Title:  Senior Risk Lead

Location: 

Bangalore, Karnataka, IN

Requisition ID:  131237

Job Summary

The Senior Risk Lead provides technical governance to supplier risk management programs within the governance, risk and compliance functions. The role is responsible for reviewing security compliance, including SaaS configuration and compliance sets such as SOC2, and for performing risk assessments. It is accountable for security frameworks and for adherence to industry best practices and standards, and works with application and infrastructure teams to ensure that policies and standards are integrated and applied appropriately across the environment.
The analyst is expected to have a thorough understanding of IT systems, to be experienced in enterprise systems integration, and to stay up to date with the latest security standards, emerging security technologies and security best practices.
The Senior Risk Lead will also assist with facilitating the identification, documentation, review and mitigation of information security risks to support organizational strategic objectives. This role will analyze information security risks and controls based on established risk criteria and methodology, conduct security risk assessments of information systems to identify vulnerabilities associated with critical assets, recommend controls to mitigate security risks identified through the risk assessment process, and communicate results that are clear and actionable to business stakeholders.

The Senior Risk Lead will monitor the risk landscape through emerging threat intelligence, actionable situational awareness, and other sources. While working with the overall Global Security GRC team and other internal business units, the analyst will ensure proper documentation and reporting analytics, including KPIs, through the development and maintenance of appropriate records related to risks, controls, and assessments in the GRC system of record.

Duties and Responsibilities

  • Conducts reviews for projects related to infrastructure and general information security to ensure they meet requirements and target-state architecture.
  • Participates in risk assessment activities as subject matter expert for infrastructure and general information security concerns
  • Determines security requirements by evaluating business strategies and requirements; researching information security standards; evaluating risk assessments; studying architecture/platform and identifying integration issues
  • Ensures all risks are documented and updated according to Global Security policies, standards, and processes
  • Engages with technical and security teams to identify and assess risks, driving towards appropriate risk mitigation activities aligned with the enterprise risk appetite
  • Monitors identified risks, reassessing as needed and/or as directed by management
  • Reports on risk remediation status through facilitation of risk metrics, analytics, and scorecards
  • Helps facilitate the annual enterprise information security risk assessment
  • Manages issue resolution due to control breaks and audit findings
  • Analyzes business problems through software, analytical tools and techniques, business processes and technical knowledge to guide in risk-based decisions
  • Organizes and leads GRC-related meetings, prepares meeting agendas, sends out meeting minutes and coordinates follow-up activities as appropriate
  • Manages exceptions to policy and standards
  • Communicates with all levels of technical and executive staff in matters related to risk identification and remediation
  • Works with GRC Compliance, Internal Audit, and outside consultants as appropriate on required security assessments and audits

Minimum Qualifications

  • Bachelor's degree in business, accounting, finance, computer science, information systems, engineering, or a related field strongly preferred; equivalent combination of education and experience may be substituted in lieu of degree
  • At least eight (8) years of GRC (governance, risk, compliance) experience with methodologies, activities, tools, and enablers in a technology related industry including experience in business process analysis, project methodology, or systems development life cycle through education or on-the-job experience, required
  • Knowledge in creating architectures (IaaS, SaaS, PaaS) for public, private and hybrid cloud services
  • Ability to demonstrate a strong understanding of various compliance and regulatory areas (e.g., ISO27001, SOC2, DORA)
  • Experience with risk management and managing the risk lifecycle
  • Working knowledge of configuration management, change control, security baselines and frameworks (NIST CSF, NIST 800-171, CIS)
  • Ability to identify gaps in existing and proposed architectures and security controls and provide recommendations for risk resolution
  • Ability to develop security policies, standards and guidelines based on best practices and industry standards
  • Strong oral and written communication skills, including presentation skills
  • Strong analytical and problem-solving skills
  • Ability to work both independently and as part of a team to deliver quality work products in a timely fashion in a fast-paced environment
  • Ability to multi-task and prioritize tasks with little supervision
  • The ability to work well with people from many different disciplines with varying degrees of technical experience
  • The ability to adapt to a dynamic, rapidly changing business and technical environment
  • Ability to exercise skilled professional judgment
  • Ability to maintain confidentiality
  • Ability to oversee all aspects of projects and manage projects through the entirety of the life cycle

Preferred Qualifications

  • Information security related training or certifications such as CISSP, CSSP, CRISC or CISA
  • Knowledge of vulnerability management topics: Common Vulnerability Scoring System (CVSS), Common Vulnerabilities and Exposures (CVE), and Open Web Application Security Project (OWASP)
  • Experience with AI standards (e.g. ISO 42001) and assessing AI risks
  • Experience performing information security risk assessments
  • Experience with KPI/KRI metrics analysis and management
  • Proven ability to drive process improvement through strategic thinking, plan development and implementation
