What are the responsibilities and job description for the Lead IT Security Risk Analyst position at SBS Creatix, LLC?
Job Description
Responsibilities:
The Information Security Office has an opportunity for a Lead IT Security Risk Analyst (Analyst 3) within the Governance, Risk and Compliance organization. In this role you will directly influence the organization's security posture, being primarily responsible for performing technical security risk assessments and supporting the security risk management program. A successful candidate will be highly analytical, inquisitive, driven and organized, with a robust, broad technical background; an effective communicator both verbally and in writing; a highly collaborative, adaptable individual who is comfortable dealing with changes based on new information and can translate technical requirements into common terminology; and an individual capable of identifying vulnerabilities and threats, determining the applicability and effectiveness of security controls, and summarizing the result in a straightforward risk story.
As a Lead IT Security Risk Analyst on the GRC team, you will:
- Maintain a thorough understanding of the company’s security policies and capabilities, how varying technologies are in use in the organization, how security controls are implemented, and the stakeholders responsible for them.
- Understand, periodically assess, and communicate external threats and their applicability to the Enterprise Holdings environment. Map threat events to security capabilities and technical controls.
- Perform risk assessments of IT applications, systems, solutions, and environments. Assessments range in scope from focused technical controls and solution design to broad, environment-wide risks.
- Define assessment scope by identifying applicable threat events, systems, and controls.
- Identify, analyze, and provide guidance to help others understand vulnerabilities, how actors could attempt to exploit them, what security controls are applicable to the threat event, the level of protection expected from them, and the potential impact if the risk were to be realized.
- Review network / solution diagrams and system configurations and gather supporting data to validate design and implementation of technical controls.
- Identify Subject Matter Experts and define interview questions to conduct assessments.
- Conduct interviews and adjust the line of questioning, based on information provided and your understanding of the risk.
- Perform analysis and evaluate the current state of controls based on evidence provided.
- Develop and deliver reports and summaries for varying audiences, including executive decision makers.
- Exercise technical leadership that demonstrates self-motivation and drive while providing guidance and specific feedback to help team members strengthen their knowledge, skills, and abilities to accomplish tasks and solve problems.
- Conduct peer reviews, provide subject matter expertise, and mentor others as they conduct risk analysis and assessments.
- Contribute to the development and maintenance of security assessment methodologies and operational processes.
- Apply fundamental cybersecurity and privacy principles (relevant to confidentiality, integrity, availability, authentication, and non-repudiation) to team and department level requirements; apply security policies and frameworks to operational processes.
- Provide subject matter expertise for policy content, intent, and applicability of security requirements.
- Protect our customers, our employees, and our brands by incorporating security and compliance in all decisions and daily job responsibilities; follow security policies and procedures and continuously identify and recommend opportunities for improving security.
Qualifications
Required
- Must be presently authorized to work in the U.S. without a requirement for work authorization sponsorship by our company for this position now or in the future
- Must be committed to incorporating security into all decisions and daily job responsibilities.
- 5 years of related experience; can include any combination of experience in Information Technology and Information Security.
- 5 years of experience in Information Security performing comprehensive technical risk analysis or assessments of IT applications or systems across multiple technology domains.
- Security related certification, such as CISSP, or equivalent breadth and depth of technical knowledge.
- Experience performing threat analysis or assessing control effectiveness related to the following technologies: firewalls, web application firewalls, operating system hardening, server configurations, network infrastructure & design, endpoint and network detection & response tools, and secure application development.
- Knowledge of cybersecurity frameworks including CIS Critical Security Controls and MITRE ATT&CK / D3FEND.
- Excellent problem solving and analytical skills, including the ability to independently define problems, collect data, establish facts, and draw valid conclusions.
- Must be able to work independently with a sense of ownership to accomplish department and project tasks.
- Must be detail oriented, with the ability to organize and prioritize multiple assignments and tasks, ensuring deadlines are met.
- Ability to be flexible and adaptable to changing requirements and responsibilities and deliver high quality results.
- Exceptional communication skills, including ability to communicate in a clear and concise manner.
- Advanced proficiency with Microsoft Excel; proficiency with other Microsoft Office applications including PowerPoint, Word, and Outlook.
Preferred
- Bachelor's degree in Computer Science, Computer Information Systems, or Management Information Systems.
- Working knowledge of assessing cloud computing controls.
- Scripting automation or application programming experience.
- Experience developing security requirements in policy or standards.
- Functional knowledge of productivity, documentation, and collaboration tools such as Jira, SharePoint, and Confluence.
Salary: $120,000 - $140,000