Senior Information Security Analyst - GRC
Place of work
Tallahassee
Salary
$78,000 - $100,000 a year
Full job description
Responsibilities
The Senior Information Security Analyst (SISA) - Governance, Risk and Compliance (GRC) is a highly influential role responsible for supporting the security strategy of the SBA and elevating the SBA’s security posture. The SISA - GRC works under general supervision alongside audit, compliance and risk teams to identify and verify risks to systems and data, and to ensure teams are cognizant of any deficiencies and working toward addressing findings and recommendations. The SISA - GRC is also responsible for the planning and maintenance of security policies.

The SISA - GRC understands security risks and technologies and is able to communicate them effectively to business units. In addition, the position evaluates risk according to best practices as well as compliance mandates, and provides detailed reports from assessments. When external examiners conduct engagements, the SISA - GRC is a primary point of contact and facilitator, ensuring teams abide by safe computing and administrative procedures. In tandem with security leadership, the position consistently assesses and validates the assurance of the security program. As a primary point of contact for internal and external auditors, the SISA - GRC monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business.

As a key member of the security team, the SISA - GRC must focus on strong risk management and organizational resiliency and not be driven solely by compliance. The SISA - GRC reports to the Records and Information Manager. This position is located in Tallahassee, FL and requires on-site, in-person work.
75% - Leads the Security Governance, Risk and Compliance Program
Lead and/or coordinate enterprise-wide, ongoing security risk analysis and security program assessments in coordination with Internal Audit and Risk Management and Compliance teams
Maintain security GRC-related modules, projects and data in the SBA’s GRC platform
Identify strengths and weaknesses in the security program as they relate to privacy, security, business resiliency and compliance frameworks
Document, formulate and enforce areas of security improvement that balance risk with business operations and do not diminish efficiencies or innovation
Analyze findings, and document, recommend and report program gaps to security leadership
Translate technical risks into business terms and escalate items beyond the SBA’s established risk appetite to security and risk management leaders for review
Maintain the information security policy set and supporting standards; coordinate annual reviews, stakeholder approvals, and exception handling consistent with SBA’s governance processes
Plan and execute control reviews against SBA’s approved security frameworks (e.g., NIST CSF/800-53, CIS Controls), document results, and monitor remediation effectiveness
Perform security due diligence on vendors (e.g., SOC report reviews, questionnaires), track related findings, and collaborate with Vendor Management and business owners to manage risk
Serve as point of contact for internal/external audits and regulatory assessments; coordinate evidence collection, issue tracking, and closure documentation in the GRC system
Stay abreast of evolving technologies and areas of risk against the rapidly changing threat landscape as well as standards and compliance requirements
Develop and publish GRC metrics, KRIs, and status reports for leadership and the Information Security Oversight Group (ISOG); prepare materials for committees as needed
Contribute to the Information Security Program roadmap and OIS priorities; assist with cross-functional initiatives to mature governance and risk capabilities
20% - Coordinates the Security Awareness Program
Maintains the SBA security awareness and testing platform
Assists with the creation of effective awareness presentations, communications, and marketing materials
Delivers topic-specific security awareness training presentations to SBA employees
Identifies and evaluates top human risks to the organization and the behaviors that must change to mitigate those risks
Fosters a positive program that engages employees, to include a focus on improving security behaviors both at work and at home
Works with relevant business units to improve security awareness and meet applicable regulatory and compliance standards
Adapts security awareness training and strategy to incorporate and address emerging technologies and risks
Measures and reports on risks related to the security culture of the SBA
5% - Performs other duties as assigned
Qualifications
Five years of related experience. A postsecondary degree may be substituted for years of direct experience: 2 years for an associate’s degree, 4 years for a bachelor’s degree, 6 years for a master’s degree, 7 years for a professional degree, or 9 years for a doctoral degree.
Preferences:
Certified in Governance, Risk and Compliance (CGRC), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Internal Auditor (CIA), Certified Information Systems Security Professional (CISSP), Certified in the Governance of Enterprise IT (CGEIT), or other relevant security, risk management, compliance, or audit-related certifications
A bachelor's degree from an accredited college or university in Risk Management, Cybersecurity, Information Technology, Finance, Business Administration, Accounting, or a related field
Demonstrable experience leading audits, risk assessments, compliance assessments, and/or experience as a cybersecurity analyst, engineer or architect
Knowledge, Skills, and Abilities:
At least 5 years’ IT audit, risk management or cybersecurity experience, with at least 2 years in an operationally focused IT or security practitioner role
Ability to articulate risk to drive objective decisions; strong prioritization and decision-making skills
Proficiency with control frameworks, risk scoring, issue management, and metrics/KRIs
Skilled at working with diverse teams and promoting enterprise-wide risk management rigor and security-first culture
High level of integrity, trustworthiness and confidence to represent the company and risk management leadership with the highest level of professionalism
Project management, multitasking and organizational skills
Ability to preserve credibility with the team through sustained industry knowledge
Demonstrated understanding and comprehension of a wide range of security, compliance and technology frameworks, laws and regulatory requirements, including but not limited to NIST CSF, NIST RMF, CIS Critical Security Controls, PCI, SOX, HIPAA, GDPR and GLBA
Exceptional written and verbal communication skills, and proven ability to translate security and risk to all levels of the business
Capacity to understand both legacy and emerging technology and security controls, along with their respective risks. Working knowledge of technologies such as cloud computing, DevOps and application security is required
Track record of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating effectively
Prior team leadership experience preferred
Hiring Range: $78,000 - $100,000
The State Board of Administration is an Equal Opportunity Employer
Successful completion of a pre-employment background check is a condition of employment with the State Board of Administration
Offer ID: #1285947