Role Overview
The Business Information Risk role supports the alignment of cybersecurity, risk management, and compliance activities with Enterprise business objectives. This role partners with Enterprise teams, business stakeholders, and the Information Technology Risk Management Security (ITRMS) organization to identify, assess, and mitigate information security and compliance risks across technology. The position acts as a trusted subject-matter expert, translating technical risk into business context and supporting the implementation of practical, risk-based controls that enable safe business operations and innovation.
Primary Responsibilities
Business Partnership & Advisory
- Serve as a primary risk advisor to Enterprise teams on assigned programs, products, or technology areas, helping translate security risks into business impact and practical recommendations.
- Translate enterprise security policies into practical, business-aligned implementation guidance and manage exception handling for the business unit.
- Participate in business planning forums, product roadmaps, and program governance to ensure security is included early (shift-left).
- Support business stakeholders by providing clear, actionable guidance for embedding security and privacy considerations into projects, digital transformations, and operational processes.
- Prepare and present risk findings, assessments, and mitigation proposals to IT and business stakeholders; escalate material risks to ITRMS or Enterprise leadership as appropriate.
Risk Assessment & Governance Support
- Maintain a prioritized risk register for the business unit and drive risk acceptance decisions with business owners and delegated risk approvers.
- Conduct and document risk assessments (e.g., application, cloud, third party) and gap analyses aligned to Enterprise policies and relevant regulatory requirements.
- Recommend and help implement risk-based security controls, compensating measures, and remediation plans tailored to Enterprise operational contexts.
- Assist in maintaining risk registers and tracking remediation and compliance activities; contribute to periodic risk reporting.
Technical Risk Management & Cybersecurity
- Work closely with Enterprise Value Teams and solution owners to review architecture, design, and operational controls for systems, applications, and cloud environments.
- Identify opportunities to strengthen cyber resilience (detection, response, recovery) and support implementation of monitoring and control improvements.
- Support incident investigations and coordination with the Cyber Fusion Center for Enterprise-related security events; help identify root causes and remediation actions.
Program Execution & Standards
- Support development and operationalization of security standards, policies, and guidelines relevant to Enterprise.
- Participate in assurance activities such as control testing, audits, and compliance assessments, and support remediation efforts.
- Stay informed of emerging technologies (e.g., AI, cloud services) and regulatory changes; evaluate their potential security and compliance impacts and escalate concerns.
Stakeholder Engagement & Awareness
- Collaborate with risk, technology, and business stakeholders to promote a risk-aware culture and practical security behaviors.
- Contribute to targeted security awareness initiatives and training for Enterprise teams, tailored to role and business processes.
- Act as a subject-matter expert in cross-functional working groups or project teams.
Qualifications
Education & Certifications
- Bachelor's degree in information technology, cybersecurity, computer science, business administration, or a related field (or equivalent experience).
- Relevant security or risk certifications preferred (CISSP, CISM, CISA, CRISC, GSEC) but not required.
Experience
- Experience in cybersecurity, IT risk management, IT compliance, IT audit, or related fields.
- Experience performing risk assessments and advising technical and business stakeholders on security controls and remediation.
- Practical experience with cloud, application, or operational technology security is highly desirable.
- Prior experience supporting regulated industries (healthcare, life sciences, or manufacturing) is preferred but not mandatory.
Skills & Competencies
- Technical depth in cybersecurity controls, threats, vulnerabilities, and mitigation strategies across technology.
- Strong business acumen and ability to explain technical risk in business terms.
- Proven problem-solving and analytical skills; able to produce clear, actionable recommendations.
- Good stakeholder management and communication skills; able to influence without formal authority.
- Comfortable working independently and as part of cross-functional teams; adaptable in a fast-paced environment.
- High emotional intelligence and collaborative mindset.