Principal Cybersecurity Risk Analyst

Careers Integrated Resources Inc Newark, NJ (Onsite) Contractor
Job Title: Principal Cybersecurity Risk Analyst
Job Location: Newark, NJ (Hybrid 1 day onsite per week)
Job Duration: 5-6 Months (possibility of extension)
Pay rate: $90.00 - $100/hr. on W2

Job Summary:

  • The Principal Cybersecurity Risk Analyst (PCSA) will lead project and technology-based risk assessments within the environment, lead technical and nontechnical third-party risk assessments, and recommend mitigating action or controls.
  • The PCSA will further identify and convey information security, physical security, business continuity, and IT operational requirements to project teams, and the Sourcing department in support of new contracts and ongoing engagements.
  • The primary responsibility of the PCSA is to oversee and monitor mitigation strategies for information security risks.

Major Responsibilities:

  • Lead third-party vendor risk, project risk, or technology risk assessments.
  • Oversee the assessment of the adequacy of a vendor's security program to protect client NJ data.
  • Communicate with business and IT regarding security risks and deficiencies.
  • Lead ongoing security assessments to validate appropriate controls are in place.
  • Review Vendor reports to acknowledge findings from the security assessments and document remediation action plans.
  • Ensure proper evidence is gathered to facilitate timely closure of remediation plans.
  • Provide Information Security consulting and subject matter expertise on third-party service contracts and/or Sourcing arrangements and internally to junior analysts.
  • Lead the development and improvement of security processes and assist in metrics development, within both the technology and business organizations.
  • Continuously review and improve the TPRM program, with the intention of improving the efficiency of the workflow as well as the quality of metrics development and reporting.
  • Lead cross-functional teams to serve as the facilitator between the Information Cyber Security Office and the broader organization.
  • Act as a security advisor and ensure an ongoing awareness of identified risks.
  • Collaborate with internal ICSO teams to utilize expertise to identify evolving security threats and provide in-depth understanding of "if, how, and when" they should be addressed. Conduct technical research to aid in threat assessment.
  • Lead the evaluation and assessment of supplier criticality and review changes in scale and scope of services contracted with the supplier for material impact.
  • Actively promote commitment to client NJ’s Information Security, Enterprise Risk Management and Audit initiatives, as well as its culture of compliance.

Internal Relationships:

  • Legal Affairs, IT Governance, or IT Security Operations
  • Internal Customers/Users
  • Internal clients and constituents

External Relationships:

  • 3rd Party Suppliers/Vendors
  • 4th Party Suppliers/Vendors
  • External Customers

Education/Experience:

  • HSD or GED required, Bachelor's degree preferred (or equivalent work experience)
  • Third-party, technology, and project risk assessment experience
  • Experience with Governance, Risk, and Compliance tools
  • 5 years of experience in Risk Management with advanced understanding of Third-Party Risk Management
  • 7 years of experience in Information Technology Audit/Information Security
  • Proficient working knowledge within the following risk domains/technologies:
    • Change Management
    • IDS/IPS technologies
    • Firewall technologies
    • Network Architecture
    • Vulnerability Management
    • System/Access Administration
    • Key Management/Tokenization
    • Database and application security
    • Secure Software/Code Development
    • Physical and Environmental Security
    • Security Event Logging & Monitoring
    • Database/Application/Network Layer Secure Protocols
    • Cloud Security
    • Identity & Access Management
    • Business Continuity and Disaster Recovery Management
    • Automation/Artificial Intelligence

Additional Licensing, Certifications, Registrations:

  • CISSP, CISA, CRISC or equivalent

Knowledge:

  • Requires a solid understanding of IT security concepts with an emphasis on Security and Risk Assessment.
  • Requires solid knowledge of IT and computer systems.
  • Requires familiarity with HIPAA security rules and National Institute of Standards and Technology (NIST) standards.
  • Requires familiarity with Vendor Risk Management.
  • Suggested familiarity with ServiceNow tool.

Skills:

  • Requires strong analytical thinking skills.
  • Requires excellent verbal and written communication skills.
  • Requires excellent interpersonal skills and the ability to work effectively with others as a team.
  • Requires excellent PC skills and demonstrated proficiency with MS Office Suite.
  • Requires the ability to handle multiple tasks and prioritize effectively.
  • Ability to train/mentor incoming team members.

Travel (If Applicable):

  • Conduct on-site/virtual security assessments to measure the effectiveness of the third-party's current control environment. (Some travel may be required.)


Job Snapshot:

  • Employee Type: Contractor
  • Location: Newark, NJ (Onsite)
  • Job Type: Information Technology
  • Experience: Not Specified
  • Date Posted: 11/13/2025
  • Job ID: 25-65778
