· Lead technical information risk and security assessments of organizational processes and controls so that results accurately reflect the associated organizational risk against internal and external security requirements. Interface directly with technical application security and security engineering teams to refine the established approach for managing information security risks.
· Analyze, review, monitor, and reassess the adequacy of information security controls across the organization. Work with GRC leadership to manage risks to an acceptable level.
· Execute technical risk assessments using the NIST SP 800-30 methodology against a variety of organizational units, business entities, technologies, data centers, etc. Summarize and present the residual risks identified by assessments to an executive-level audience.
· Perform security audits, internal security assessments, risk assessments, and support the management of independent external security audits.
· Document risk and security assessment results in an existing GRC tool to accurately reflect organization compliance and risk. Develop alternative methods of reporting assessment results to meet executive leadership requirements.
· Identify, analyze, and translate security observations into actionable, timely, and risk-based remediation plans.
· Interface directly with a variety of business units and stakeholders to clearly communicate risks and develop action plans to reduce risks to acceptable levels.
· Lead the ongoing maturation and development of the organization’s risk assessment function by providing expert-level recommendations and guidance to stakeholders.
· Report to senior management about the effectiveness of data security, and make recommendations for the adoption of new procedures, controls, and/or technologies.
· Expertise in translating applicable industry best practices and international laws and regulations into control requirements.
· Effectively communicate security requirements, assessment results, and remediation efforts to senior management.
· Provide expert-level support to the team responsible for short-turnaround tasks related to managing enterprise-wide security governance, risk, and compliance programs.
· Serve as a subject matter expert to internal security, privacy, and compliance stakeholders on specific topics and issues to strengthen the overall security control framework.
· Act as an advocate for internal customers and business units to enable success while managing security risks.
· An ability to quickly complete assigned tasks from senior management with little or no supervision.
· Manage multiple projects simultaneously across many areas related to information security.
· Expert knowledge of information security standards, assessments, and risk frameworks.
· Thorough understanding and knowledge of:
o NIST SP 800-53 Controls.
o SOC audits and the associated AICPA Trust Services Criteria (formerly the Trust Services Principles).
o Performing risk assessments based on the NIST SP 800-30 methodology.
o CIS Critical Security Controls.
o NIST Cybersecurity Framework.
· Excellent written and oral communication skills are required.
· Strong attention to detail and ability to create high quality work products suitable for executive-level review.
· Must be able to summarize and communicate technical data to a non-technical audience.
· Must be highly motivated, with a strong work ethic, and able to work effectively under minimal supervision.
· Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or Certified in Risk and Information Systems Control (CRISC).
· Certified Cloud Security Professional (CCSP), Certified Authorization Professional (CAP), Systems Security Certified Practitioner (SSCP), systems (Windows/Linux/Unix) security engineering, and/or network security engineering experience are a plus.
· Bachelor's degree in computer science, or related field required.
· 8+ years of progressively responsible experience in information security governance, risk, compliance, and project management.
· 2+ years of experience leading teams in a matrixed environment.