Salary: $109,000.00 - $124,000.00 Annually
Location : Statewide, CO
Job Type: Full Time
Job Number: EGB92761
Department: Governor's Office of Information Technology
Opening Date: 06/17/2026
Closing Date: 6/28/2026 11:59 PM Mountain
FLSA: Determined by Position
Primary Physical Work Address: (Remote From Anywhere In CO)
FLSA Status: Exempt; position is not eligible for overtime compensation.
Department Contact Information:
Type of Announcement: This announcement is not governed by the selection processes of the classified personnel system. Applications will be considered from residents and non-residents of Colorado.
How To Apply: Please submit an online application for this position at Reach out to the Department Contact to apply using a paper application, including any supplemental questions. Failure to submit a complete and timely application may result in the rejection of your application. Applicants are responsible for ensuring that application materials are received by the appropriate Human Resources office before the closing date and time listed.
Department Information
Together, we innovate for a stronger Colorado
The work of employees at the Governor's Office of Information Technology (OIT) is challenging and diverse because the needs of agencies, customers and Coloradans constantly evolve. But our focus never changes: improve the lives of all Coloradans through innovation and collaboration. We're building one of the nation's leading government IT organizations by reimagining how we support agencies, building first-of-their-kind applications, and creating an inclusive, collaborative culture, together. Join us in the important work of providing equitable access to services.
Description of Job
IMPORTANT NOTE: Please review your application to ensure completion. For the most equitable applicant experience, OIT's hiring team considers only the contents of your application to review your qualifications. Please do not include any attachments (such as resume or cover letter) with your application as these items are not used by OIT's hiring team.
The Governor's Office of Information Technology (OIT) is seeking a Senior Security Engineer (Risk) to join the Office of Information Security (OIS). Our team is currently advancing a strategic transformation to modernize our Risk Management capabilities. We are evolving our security oversight into a highly integrated, automated maturity model designed to provide a data-driven view of the state's threat landscape.
As the Senior Security Engineer (Risk), you will serve as a technical leader and subject matter expert dedicated to the identification, quantification, and mitigation of technical risk across the organization. This role requires a seasoned professional with demonstrated leadership experience who can provide technical guidance to diverse stakeholders and offer strategic direction during complex security evaluations.
A primary function of this role is performing comprehensive technical risk assessments on diverse systems and services to ensure they align with the state's security posture. You will be a key contributor in driving the maturity of a Third-Party Risk Management (TPRM) program designed to scale significantly, performing assessments for a high volume of vendors with efficiency and precision.
You will act as a senior technical liaison between engineers, business users, and executive leadership, translating complex technical vulnerabilities into actionable risk narratives. Your work will directly support the risk management strategic roadmap, ensuring state technology remains resilient through consistent, expert-level evaluation.
While this role does not involve hands-on infrastructure or engineering deployment, it requires deep technical literacy to evaluate security documentation and direct experience configuring and operationalizing risk management tooling.
Key Job Responsibilities:
- Act as a key security advisor and collaborator for teams across the organization. You will partner with Service Delivery teams to provide technical guidance on risk mitigation. You will serve as an escalation point for cross-team alignment on enterprise remediation strategies.
- Execute deep-dive technical risk assessments for high-profile state systems. You will evaluate control implementations across a variety of environments, including on-premise, cloud, and hybrid, identifying critical gaps and developing technical remediation plans.
- Serve as a key member in designing and maturing a TPRM program capable of handling an enterprise volume of vendors. You will establish and support a scalable solution with automated workflows and collaborate cross-functionally to scale the program's reach.
- Support the execution and refinement of the risk management strategic roadmap. You will be responsible for driving milestones related to risk assessments, vendor risk management, continuous monitoring, TPRM program governance, and expanding risk services to state agencies and local government partners.
- Support the transition from manual workflows to automated processes and platforms. You will provide the technical expertise needed to ensure the platform delivers real-time, asset-level risk visibility for leadership.
- Partner with internal OIT teams to build TPRM dashboards that improve visibility for program governance and enterprise risk. You will contribute actionable insights that help leadership prioritize resources based on data-driven risk findings.
Minimum Qualifications, Substitutions, Conditions of Employment & Appeal Rights
A wide salary range is posted for this position and any job offer is based upon a salary analysis to comply with the Colorado Equal Pay for Equal Work Act. The salary analysis considers relevant experience, education, certifications, and state seniority as compared to others doing substantially similar work. While all offers are compliant with the Colorado Equal Pay for Equal Work Act, there is no guarantee an offer will be at the top of the posted range based on the salary analysis.
This is a skills-based job announcement. The required minimum qualifications and/or education (if substituting for the proven experience, knowledge, and skills), are as follows:
Minimum Qualifications:
- At least five (5) years of professional experience in security engineering, technical risk management, or high-level systems administration with a focus on security.
- Demonstrated experience in technical and people leadership capacity, such as serving as a team lead, managing project workstreams, or providing high-level technical guidance to other technical staff, with the skillset to build relationships across service delivery organizations.
- Proven experience in the full risk lifecycle, including performing risk assessments, identifying threats, and developing successful remediation strategies.
Substitutions:
- Additional appropriate education will substitute for the required experience on a year-for-year basis, but cannot completely substitute for these qualifications.
- Training or Certification (CRISC, CISSP, CISA) related to the work assigned to the position will be assigned credit towards substitution for experience and/or education, but cannot completely substitute for these qualifications.
Preferred Qualifications:
- Proven expertise applying security and compliance frameworks (NIST 800-53, NIST RMF 800-37/39/30, NIST CSF, CJIS, IRS Pub 1075) to conduct risk assessments, evaluate control effectiveness, and deliver engineering-level guidance for enterprise risk mitigation.
- Experience validating security controls in a variety of environments, including on-premise infrastructure and modern cloud architectures.
- Hands-on experience implementing or operationalizing a GRC/IRM platform to automate risk workflows, track control status, and support audit readiness.
- Previous experience working within or building a high-volume Third-Party Risk Management program.
- Ability to translate risk metrics into clear visualizations and executive-level reporting using SIEM or data analytics platforms.
- Ability to "hit the ground running" to meet aggressive roadmap goals while maintaining a focus on team-wide technical excellence.
Conditions of Employment:
OIT employees must comply with any screening procedures in place at state agency locations where they might perform work.
A pre-employment background check will be conducted as part of the selection process. Post-employment background checks will be required for specific agencies as business needs dictate, which may include a polygraph exam, fingerprint-based criminal history search, reference checks, and a drug test.
This position may require travel within the specified geographic area, and to locations across the state as needed.
Supplemental Information
If this posting indicates "remote from anywhere in CO" in the title, periodic reporting to the primary state work location designated for the position is required. All remote work must be performed in Colorado.
While candidates from out of state will be considered for this role, the candidate selected for the position must relocate and reside in Colorado on the first day of their new position. A reasonable timeframe for relocation will be established on an individual basis, while considering business needs, and determining a start date.
We know it's important to support each other, and that means having a healthy balance of work and personal time. Visit our benefits to learn more about some of our great offerings that allow us all to have fulfilling lives.
Visit our How to Apply webpage to learn more about our application process and what to expect after you apply.
The State of Colorado strives to create a Colorado for All by building and maintaining workplaces that value and respect all Coloradans through a commitment to equal opportunity and hiring based on merit and fitness. The State is resolute in non-discriminatory practices in everything we do, including hiring, employment, and advancement opportunities.
The Governor's Office of Information Technology is committed to the full inclusion of all qualified individuals. As part of this commitment, our agency will assist individuals who have a disability with any reasonable accommodation requests related to employment, including completing the application process, interviewing, completing any pre-employment testing, participating in the employee selection process, and/or to perform essential job functions where the requested accommodation does not impose an undue hardship. If you have a disability and require reasonable accommodation to ensure you have a positive experience applying or interviewing for this position, please direct your inquiries to our ADA Coordinator at or call .
This posting may be used to fill multiple vacancies based upon business need.
The Governor's Office of Information Technology does NOT offer sponsored Visas for employment purposes.
Please note that each agency's contact information is different; therefore, we encourage all applicants to view the full, official job announcement which includes contact information and class title. Select the job you wish to view, then click on the "Print" icon.
01
Please detail how your skills and experience align with the requirements of this position.
02
Describe your experience providing technical guidance or leadership on a security project that required collaboration with multiple different teams (e.g., Cloud, Dev, Ops). How do you ensure high-quality technical outcomes while fostering collaboration across the organization?
03
Describe your process for performing a technical risk assessment on a complex enterprise system. How do you move from identifying a vulnerability to ensuring a successful technical remediation is implemented?
04
This role aims to scale vendor assessments for a high volume of partners. Describe how you would scale a Third-Party Risk program designed for enterprise scale and efficiency.
05
Describe your hands-on experience with GRC, IRM, or risk management platforms. How have you leveraged this tooling to mature a risk or compliance process, for example, by transitioning from manual tracking to an automated model, improving reporting fidelity, or driving operational efficiency?
06
Please describe how you learned of this job opening.
07
The Governor's Office of Information Technology (OIT) complies with Colorado's Equal Pay for Equal Work Act. While a wide salary range is posted, specific criteria (experience, education, state seniority, etc.) will be used to determine any salary offer. While most salary offers are made within the posted range, occasionally an offer is made below or above the posted range based upon this salary analysis. It is this salary analysis, rather than any negotiation process, that determines any salary offer.
- Yes, I acknowledge that it is to my benefit to include ALL of my RELEVANT experience in my application work history and I have done that here.
- No, I do not wish to include ALL of my RELEVANT experience, and I understand that this may affect a potential salary offer.
08
All remote work must be performed from within the State of Colorado. If you live out of state and are selected for this position you must relocate to Colorado before commencing employment. There is no form of relocation assistance, financial or otherwise, available for any position. Do you wish to proceed with your submission?
- Yes, I understand the above statement.
09
If any of the State of Colorado positions listed in your employment history were performed as a contract employee, you MUST list the position/s, State Agency, and the name of the contracting company by whom you were paid during the contract position. If this does not apply, please type "N/A".
10
Do you currently reside in the state of Colorado?
11
Do you currently require employer sponsorship for a Visa, employer-provided documentation to maintain your Visa, or employer participation in a program for the purposes of immigration status?
12
In the future, will you require employer sponsorship for a Visa, employer-provided documentation to maintain your Visa, or employer participation in a program for the purposes of immigration status?