The Risk Assessment Consultant is responsible for assisting in driving the company's efforts to proactively identify, assess, and communicate the company's information security risks through critically analyzing the probable frequency and probable magnitude of future loss.
The assessor works in close partnership with internal information security and business representatives to scope assessments, gather documentation, interview clients, identify risks, document findings, and ensure transparent management of risks by following a structured risk assessment methodology.
This position will be expected to independently lead and complete high-quality assessments across a diverse set of technologies and business functions of varying complexity. This includes but is not limited to assessments for internal and SaaS applications, network devices, control processes, business functions, and facilitating the ongoing analysis of enterprise-wide risks across its family of companies.
This position will also be expected to partner with management and team members to proactively identify and participate in implementing process improvements, overcome barriers to success, build professional relationships across the company, brief senior leaders, and be a collaborative member of the team.
Key Responsibilities include:
Support Management and Decision Making:
- Works closely with and influences decision makers in other departments to identify, recommend, develop, implement, and support a risk-informed decision and action framework.
- Initiates and implements continuous improvements in all areas of IT responsibility.
Business Partner Management:
- Acts as a Change Catalyst for a risk-based approach to delivery of services and systems.
- Partners with others in their organization to set and manage expectations; continually seeks opportunities to be a thought partner and increase internal business partner satisfaction and deepen relationships.
- Adapts communication approach for audiences at multiple internal and external levels.
- Identify and recommend appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to a level acceptable to the senior management of the company.
- Identify and report on new and emerging security risk and risk trends, including participating in risk remediation solution discussions and updates to compliance policy and standards.
- Fully understand business requirements and work with the business to define appropriate solutions for security objectives while meeting the business need.
- Manage the review of changes in company processes, standards and technology to ensure the effectiveness of security controls to meet compliance requirements.
- Integrate security risk reporting and management activities into day-to-day processes.
- Partner with all areas of the business, including internal auditors, legal, IT and business partners.
- Respond to and assist with audits, assessments and compliance requests.
- Serve as client liaison as needed on matters pertaining to Risk Management.
- Promote and consult on the positions that help strengthen and secure the organization by either following standards or helping direct others on technology positions.
- Act as a subject matter expert for the organization's information asset protection policies and procedures, and information technology best practices.
- Develop and refine enterprise policy, standards and procedures.
- Develop and refine procedures and techniques used by the team.
- Minimum 4 years of IT experience, ideally at least 2 of which are in a security domain. Previous information security risk assessment experience is a plus.
- Strong understanding of IT security best practices.
- Demonstrated ability to lead and participate in cross-functional teams, including offsite, remote and offshore resources.
- Effective written and verbal communication skills. Ability to tailor communication style to the audience at hand.
- Ability to effectively communicate with technical and non-technical resources.
- Experience evaluating and securing payment processing technology.
- Experience and knowledge of the Factor Analysis of Information Risk (FAIR) taxonomy is a strong plus.
- Direct knowledge of and experience working with regulatory and risk frameworks: PCI, HIPAA, ISO, NIST, US State Cyber Regulation.
- Strong organizational skills.
- Self-directed, works with minimal guidance, and recognizes when guidance is needed.
- Demonstrated ability to stay abreast of securing evolving technology such as cloud and mobile computing.
- Proficient in MS Office Suite (Word, Excel, Project, PowerPoint, Visio).
- Knowledge and experience with ArcherGRC and RiskLens a plus.
- CISSP or CISM, or other security industry certification a plus.