Develops, designs and executes critical aspects of the Enterprise Security Risk Management function. Identifies, analyzes, tracks & reports security risks via maintenance of a security risk register. Partners with the business and technology teams to understand the business technology landscape in order to facilitate discussions based on security risk. Partners with security risk assessment teams to build out risk assessments and manage findings from various security risk assessments to closure.
- Build out and maintain a security risk register that enables security risks to be identified tracked and managed at both a Business Unit & Enterprise level.
- Analyzes results from various security risk and control assessments to aggregate security risks and adjust risk ratings on a periodic basis.
- Provides process governance for findings management.
- Manages security findings from various security risk assessments as well as security findings reported by various business units.
- Communicates security risks with teams across the organization in business-friendly language.
- Mentor/coach and give work direction to Analysts & Sr. Analysts.
- Develops and gives presentations appropriate for senior level audiences.
- Bachelor’s degree or higher with a concentration in computer science, technology, or business, or equivalent combination of education and experience.
- Minimum of 8 years of experience working in security (physical or cyber).
- 3 years of experience with risk assessments, audit or control testing.
- Experience and expertise in security and lifecycle management, auditing methodology, and technology risk assessments.
- Self-starter; adaptable to change; motivated to set personal and program goals and proactively track performance against goals and initiatives.
- Ability to document and explain risks and vulnerabilities to both business and technical stakeholders.
- Ability to influence peers and management; ability to team cross-functionally and form relationships to achieve objectives.
- Solid understanding of information security policies, standards, industry best practices, and framework (ISO 27K, NIST 800-53, FISMA, BITS etc.).
- Strong business acumen with the proven ability to bridge the gap between business and technology.
- Experience with cloud technology