
Senior Information Security Analyst - GRC

Location: Tallahassee, Florida

Category: Accountant Jobs

Full job description

Responsibilities

The Senior Information Security Analyst (SISA) - Governance, Risk and Compliance (GRC) is a highly influential role responsible for supporting the security strategy of the SBA and elevating the SBA’s security posture. The SISA - GRC works under general supervision alongside audit, compliance and risk teams to identify and verify risks to systems and data, and ensure teams are cognizant of any deficiencies and working toward addressing findings and recommendations. The SISA - GRC is also responsible for the planning and maintenance of security policies. The SISA - GRC understands security risks and technologies and is able to effectively communicate them to business units. In addition, the position evaluates risk according to best practices, as well as compliance mandates, and provides detailed reports from assessments. When external examiners conduct engagements, the SISA - GRC is a primary point of contact and facilitator to ensure teams are abiding by safe computing and administrative procedures. In tandem with security leadership, the position consistently assesses and validates the assurance of the security program. As a primary point of contact for internal and external auditors, the SISA - GRC monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business. As a key member of the security team, the SISA - GRC must focus on strong risk management and organizational resiliency and not be driven solely by compliance. The SISA - GRC reports to the Records and Information Manager. This position is located in Tallahassee, FL and requires on-site, in-person work.

75% - Leads the Security Governance, Risk and Compliance Program

Lead and/or coordinate enterprise-wide, ongoing security risk analysis and security program assessments in coordination with Internal Audit and Risk Management and Compliance teams

Maintain security GRC-related modules, projects and data in the SBA’s GRC platform

Identify strengths and weaknesses in the security program as they relate to privacy, security, business resiliency and compliance frameworks

Document, formulate and enforce areas of security improvement that balance risk with business operations and do not diminish efficiencies or innovation

Analyze findings, and document, recommend and report program gaps to security leadership

Translate technical risks into business terms and escalate items beyond the SBA’s established risk appetite to security and risk management leaders for review

Maintain the information security policy set and supporting standards; coordinate annual reviews, stakeholder approvals, and exception handling consistent with SBA’s governance processes

Plan and execute control reviews against SBA’s approved security frameworks (e.g., NIST CSF/800-53, CIS Controls), document results, and monitor remediation effectiveness

Perform security due diligence on vendors (e.g., SOC report reviews, questionnaires), track related findings, and collaborate with Vendor Management and business owners to manage risk

Serve as point of contact for internal/external audits and regulatory assessments; coordinate evidence collection, issue tracking, and closure documentation in the GRC system

Stay abreast of evolving technologies and areas of risk against the rapidly changing threat landscape as well as standards and compliance requirements

Develop and publish GRC metrics, KRIs, and status reports for leadership and the Information Security Oversight Group (ISOG); prepare materials for committees as needed

Contribute to the Information Security Program roadmap and OIS priorities; assist with cross-functional initiatives to mature governance and risk capabilities

20% - Coordinates the Security Awareness Program

Maintains the SBA security awareness and testing platform

Assists with the creation of effective awareness presentations, communications, and marketing materials

Delivers topic-specific security awareness training presentations to SBA employees

Identifies and evaluates top human risks to the organization and the behaviors that must change to mitigate those risks

Fosters a positive program that engages employees, to include a focus on improving security behaviors both at work and at home

Works with relevant business units to improve security awareness and meet applicable regulatory and compliance standards

Adapts security awareness training and strategy to incorporate and address emerging technologies and risks

Measures and reports on risks related to the security culture of the SBA

5% - Performs other duties as assigned

Qualifications

Five years of related experience. A postsecondary degree may be used as an alternative for years of direct experience; 2 years for an associate’s degree, 4 years for a bachelor’s degree, 6 years for a master’s degree, 7 years for a professional degree, or 9 years for a doctoral degree.

Preferences:

Certified in Governance, Risk and Compliance (CGRC), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Internal Auditor (CIA), Certified Information Systems Security Professional (CISSP), Certified in the Governance of Enterprise IT (CGEIT), or other relevant security, risk management, compliance, or audit-related certifications

A bachelor's degree from an accredited college or university in Risk Management, Cybersecurity, Information Technology, Finance, Business Administration, Accounting, or a related field

Demonstrable experience leading audits, risk assessments, compliance assessments, and/or experience as a cybersecurity analyst, engineer or architect

Knowledge, Skills, and Abilities:

At least 5 years’ IT audit, risk management or cybersecurity experience, with at least 2 years in an operationally focused IT or security practitioner role

Ability to articulate risk to drive objective decisions; strong prioritization and decision-making skills

Proficiency with control frameworks, risk scoring, issue management, and metrics/KRIs

Skilled at working with diverse teams and promoting enterprise-wide risk management rigor and security-first culture

High level of integrity, trustworthiness and confidence to represent the company and risk management leadership with the highest level of professionalism

Project management, multitasking and organizational skills

Ability to preserve credibility with the team through sustained industry knowledge

Demonstrated understanding and comprehension of a wide range of security, compliance and technology frameworks, laws and regulatory requirements, including but not limited to NIST CSF, NIST RMF, CIS Critical Security Controls, PCI, SOX, HIPAA, GDPR and GLBA

Exceptional written and verbal communication skills, and proven ability to translate security and risk to all levels of the business

Capacity to understand legacy and progressive technology and security controls along with respective risk. Working knowledge of technologies such as cloud computing, DevOps and application security is required

Track record of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating effectively

Prior team leadership experience preferred

Hiring Range: $78,000 - $100,000

The State Board of Administration is an Equal Opportunity Employer

Successful completion of a pre-employment background check is a condition of employment with the State Board of Administration
