IT Risk and Security Consultant

This security specialist works with the agency CISO, risk manager, and privacy officer to perform the security analysis and other assigned security/risk tasks.
Position Summary:
The IT Consultant 1 is a tenured-level professional responsible for identifying, analyzing, and mitigating complex IT risks across the organization's technology infrastructure. This role involves strategic planning, cross-functional leadership, and subject matter expertise in IT risk management. The IT Consultant 1 will be a part of the Ohio Department of Medicaid IT Risk and Security that works closely with leadership, and external partners to ensure regulatory compliance, enhance the organization's cybersecurity posture, and support enterprise-wide risk and audit initiatives.

Key Responsibilities:

1. Risk Assessment and Analysis
• Lead complex IT risk assessments and threat modeling activities across systems and applications.
• Analyze trends and emerging risks to proactively recommend strategic mitigations.
2. Risk Mitigation and Management
• Develop and oversee implementation of advanced risk mitigation strategies.
• Monitor risk programs and revise controls based on performance metrics and audit outcomes.
3. Compliance and Governance
• Ensure enterprise-wide compliance with federal and state regulations, including HIPAA, IRS Pub. 1075, NIST 800-53, MARS-E, and ISO standards.
• Support policy lifecycle management and contribute to enterprise GRC strategy.
4. Incident Management
• Provide leadership in incident response and post-incident reviews.
• Collaborate with internal teams on root cause analysis and long-term remediation planning.
5. Review System Security Plans (SSPs)
• Review, update, and validate system security documentation for critical systems.
• Ensure alignment with internal risk policies, external contractual requirements, and frameworks such as NIST and CIS.
6. External Audit Support
• Serve as a key liaison to auditors and regulatory assessors.
• Oversee evidence collection, audit response documentation, and control testing coordination.
7. IT Security Policy Leadership
• Lead the creation and revision of organizational IT security policies.
• Recommend and draft policy enhancements based on risk assessment results, audit findings, and regulatory changes.
8. Reporting and Documentation
• Prepare and deliver executive-level reporting on risk posture, findings, and recommendations.
• Maintain thorough documentation aligned with organizational and audit standards.
9. Collaboration and Communication
• Represent IT risk in executive discussions, technical project meetings, and external partner engagements.
• Coach and mentor junior staff, IT and business personnel.

Qualifications:

• Education:
  Bachelor s degree in Information Technology, Computer Science, Cybersecurity, or a related field is required.
  Master s degree in a related field preferred.
• Experience:
  Minimum of 7 to 10 years of experience in IT risk management, cybersecurity, or information assurance.
  Demonstrated success leading cross-functional projects and managing compliance for large systems. Experiences in Heath and Human Services or Healthcare business preferred.
• Certifications (Preferred):
  CISA, CISSP, CRISC, CISM, CGEIT, or similar credentials.
• Technical Skills:
  Expertise in risk frameworks (NIST 800-53, MARS-E, ISO 27001), vulnerability management, system security plans, and audit lifecycle management.
• Analytical Skills:
  Exceptional critical thinking, data analysis, and risk prioritization abilities.
• Communication Skills:
  Strong verbal and written communication skills with the ability to tailor information to different audiences, including executives.

Interpersonal Skills:
Demonstrated ability to collaborate across teams, influence without authority, and drive organizational change