Cybersecurity Senior Analyst GRC

Summary

As the Senior Cybersecurity Analyst, GRC, you will be an integral member of the Governance, Risk and Compliance team within the Cybersecurity Department.

Essential Functions:

• Develop and maintain core Governance, risk and compliance artifacts, including GRC program charter, cybersecurity service catalog and related documentation 
• Establish and mature a cybersecurity metrics and reporting program, including cybersecurity metrics program charter, process, governance, and structure for metrics and data collection, developing reports and dashboards, and partner with control owners to analyze and report metrics 
• Provide subject matter expertise on common control frameworks and lead efforts to create, improve, and monitor cybersecurity controls.  
• Develop and maintain standards and SOPs (standard operating procedures) for third party risk management, solution risk assessments, exception management, and other GRC processes 
• Conduct detailed security risk assessments (vendor and solution), and mature security risk assessment process including questionnaire development, workflow optimization in ServiceNow, risk analysis, and issue identification 
• Produce high quality risk assessment reports and deliver readouts to business unit leaders, translating technical risks to clear business impacts and recommendations 
• Review and analyze vendor cybersecurity documentation, including SIG questionnaires, SOC2 Type II, and other assurance artifacts 
• Lead the end‑to‑end cybersecurity exception management process, including intake, validation, risk analysis, documentation, and routing for approval. 
• Lead the design, development, and implementation of a consistent cyber risk treatment and monitoring process, including defining workflows, documenting standard and SOP, treatment plan requirements, and governance routines. 
• Lead the risk treatment and monitoring activities, including maintaining the cyber risk register, validating risk scoring, tracking remediation progress, and ensuring risks are updated, reviewed, and closed in alignment with governance requirements. 
• Work with control owners, system owners, SMEs, other internal and external resources to gather data, develop and oversee risk treatment options and action plans, to help drive and achieve results for technology related assessment findings and exception requests. 
• Lead cybersecurity projects and initiatives, including project planning, stakeholder engagement, and progress reporting to leadership. 
• Leverage and expand ServiceNow GRC capabilities to automate workflows, improve data quality, and enhance reporting 

Responsibilities:

• Strong understanding of information security risk management methodologies, third party risk management, and solution risk assessments
• ServiceNow GRC experience strongly preferred
• Promotes productivity and teamwork in assigned areas with open communication, timely decision making, and use of personal leadership skills to set high standards of performance while providing the direction necessary to achieve that performance.
• Develop “Trusted Advisor” relationship with business leaders to understand business and technical risks
• Identification of new or emerging risks and develop mitigation plans.
• Provide technical leadership and GRC subject matter expertise around use of technologies and business initiatives.
• Driven, energetic, team player with exceptional written and verbal communication skills with the ability to create clear, concise, and executive‑ready documentation.
• Superior customer service and interpersonal skills to effectively relate to end user experience and needs; ability to build working relationships and promote information-sharing.  Possess a high degree of originality, creativity, initiative requiring minimal supervision.
• Proficiency with Microsoft Office (Word, PowerPoint, and Excel) and performing data analysis.
• Able to assess complex technologies and vendor risks/issues that require sophisticated analytical or problem-solving techniques to identify cause
• Able to provide professional input to complex assignments/projects as well as direction to more junior professionals 
• Able to adapt to change, and sometimes competing priorities
• Able to prioritize and schedule tasks, pay attention to detail, and demonstrate good organizational skills.

Able to proactively follow up on action items and outstanding tasks

Education:

Bachelor’s Degree in a business or technical discipline from an accredited college or university is required.

Experience:

• A minimum of 5 years’ experience in cybersecurity, Governance, Risk and Compliance, security auditing, or relevant IT role working with cybersecurity concepts and tools is required.
• Experience in data processing and analytics preferred.
• CISSP, CRISC, or other relevant cybersecurity certifications preferred.
• In-depth knowledge and experience in technology risk assessments and information security risk management preferred.
• Demonstrated program and project management planning/execution skills
• Experience working with common information security standards, such as NIST Cybersecurity Framework (NIST) preferred and a plus

Physical Requirements

Working Conditions