GRC - Risk Expert

Fireblocks is looking for a risk expert to join the Fireblocks Information Security Governance, Risk and Compliance (GRC) team. As a risk expert you will be responsible for the following activities.

Develop, collect and report metrics and Key Risk Indicators (KRI) which provide effective, proactive identification of cyber security risks.

Perform quantitative and qualitative analysis to support the prioritization of risk mitigation projects, measure progress of technology risk reduction initiatives, and identify areas with high residual risk.

Be responsible for proactively reviewing, analyzing, and identifying emerging risks, escalating to the Fireblocks CISO where appropriate.

Work with the GRC, IT, HR, Security, Legal, Customer Operations, Finance and Engineering teams to adhere to internal governance processes and controls for existing and new risk strategies, and provide recommendations for remediation.

Lead change control efforts to ensure impacts are appropriately assessed, documented, and implemented.

Synthesize data and reporting; perform analysis and bring valuable business insights through evaluation of data in relation to cyber security risk and control management strategies.

Participate in sophisticated projects that involve multiple stakeholders and work in a Cloud / SaaS environment with cutting-edge Cybersecurity technologies and solutions.

Use business knowledge to assist with all aspects of responding to customers’ Information Security Risk Assessment inquiries. Assist with RFIs, RFPs, and risk assessment questionnaires regarding Fireblocks security posture and controls.

Responsibilities:

  • As a GRC risk expert you will identify and mitigate potential risks through the process of identification, management, and mitigation of the risk using a variety of controls. You will serve as a liaison, interfacing with business partners to drive meaningful reductions in risk.
  • You will review the current security policies and procedures to identify process gaps and opportunities for improvement.
  • You will manage a periodic cyber security risk committee and present company-wide security KRIs and mitigation plans. Create presentations, briefings and communications on technology risk issues for a variety of internal and external stakeholders.
  • Develop and implement the components of the security GRC framework for Fireblocks, mapping threats, vulnerabilities, risks, assets, stakeholders, assessments, standards, policies and controls into a holistic lifecycle to achieve "assess and test once, report multiple times".
  • Have primary responsibility for architecting the risk assessment methodologies and systems to ensure all necessary inputs, modules, and reports are implemented to automate to the extent reasonably possible.
  • Perform periodic reviews of required controls, audit, identify weaknesses, and assist with action plans and solutions to identify residual risks and control gaps. Collect and automate (whenever possible) Fireblocks metrics to demonstrate risk reduction and to produce reports for multiple audiences.
  • Build partnerships across the organization (Audit, Legal, Compliance, Information Technology, Business Operations, Risk Management, etc.) to ensure the security GRC program is aligned with business objectives and requirements.
  • Perform security audits, monitor user access, prepare fail-safe measures (backups, DR, BCP), and vet third-party vendors and contractors.

Requirements:

  • 5+ years' demonstrated experience in security GRC, security project management, and other security practices
  • Strong knowledge of risk management policies, methods, standards, processes, governance models, and risk analysis
  • Knowledge of common security frameworks (NIST CSF, ISO 27001, COBIT, FFIEC CAT, etc.)
  • Knowledge of public cloud risks and security, preferably SaaS services and the AWS, Azure and GCP platforms
  • Solid understanding of common security topics (e.g., application security, infrastructure security, vulnerability management, Identity and Access Management, data protection, cyber threat and incident response, cloud security, etc.)
  • Strong analytical skills, oral and written communication skills including documentation of requirements, problem-solving skills, and project/program management skills
  • Working towards, or has achieved, at least one Information Security or Risk Management certification (Security+, CISSP, CCSP, CCSK, CISA, CISM, GSEC, CRISC, etc.)
  • Prior experience implementing and supporting enterprise-wide cyber security risk programs
  • Experience with Governance, Risk Management, and Compliance (GRC) platforms (e.g., RSA Archer, AuditBoard)
  • Strong proactiveness, self-management, multitasking and project management skills

Nice to have:

  • Act as the subject matter expert to develop and maintain an effective FFIEC CAT framework
  • Ensure that the FFIEC CAT requirements are mapped to core regulations such as DFS500
  • Manage and maintain the FFIEC CAT framework to ensure the expected controls are in place and working as they should