Responsibilities
We are currently looking for a highly skilled and experienced Cyber Security Lead. In this role, you will be a key player in the compliance function of our Cyber Security team, performing a multi-faceted role with two primary responsibilities.
First, you will manage cyber-control evidence requests that provide assurance over the security and integrity of the organization's network, systems, and data. Second, acting as a Third-Party Risk Analyst, you will assess and manage the cybersecurity risks associated with third-party vendors and service providers by evaluating their security practices and verifying compliance with industry standards and organizational policies.
You will play a crucial role in ensuring the effectiveness and compliance of cybersecurity controls across the entire organization.
Responsibilities & Deliverables:
Your roles & responsibilities will include, but are not limited to, the following:
Collecting and Validating Control Evidence:
Facilitate the collection and validation of evidence related to cybersecurity controls for scheduled audits and assessments.
Collaborate with internal teams to ensure accurate and comprehensive evidence submission.
Assessment Support:
Participate in assessment kickoffs and provide recurring status updates to relevant stakeholders.
Respond promptly to internal auditor and assessor requests, addressing any queries or information needs.
Security Control Library Management:
Maintain the security control library, ensuring it reflects the latest standards and best practices.
Regularly update control documentation based on compliance documents, industry frameworks, and regulatory requirements.
Vendor Assessment & Evaluation:
Conduct thorough assessments of third-party vendors' cybersecurity practices, including their security policies, procedures, and controls.
Evaluate vendors' compliance with industry standards (e.g., ISO 27001, NIST CSF, SOC 2) and regulatory requirements.
Review vendor security documentation, including audit reports, penetration test results, and security certifications.
Risk Identification and Mitigation:
Identify potential cybersecurity risks associated with third-party vendors and recommend appropriate mitigation strategies.
Collaborate with internal stakeholders to develop risk mitigation plans and monitor their implementation.
Maintain a risk register and track the status of identified risks and mitigation efforts.
Process Documentation:
Work closely with cybersecurity leaders to document and improve processes and procedures.
Capture essential details related to security controls and their implementation.
Performance Tracking and Reporting:
Track and report on the performance of audit and assessment support capabilities.
Identify areas for improvement and recommend remediation actions as needed.
Control Verbiage Certification:
Certify and update control verbiage, aligning it with compliance requirements and industry standards.
Required Experience:
Minimum of 3 years of experience in information security governance, risk, and compliance.
Experience in security control library management, process writing, control statement writing, compliance documentation recertification, and driving updates.
Solid project management skills.
Excellent verbal and written English communication skills, with the ability to effectively interact with technical, business, and other stakeholders at all levels of the organization.
Superior analytical and problem-solving abilities, enabling assessment of complex security issues, prioritization of tasks, and development of practical solutions.
Adaptability in tailoring conversations and presentations for different audiences, spanning technical, non-technical, and executive leadership.
Demonstrated commitment to continuous learning and professional development in the field of cybersecurity.
Certification in information security or GRC is a plus (CISM, CISA, CISSP, CGRC, etc.)
Consistent availability during Eastern (UTC-5) and Pacific (UTC-8) business hours.
Education/Certifications Desired
Bachelor's degree from an accredited college or university, or equivalent experience.
Knowledge and experience in understanding and applying implementation guidance from security control frameworks such as NIST CSF, NIST SP 800-53, PCI DSS, CIS Controls, COBIT 5, CSA CCM, and ISO 27001.