Cyber Security Risk Analyst

Description:

Cyber Security Risk Analyst - Assurance

Duration: 1.5 year

Optional Extension: 6 months

JOB DESCRIPTION:

The Consultant will be responsible for providing the following Services to the Bank:

Under the direction of the Assistant Director, Cyber Security Assurance:

• Lead the creation, drafting, and finalization of comprehensive cyber system risk reports for internal clients and stakeholders

• Translate and synthesize complex technical findings from Threat and Risk Assessments (TRAs) and penetration tests into clear, actionable business insights for non-technical stakeholders

• Quickly integrate into the existing Assurance team workflow and manage the cyber risk reporting queue for the duration of the engagement

• Apply industry-standard cyber risk frameworks, including National Institute of Standards and Technology (NIST) and the Harmonized Threat and Risk Assessment (HTRA) methodology, to assess, document, and communicate risk

• Document, track, and report cyber risks in ServiceNow Governance, Risk Compliance (GRC), including risk register entries, treatment plans, exceptions, and remediation tracking

• Convert technical vulnerability and threat findings into clear business impact statements and risk treatment recommendations for senior stakeholders

• Support governance forums, internal audit, and regulatory inquiries with clear written and verbal communication of cyber risk posture

• Maintain the quality, consistency, and timeliness of the Assurance team's reporting outputs across the engagement

• Provide guidance to team members on report quality, framework alignment, and effective risk articulation, as required

• Produce documentation, artifacts, and reporting required for stakeholders, governance forums, and leadership

• Other activities and deliverables, as required

Required Qualifications & Skills:

The Consultant should have the following qualifications and skills:

• University Degree or College Diploma in computer science, information security, risk management, or a related field

• A minimum of five (5) years of recent demonstrated experience in cyber security, technology risk, or a related discipline

• A minimum of three (3) years of recent demonstrated experience producing executive-grade cyber risk reports for senior business and technology stakeholders

• Demonstrated working knowledge and practical application of (NIST) cyber security risk frameworks (e.g., NIST CSF, NIST SP 800-30, NIST SP 800-53)

• Demonstrated working knowledge and practical application of the Harmonized Threat and Risk Assessment (HTRA) methodology

• Demonstrated recent hands-on experience using ServiceNow GRC for documenting, tracking, and reporting on cyber risks, including risk register and issue management modules

• Demonstrated experience interpreting penetration test and Threat & Risk Assessment (TRA) outputs and converting them into clear, actionable business language

• Demonstrated strong written and verbal communication skills, with the ability to deliver sensitive risk information to business leaders in a clear, objective, and consultative manner

• Demonstrated strong knowledge of common cyber vulnerabilities, exploit methods, and risk remediation strategies, with the ability to map technical risks to business impact

• Demonstrated ability to work independently, manage competing priorities, and integrate quickly into an existing team's workflow

• Demonstrated ability to enforce consistency in language, risk articulation, and formatting across multiple reports, ensuring alignment with enterprise reporting expectations

• Demonstrated experience leveraging AI-assisted tools to support analysis, content generation, or data processing, with a focus on maintaining accuracy, confidentiality, and alignment with organizational standards

• Demonstrated strong data comprehension, including the ability to differentiate between structured and unstructured data, understand relationships across data elements, and apply data management principles to ensure consistent, accurate, and reusable reporting outputs