Senior Information Security Governance – Risk and Compliance Analyst

Company: Snowflake
Location: Menlo Park, CA, USA; Dublin, CA, USA
Salary: $198000 – $303600
Type: Full-Time
Degrees:
Experience Level: Expert or higher

Requirements

  • Minimum of 10 years of tactical and operational experience in Governance, Risk and Compliance, or Information Security, with a focus on risk assessments/management
  • Strong analytical skills along with the ability to effectively communicate complex security-related information, including risk identification, assessment, and remediation activity
  • Knowledge and practical experience with the following risk management frameworks: ISO, NIST, and FAIR
  • Experience with creating and utilizing risk KPIs and KRIs with data visualization tooling
  • Technical certifications within the area of security and risk are a strong plus (CISSP, CRISC, CISM or equivalent)
  • Knowledge and experience pertaining to AWS, Azure, GCP (or similar) cloud security and infrastructure, Software as a Service (SaaS) applications, CI/CD pipeline tools (such as GitHub, Jenkins, etc.), network infrastructure security, encryption technology and implementation, database security, operating system security, and artificial intelligence and machine learning
  • Expert communicator and writer; you can coach others on their writing skills, you can adapt your communication style for your audience, and you have experience drafting policies, reports, and other written materials for a variety of executive audiences
  • Knowledge of global cybersecurity, technology and data privacy regulatory requirements
  • Experience reporting policy and compliance posture to senior stakeholders
  • Ability to direct cross-functional work and hold others accountable to committed deadlines

Responsibilities

  • Ensure relevant cybersecurity risks identified are captured in the risk register and keep it updated with the related information
  • Facilitate risk decomposition (scenario generation) activities with the relevant key stakeholders and document the outcomes
  • Develop a broader understanding of the motives, targets and activities of cyber threat actors and manage the threat actor profile for Snowflake
  • Perform cyber risk assessments on new and existing cyber security risks in partnership with risk owners and subject matter experts
  • Analyze cybersecurity risks to determine likelihood and impact to Snowflake business and describe risks in quantitative and qualitative terms
  • Develop risk mitigation plans by partnering with the risk and system owners
  • Identify and develop appropriate metrics such as key performance indicators (KPIs) and key risk indicators (KRIs) to measure risks and highlight trends or themes
  • Track and monitor risk mitigation plan activities with metrics and timeline
  • Help make risk-based decisions and trade-offs impacting business strategies
  • Help prioritize projects in quarterly planning activities that could mitigate the risks
  • Develop reports and dashboards to provide an update on risk posture to key stakeholders, risk owners and leadership team
  • Maintain a strong understanding of risk management methodologies and frameworks
  • Educate and build awareness of cybersecurity risk management across the organization
  • Empower key stakeholders and risk owners to use the common risk taxonomy
  • Influence behaviors to reduce cybersecurity risk and foster a strong risk-based culture throughout the organization
  • Assess, evolve, and drive the policy management framework for all Security policies and standards in partnership with Security teams and Security Risk Management
  • Review and make recommendations for streamlining existing and future security policies
  • Appropriately assess control design and effectiveness in order to ensure policy and standard enforcement
  • Create a process and collateral for rolling out new security policies to the whole company
  • Establish, document, and broadly communicate security policy management norms to the Security organization, outlining how to create, maintain, enforce, and deprecate security policies in line with enterprise policy requirements
  • Collaborate with Security Compliance, Product Security, Corporate Security, Legal and other partners to incorporate security and compliance requirements into the security policy framework, and track policy implementation and issues
  • Manage the Security Policy Exception Process to enable Security teams to track exceptions, manage approvals, and improve automation
  • Partner with Security Data Analytics team to develop key performance indicators and dashboards to monitor and report on the Security policies
  • Utilize people, process and technology to build policy tooling that is tightly integrated with a broad set of internal security tooling

Preferred Qualifications

  • Technical certifications within the area of security and risk are a strong plus (CISSP, CRISC, CISM or equivalent)