Cyber Analyst-Governance and Risk

Cyber Analyst – Governance and Risk

The Cyber Analyst – Governance and Risk is responsible for managing the end-to-end lifecycle of the organization’s information security governance and technology risk policies and standards. This includes drafting, maintaining, coordinating reviews and approvals, and supporting adoption and ongoing oversight. The role also serves as the lead coordinator for inbound security questionnaires, audits, and due diligence requests from clients, prospects, and business partners, ensuring responses are accurate, consistent, and supported by appropriate evidence.

This position works closely with the Information Security Officer (ISO), Security and Governance teams, Technology, Compliance, Legal, and key business stakeholders to ensure governance and assurance artifacts remain aligned with implemented controls, regulatory expectations, and operational realities.

Key Duties and Responsibilities

Security Policy Governance and Oversight

• Draft, review, and maintain information security and technology risk policies, standards, and supporting procedures (e.g., access control, incident response, data handling, vendor and third-party security requirements), ensuring clarity, usability, audit readiness, and alignment with recognized frameworks and SEC requirements.
• Manage and continuously improve the policy lifecycle, including intake and change management, scheduled reviews, stakeholder feedback cycles, version control, approvals, publication, and enterprise communication.
• Maintain a centralized repository for policies and standards, including templates, mappings to frameworks, definitions, ownership assignments, and approval records.
• Administer policy exceptions by documenting business justification, compensating controls, approvals, expiration or renewal timelines, and required follow-up actions.
• Monitor internal and external drivers that may necessitate policy updates, such as control changes, audit findings, incidents and lessons learned, contractual obligations, or regulatory expectations, and coordinate updates with subject matter experts.
• Support policy adoption and awareness by partnering with stakeholders to deliver targeted communications and guidance.

Client, Partner, and Third-Party Assurance

• Serve as the primary coordinator for inbound security questionnaires, audits, and assurance requests from clients, prospects, and business partners.
• Manage intake, prioritization, timelines, and cross-functional collaboration to ensure timely and high-quality responses.
• Develop and maintain a standardized library of approved responses, control narratives, and security terminology to improve consistency and efficiency.
• Build and maintain an evidence inventory identifying available artifacts, ownership, storage locations, and currency to support repeatable and defensible responses.
• Review and validate questionnaire responses to ensure alignment with current policies, implemented controls, and operational practices; identify gaps, ambiguities, or potential risk exposures and escalate with recommended mitigation language or options.

Collaboration and Continuous Improvement

• Participate in governance forums, working groups, and cross-functional initiatives to align policy priorities and ensure consistent messaging across security and risk programs.
• Collaborate with technology, compliance, legal, and business teams to address governance, risk, and compliance (GRC) issues and enhance the organization’s overall security posture.

Experience and Credentials

• Bachelor’s degree in Business Administration, Information Technology, Risk Management, or a related field, or equivalent practical experience.
• Three or more years of experience in GRC, security compliance, technology risk, or information security governance, with demonstrated responsibility for policy development and cross-functional coordination.
• Proven experience managing and completing security questionnaires, audits, or due diligence requests, including coordinating subject matter expert input and supporting evidence.
• Working knowledge of common security and risk frameworks (e.g., NIST CSF, ISO/IEC 27001) and familiarity with regulatory expectations relevant to SEC and FINRA administrative requirements.
• Relevant certifications such as Security+, CGRC, CISA, CRISC, CISSP, or similar are preferred.

Core Competencies

• Ability to operate effectively in a dynamic, fast-paced environment with competing priorities.
• Demonstrated commitment to confidentiality, ethical standards, and the protection of client and company information.
• Strong written and verbal communication skills, with the ability to translate complex technical concepts for both technical and non-technical audiences.
• Highly self-motivated with the ability to work independently while collaborating effectively across teams.