INFORMATION SECURITY RISK ANALYST
WHAT IS THE OPPORTUNITY?
The Information Security Analyst plays key role in the Information Security program with responsibility for collecting and analyzing technical and qualitative security data to provide actionable recommendations to bank leadership to mitigate security risk with a focus on supporting IT Controls Monitoring.The Information Security Risk Analyst will conduct quantitative and qualitative analysis to support the prioritization of tactical and strategic risk mitigation projects and measure progress of technology risk reduction initiatives. The Information Security Risk Analyst's work product will be shared with the Audit and Risk Committee, Royal Bank of Canada, and CNB's regulators. The Analyst will create presentations, briefings and communications on technology risk issues for a variety of internal and external stakeholders. The Analyst will develop, collect and report metrics and Key Risk Indicators (KRI) which provide effective, proactive identification of technology risks. The Information Security Risk Analyst is a subject-area specialist with specialized training, methods and analytic techniques to create recommendations and directions for cyber risk mitigation in a complex technical environment. The Information Security Risk Analyst role requires extensive critical thinking and problem solving, often using specialized frameworks or techniques to generate meaningful insight out of complex and technical data. Focus areas of security assessment by the Information Security Analyst include external threats and trends, applications and infrastructure security, cloud security, third party security and overall security program effectiveness in mitigating risk. The Information Security Risk Analyst's goal to create actionable information for IT and business leadership, and to provide objective assessment of cyber security risks for auditors, regulators and external parties. This requires routinely authoring detailed reports and gathering metrics ensure stakeholders receive accurate and complete information. The Info Security Risk Analyst keeps abreast of external cyber security trends, technologies and cyber risk management approaches, and often works with other teams on cyber risk-related initiatives to provide subject-matter recommendations and guidance to achieve a posture within the bank's overall risk appetite. This position level works on cyber incident identification and response, adhering to defined techniques for collection, data correlation, escalation, and reporting for cyber incident response. Events and problems analyzed are generally limited scope and complexity. The position requires a basic understanding of event and incident analysis and response techniques, which are largely defined based on event/data type
Technology and Innovation Division
As a member of City National's Technology & Innovation group, you will drive, develop, and maintain solutions for clients and colleagues. This is an exciting time of technology advancement and innovation across the bank, particularly within our technology teams.
WHAT WILL YOU DO?
- Define analysis objectives, collect data from internal and external sources, and evaluate/analyze data to provide objective information on cyber risks for IT and business management with both summary and detailed reporting
- Assess risk within subject specialty area to evaluate the design and effectiveness of security controls
- Provide insight and guidance to IT software and hardware upgrades and other projects to ensure production environments meet and exceed minimum security standards and will effectively counter cyber threats
- Partner with external partners, vendors, law enforcement, and intelligence community as applicable to fulfill reporting and information sharing requirements, and collecting information required for comprehensive risk analysis and assessment
- Create new and maintain process and procedural documentation for various risk analysis and risk assessment activities; Highlight industry-based methodologies, techniques or standards (FAIR, NIST, FFIEC, etc.) used as the basis for analysis efforts
- Publish routine, accurate risk analysis and assessment reports as defined by organizational risk policies and procedures to applicable audiences for each subject area discipline
- Participate in other security support projects and duties as needed or requested
- Heightened Standards
- Perform third-party and technology risk assessments
- Analyze, monitor, track, report control design and effectiveness to ensure regulatory and CNB compliance requirements
- Measure CNB's controls to the industry frameworks and regulatory requirements
- Collect, analyze and aggregate risk assessment data to create meaningful, actionable risk information for leadership, including recommendations, findings and observations on gaps and priorities.
- Analyze risk data to determine correlation with threats, vulnerabilities, business processes and apply quantified and qualified risk levels, considering CNB's risk appetite
- Analyze and determine opportunities for IT Risk Management process improvement, including the RSAM configurations and administration, as necessary.
WHAT DO YOU NEED TO SUCCEED
- H.S. Diploma
- Minimum of 3 years' experience in Information/Cyber Security field
- Minimum of 3 years' experience or equivalent training/certification in cyber security operations, incident response, risk analysis or cyber investigations
Skills and Knowledge
- Demonstrated experience analyzing complex cyber security data sets within subject area specialty
- Demonstrated knowledge of cyber security landscape – threats, trends, technologies
- Demonstrated knowledge of financial regulation and control frameworks applicable to cyber security or IT risk
- Excellent communication and interpersonal skills. Including a strong ability to create positive and professional business relationships with internal clients.
- Strong commitment to working as a team and providing excellent customer service.
- Exposure to banking or equivalent highly controlled technology environment is preferred
- Bachelor's degree in business or computer science is highly desired.
- Security certifications (CISSP, GSEC, etc.) are highly desired.
- System administration certifications (CCNA, MCSA, etc.) highly desired
- Formalized training in cyber security analysis or assessment techniques
*To be considered for this position you must meet at least these basic qualifications
The preceding job description has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities, and qualifications required of employees assigned to this job.
INCLUSION AND EQUAL OPPORTUNITY EMPLOYMENT
City National Bank is an equal opportunity employer committed to diversity and inclusion. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status or any other basis protected by law.
ABOUT CITY NATIONAL
We start with a basic premise: Business is personal. Since day one we've always gone further than the competition to help our clients, colleagues and community flourish. City National Bank was founded in 1954 by entrepreneurs for entrepreneurs and that legacy of integrity, community and unparalleled client relationships continues to drive phenomenal growth today. City National is a subsidiary of Royal Bank of Canada, one of North America's leading diversified financial services companies.
Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled
Apply on company website