The Risk Analyst is responsible for ensuring that the Firm assesses risk in a consistent manner, and for sustaining a culture of risk awareness. Reporting to the Director of Risk Operations, the Risk Analyst operates a focused, thematic risk and control program for assessing cyber, technology and operational risks rigorously, registering and tracking issues to completion, and reporting these issues to the CISO and other stakeholders. The Risk Analyst also implements the Firm’s security awareness and training program. This role requires hands-on, collaborative work with stakeholders and IT implementers.
- Bachelor's degree in Computer Science or Engineering preferred; advanced degree and CISSP certification preferred.
- Requires 5+ years' experience in cybersecurity, conducting technology audits, and third party security risk assessments.
- Strong working proficiency using risk assessment software such as ServiceNow, Archer, IBM® OpenPages® or C2C MyRiskAssessor; and/or using security learning and training software such as Proofpoint, Skillsoft or KnowBe4.
- Superior time-management skills, relentless follow-through, and metronomelike, consistent delivery.
- Effective written and oral communications skills.
- Big 4 experience preferred.
Duties and Responsibilities:
- Define, document, and manage the Firm’s Risk Management program, including processes for identifying, categorizing, assessing, and registering risks; assigning owners; determining dispositions; and tracking issues to completion.
- Tier, assess, and monitor risks associated with vendors.
- Manage vendor risk program. Review assessment alongside SOC 2 reports and ISO certs. Confirm vendors controls and advise on any gaps.
- Research security controls and translate to actionable insights and strategy.
- Define, document, and manage the Firm’s Security Awareness and Training program, ensuring that training content is up-to-date, fit-for-purpose, and consistently delivered.
- Regularly report on program progress to the CISO and other senior stakeholders as appropriate, using defined Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) to highlight control adoption gaps, identify areas of strong or weak performance, or quantify risks, respectively.
- Perform other duties as assigned.