Senior Risk Analyst (Cyber Security)
Our client has been serving the households, businesses and communities of Britain for over 250 years. They offer a comprehensive range of financial products and services - including current accounts, savings, mortgages, loans and credit cards.
To provide support to IT in order to advise, challenge and monitor (through metrics and assessments) the way that risks are managed, controls are implemented, and findings are addressed.
To take the lead in improving processes and coaching more junior members of the team, along with performing quality assurance activities.
This is a 2nd line of defence role within the 3 Lines of Defence model for Risk Management.
Primary Roles & Responsibilities:
- To provide ongoing support, advice and challenge for the 1st line of defense. Build knowledge of the IT Control Set, risk framework, and establish good working relationships with assigned control owners.
- To be an SME on specific risks and related controls by providing such advice and support.
- To work with IT and other Technology Risk and Security teams to evolve our risk universe and control framework to address identified weaknesses and emerging threats.
- To assess the effectiveness of controls through conducting assessments and the creation of KPIs/KRIs for data analysis.
- To ensure risks are accurately articulated and appropriate business and IT approval is sought where risks are being accepted or exceptions are being granted.
- Work with the 1st line of defense to identify risk event root causes and remediation plans.
- To manage risks, controls and findings within the Archer eGRC tool.
- To act as a role model for and coach more junior members of the team.
- To review work done by other members of the team as part of defined QA processes.
Knowledge and Capabilities:
- At least 5 years of experience in managing information systems or information/cyber security risk according to an industry standard approach.
- Knowledge of the 3 Line of Defense model for Risk Management.
- Able to demonstrate a high degree of credibility and influence senior stakeholders within the organisation.
- Ability to communicate effectively both orally and in writing.
- Excellent knowledge of information/cyber security and related principles.
- Thorough knowledge of IT and information/cyber security controls.
- Self-motivated, able to deliver with minimal supervision, and always aware of the "bigger picture".
- Experience of relevant standards, frameworks and regulations including some of: NIS Directive, GDPR, NERC CIP, Sarbanes Oxley, PCI, NIST Cyber Security Framework, HIPAA, UK Directive 105, US Data Privacy related laws, CFATS, CCPA, MAS 201, RIITPA, NIST 800-53, COBIT 5.
- Experience in the Critical National Infrastructure (CNI) and utility industry experience preferred.
- Educated to degree levels in math, science or computers
- 1-5 Years Risk Management experience, Information Security and Compliance
- Ability to interface effectively with other Security and Technology Risk Teams, Information Technology Leadership Team (ITLT), Control Owners, Control Operators, Enterprise Risk Management, Business Units
- Information Systems Certifications such as CRISC, CISSP, CISM or CEH, preferred
- Working knowledge of Archer, preferred
- Business skills such as Commerciality, Project Management, Stakeholder Engagement, Customer Focused, Performance Excellence and Data Management are desirable
Candidates will ideally show evidence of the above in their CV in order to be considered.
Please be advised if you haven't heard from us within 48 hours then unfortunately your application has not been successful on this occasion, we may however keep your details on file for any suitable future vacancies and contact you accordingly.
Pontoon is an employment consultancy and operates as an equal opportunities employer