Posted: 20 hours ago
Platform:
Work from Office
Full Time
Shift: UK Shift
Experience: 3-6 years in information security, IT risk, audit, or compliance roles

The Information Security Risk Analyst plays a critical role in identifying, evaluating, and mitigating risks that threaten the confidentiality, integrity, and availability of CGI information systems and data. This individual will contribute to the development of a mature risk management program that aligns with business goals, assurance requirements, and industry best practices.

Working cross-functionally with IT, business stakeholders, compliance, legal, and external partners, the analyst will assess risks associated with new technologies, digital transformation efforts, regulatory changes, and evolving threat landscapes. This role ensures that security risk decisions are data-driven and documented, and that mitigation strategies are prioritized based on business impact and likelihood.
Risk Identification & Assessment
- Conduct security-related risk assessments within the organizational guidelines of Enterprise Risk Management.
- Perform in-depth risk assessments for internal systems, cloud services, third-party vendors, and emerging technologies.
- Conduct business impact analyses to evaluate the consequences of security incidents and define criticality levels for systems and data.
- Utilize industry-standard frameworks (NIST RMF, ISO 27005, FAIR, etc.) to quantify and communicate risk posture.
- Analyze threat intelligence feeds and integrate them into risk models to better anticipate and respond to future risks.

Risk Mitigation & Treatment Planning
- Develop and maintain a formal risk register that tracks identified risks, treatment plans, and residual risk.
- Collaborate with asset owners and IT teams to recommend and validate risk mitigation measures.
- Support decision-making by preparing cost-benefit analyses of remediation strategies vs. accepted risk.

Policy, Compliance/Assurance & Governance Support
- Ensure that internal policies and procedures reflect risk tolerance and evolving legal/regulatory obligations (e.g., GDPR, HIPAA, SOX, PCI DSS).
- Assist in conducting gap analyses against compliance standards and frameworks.
- Partner with audit teams to ensure security risks are tracked through issue management lifecycles.

Third-Party & Vendor Risk Management
- Conduct due diligence on vendors and partners during onboarding and periodically thereafter.
- Leverage security questionnaires, SOC 2/ISO 27001 reports, and penetration test results to validate vendor risk posture.
- Track and report third-party risks and collaborate on vendor exit and contingency planning.

Reporting & Metrics
- Create risk dashboards and executive-level reports showing trends, key risk indicators (KRIs), and remediation progress.
- Present findings to stakeholders, boards, or governance committees, translating technical risk into business context.
- Use GRC tools to automate risk scoring, control tracking, and evidence collection.

Awareness & Training
- Collaborate with security awareness teams to align training programs with risk findings and trends.
- Educate internal stakeholders on security risk management practices, control expectations, and emerging threats.
Education & Credentials
- Bachelor's degree in Information Security, Cybersecurity, Computer Science, Risk Management, or related field.
- Preferred certifications:
  - CRISC (Certified in Risk and Information Systems Control)
  - CISSP (Certified Information Systems Security Professional)
  - CISM (Certified Information Security Manager)
  - CISA (Certified Information Systems Auditor)

Professional Experience
- 3-6 years in information security, IT risk, audit, or compliance roles.
- Proven experience conducting risk assessments and applying controls across complex technical environments (on-prem, cloud, hybrid).
- Exposure to security tools and platforms such as:
  - GRC suites (e.g., Archer, ServiceNow GRC, LogicManager)
  - SIEMs (e.g., Splunk, QRadar)
  - Vulnerability scanners (e.g., Qualys, Tenable)
  - Identity & Access Management platforms (e.g., Okta, Azure AD)

Success Criteria & Soft Skills
- Analytical Thinking: Able to balance qualitative and quantitative risk approaches; excels in root cause analysis.
- Communication: Can convey risk issues in plain language to technical and non-technical audiences.
- Collaboration: Effectively builds relationships with cross-functional stakeholders.
- Adaptability: Thrives in a fast-paced, evolving regulatory and threat landscape.
- Integrity: Maintains impartiality and protects sensitive information with discretion.

Optional/Preferred Experience
Familiarity with:
- Data privacy laws and data protection impact assessments (DPIAs)
- Cloud security (e.g., AWS Well-Architected Framework, Azure security benchmarks)
- Emerging technologies (Artificial Intelligence, Quantum Computing, etc.)
- Hands-on experience with quantitative risk analysis methodologies (e.g., FAIR)
CGI