Job Description:
Hybrid Work Arrangement
- Work location: Remote Tuesdays & Fridays (3 days in office/2 days remote)
Job Description:
- As New York City continues to advance our cybersecurity posture, it is essential that we have analysts dedicated to managing and execution of governance, risk, and compliance functions on behalf of the CISO and senior level executives.
- The Senior Risk Analysts will be responsible for implementing tools and practices to enhance processes related to third-party risk management, risk assessment, and general cyber risk governance.
- The position requires a diverse background in governance, risk, and compliance; analysis; technology implementation; project management; and collaboration with diverse groups of stakeholders to strengthen the security posture of New York City agencies.
- The Senior Risk Analysts will be expected to continue building an effective Citywide Cybersecurity risk program.
- These analysts will be responsible for improving our risk assessment process to make it more user-centric, interviewing and communicating with agencies when performing risk assessments, and driving creation of a third-party vendor register and monitoring process.
- Analysts will review and analyze technologies for inventorying third parties, collaborate with SMEs to collect third party intelligence and define actions based on it, and design steps for reviewing existing third parties in our portfolio.
- Delays in onboarding practitioners with expertise in these areas will leave unaddressed gaps in our risk governance framework.
- As NYC’s reliance on third party vendors continues to grow it is imperative for the City to have a vendor management practice, which does not only review vendors at the front end of the procurement process but actively manages risk throughout the vendor lifecycle.
- According to the 2025 Verizon Data Breach Investigations Report, 30% of breaches were linked to third party involvement (twice as many as in 2024).
- Maintaining our status quo can open up the City and agencies to lawsuits or audit findings (e.g. IRS, City Comptroller).
- If the City sustains a substantial cyber incident that results in loss of life or significant financial losses, it is not uncommon for individuals and organizations that are negatively impacted to file lawsuits against organizations that are responsible for defending/protecting critical information and critical services.
- The City would not be able to defend itself as having exercised due diligence in the protection of data and services without the existence of and proper functioning of a mature cyber risk program.
- Not having a user-centric risk assessment process drains resources from City agencies and the Audit & Compliance team due to questions being misunderstood.
- This also causes inaccuracies in submitted information, which leads to risk being misevaluated and mismanaged.
.MANDATORY SKILLS/EXPERIENCE
A minimum of 4 years of experience in risk management or cybersecurity risk assessment or 4 years of experience evaluating and managing third parties in a cybersecurity team.
DESIRABLE SKILLS/EXPERIENCE:
- BS/BA degree in Cybersecurity, Risk Management, Information Systems, Computer Science, or a related field.
- One or more of the following certifications are a plus:
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Security Manager (CISM)
- CompTIA Security+
- CompTIA Network+
- CompTIA A+
- CompTIA CySA+
- Cisco Certified Network Associate - CCNA
- CEH: Certified Ethical Hacker
- GIAC Information Security Fundamentals (GISF)
- GIAC Security Essentials (GSEC)
- (ISC)2 Systems Security Certified Practitioner (SSCP)
- Ability to work effectively in a team environment.
- Being highly organized, motivated and a self-directed professional.
- Knowledge of hardware, software, data, and network principles and systems related to Private and/or Public Sectors services.
- Understanding of commonly used computer operating systems, databases, network structures.
- Familiarity with cybersecurity framework(s) (NIST, SANS, PCI, ISO 27001/27002, or CIS)
- Investigative and analytical skills.
- Excellent oral and written communication skills;
- Knowledge of the current and evolving cyber threat landscape;
- Knowledge of laws, regulations, policies, and ethics related to cybersecurity and information privacy;
We are an equal opportunity employer. All aspects of employment including the decision to hire, promote, discipline, or discharge, will be based on merit, competence, performance, and business needs. We do not discriminate on the basis of race, color, religion, marital status, age, national origin, ancestry, physical or mental disability, medical condition, pregnancy, genetic information, gender, sexual orientation, gender identity or expression, national origin, citizenship/ immigration status, veteran status, or any other status protected under federal, state, or local law.