governance processes
Ensure vendor contracts comply with Security requirements
Facilitate the planned and unplanned review of Security policies and act as a liaison to the Company’s Enterprise Risk Management function.
Establish effective working relationships with various stakeholders; including IT and lines of business throughout the Company.
Customer service oriented; act as a partner and leverage documented processes and standards to provide our internal customers with direction on a secure and pragmatic path to achieve all stakeholders’ objectives.
Excellent written and oral communication skills; candidate must be confident communicating with stakeholders at various levels of the organization, including c-suite.
We encourage you to apply if you have the following (an equivalent combination of education and experience will also be considered):
At least 2 years of combined work experience focused in either information security or business management disciplines.
A bachelor’s degree preferably in an Information Technology field.
Relevant certifications (CISA, CISM, CISSP, etc.) preferred but not required.
In this role, you will:
General:
Establish cross-team working relationships with key stakeholders both inside and outside of the Security Organization.
Develop, document, operate and continuously improve key risk management processes, including but not limited to: Vendor/Third-Party Risk Management, Enterprise Risk Management, Security Policy Governance, Oversight of Security Risks, and exception processes.
Develop and track key performance metrics on Security risk to be consumed by various levels of management, including company officers.
Administration and primary power user of the Security risk register application.
Act as the Security liaison to complete the annual cyber insurance application process.
In alignment with leadership and stakeholders, develop and implement a multi-year capability roadmap for the Security risk management function.
Vendor/Third Party Risk Management
Partner with supply chain, relevant business partners and stakeholders to ensure that both the objectives of Security's contract/vendor risk management process and the business objectives are met.
In coordination with stakeholders (including Security, Supply Chain and Legal), establish and maintain Security contract language requirements.
Engage in contract negotiations with vendors to ensure Security contract requirements are included and where there is disagreement, negotiate the most favorable position for the Company.
When possible, use discretion and, when necessary, consult with Security subject matter experts, contract requirement owners and leadership to ensure Security objectives are met for contracts.
Establish and maintain an exception process to ensure that, where contract requirements cannot be met, the proper approvals and visibility are given to these exceptions.
Risk Management Governance
Collaborate with stakeholders on all risk-related activities of the Security organization, including reporting, remediation planning, testing/validation, and recommending appropriate mitigation measures.
Monitor the legal and regulatory environment for developments that could require changes to the Company’s risk posture, including policies and practices.
Research and apply national standards, regulations, technical cyber issues and diverse corporate requirements.
Provide oversight, monitoring and reporting of risk mitigation activities relating to security risk assessments.
At the direction of Security leadership and stakeholders, ensure mitigation plans are developed, documented, and implemented by risk owners.
Train and coach stakeholders and business units on risk management processes and methodology to enable them to properly assess the risk of the business initiatives (including technology projects).
Enterprise Risk Management
Act as the Security organization liaison to the Enterprise Risk Management group by ensuring changes to the ERM methodology are propagated to key Security stakeholders.
Facilitate the annual Enterprise Risk Mapping process by collaborating with subject matter experts on enterprise cyber and physical risks and mitigating circumstances, using the information obtained to quantify and qualify the level of risk to the company.
Policy Governance
Maintain Security Privacy policies, processes, and standards in accordance with established frameworks.
Monitor and report on non-compliance.
Work with Security Leadership, policy owners, technical teams, and Corporate Compliance department on policy compliance issues.
Jacksonville, FL
CMS Energy Corporation’s business strategy is focused primarily on its principal subsidiary, Consumers Energy Company, Michigan’s largest electric and natural gas utility, serving 6.7 million of the state’s 10 million residents. With our subsidiary, CMS Enterprises Company, we are also engaged in independent power generation in several states. Our business also includes EnerBank® USA, which specializes in providing unsecured home improvement payment option programs for homeowners through nationwide dealer networks.
Consumers Energy provides electric service to 1.8 million customers in 62 of Michigan’s Lower Peninsula counties. Among the largest cities served are Battle Creek, Bay City, Cadillac, Flint, Grand Rapids, Jackson, Kalamazoo, Midland, Muskegon and Saginaw.
In addition to the generating plants that produce the majority of electricity for customers, Consumers Energy is a leader in developing renewable energy in Michigan. Its Green Generation™ initiative is the largest renewable energy program in Michigan.
Consumers Energy provides natural gas service for heating and other uses to nearly 1.8 million customers in 54 of the 68 counties in Michigan's Lower Peninsula. It serves an area that spans 13,000 square miles and includes 215 cities and villages. Among the largest areas served are Bay City, Flint, Jackson, Kalamazoo, Lansing, Macomb, Midland, Royal Oak, Saginaw and Livonia. More than one-half of the utility's gas customers are in metro Detroit.
The company has one of the largest underground natural gas storage capacities in the country. This allows the company to economically purchase and store gas during warm months, for eventual use in the winter heating season.