Senior Information Security Risk Analyst

Job Title
Senior Information Security Risk Analyst
Job ID
27405776
Location
New York,  NY 10017
Description

Senior Information Security Risk Analyst

WHO WE ARE

Cloud9 Technologies is a voice communication and analytics platform for institutional traders. We leverage cloud services including AWS, a wide array of web services, WebRTC, and advanced deep learning techniques to give firms the benefit of modern communication tools and to enhance trader workflow with actionable voice data and analytics.

Our company was started in 2014 by a team of motivated entrepreneurs and highly successful industry veterans who have started several businesses and taken multiple companies through public offerings. We are well funded, with investors including J.P. Morgan, Barclays, NEX, and Point72 Asset Management. Cloud9 has been profiled in publications such as the Wall Street Journal, Forbes, and Waters Technology. Our award-winning technology was named the 2017 Best Sell-Side Trading Communication System by Waters Technology for the second year in a row, recognized among the Top 10 innovative solutions of the year by the Futures and Options Industry Association, and named to the CB Insights Fintech 250 and the FinTech Global RegTech 100.

By bringing together an experienced group of engineers, product managers, and industry experts, Cloud9 developed a communications platform for the trading floor of the future – offering more functionality and analytic insight than legacy hardware at a fraction of the cost.  We’re a group of pioneers who enjoy solving challenges and building disruptive technology – and we’re looking to hire the best and brightest.

Join our team to contribute to the development of the most secure, compliant, and reliable communications platform in the financial services industry.


WHAT YOU WILL DO

In order to comply with organizational policies, client contractual obligations, and regulatory mandates related to information security and privacy, Cloud9's Information Security and Compliance department is implementing a new Information Security Program and Risk Management framework based on well-known information security standards and frameworks such as ISO and NIST. The framework includes requirements for regularly assessing information risk and for facilitating remediation of identified vulnerabilities within the organization's network, systems, and applications.

The Cloud9 Information Security and Compliance department requires a dedicated resource to perform regular risk and vulnerability assessments using various IT security tools and methodologies, and to report on findings and recommendations for corrective action.

As a Senior Information Security Risk Analyst, this resource will be responsible for assessing information risks, identifying opportunities to reduce risk, and facilitating remediation of identified vulnerabilities within the organization's network, systems, and applications. The role performs regular risk and vulnerability assessments using various IT security tools and methodologies, and reports on findings and recommendations for corrective action. It identifies opportunities to reduce risk and documents remediation options regarding acceptance or mitigation of risk scenarios; facilitates and monitors the performance of risk remediation tasks and changes related to risk mitigation, and reports on findings; maintains oversight of IT and vendors regarding the security maintenance of their systems and applications; provides regular status reports, including metrics and outstanding issues; and assists in all internal and external audits and regulatory examinations.


RESPONSIBILITIES

  • Provide oversight and governance of the organization's Information Security/Cyber Security Program and communicate progress and issues to senior management.
  • Initiate and develop innovative concepts to solve complex challenges with little or no precedent; create new opportunities to enable the use of new solutions. Serve as a consultant to disseminate specialist information security knowledge and provide conceptual guidance to other senior and high-level technical experts.
  • Develop and implement an effective Threat and Vulnerability Management program.
  • Research and investigate new and emerging vulnerabilities, including zero-day events, and participate in external security communities.
  • Develop an externally focused view of the evolving threats facing the organization.
  • Promote awareness of applicable regulatory standards, upstream risks, and industry best practices across the organization.
  • Integrate and manage feeds from application security tools, vulnerability scans, and penetration testing tools into the organization's GRC platform.
  • Assist in all internal and external audits and regulatory examinations.
  • Assist in developing and implementing policies, procedures, and standards that satisfy existing and newly developed regulatory mandates, including privacy regulations such as GDPR and CCPA.
  • Serve as project manager/lead on IT security projects.
  • Examine systems and procedures to identify potential adverse events, including but not limited to hardware and software crashes, physical disasters, malicious intruders, malware, denial-of-service attacks, and employee misconduct.
  • Identify risks that might occur.
  • Stay knowledgeable of current advances in all areas of information technology concerning vulnerabilities, security breaches, and malicious attacks.
  • Continuously evaluate communication security, data vulnerability, business continuity, and compliance risks.
  • Identify vulnerabilities or weaknesses in systems.
  • Examine employee compliance with security controls and identify deficiencies.
  • Evaluate security policy, processes, and procedures for completeness.
  • Ensure that controls are adequate to protect sensitive information systems.
  • Report to management on IT system vulnerabilities and on protection against malware and hackers.
  • Clearly document and define risks and potential impacts, along with the statistical probability of such an event, and identify the systems affected by the defined risk.
  • Provide mitigation/damage reduction proposals with cost justification.
  • Assist in identifying breaches of the organization's security or tracking the source of an unauthorized intrusion.
  • Identify defensive steps to take, including necessary firewalls, security software, and data encryption.
  • Recommend infrastructure and application patching and remediation.
  • Recommend improvements in network security, identity management, and logging.
  • Monitor and advise on information security issues related to the systems to ensure that security controls are appropriate and operating as intended.
  • Conduct organization-wide data classification assessments and security audits, and manage remediation plans.
  • Create, manage, and maintain user security awareness.
  • Develop and maintain security operating procedures and associated documentation.
  • Identify inefficiencies and make suggestions for process improvements.
  • Update job knowledge by tracking and understanding emerging security practices and standards; participating in educational opportunities; reading professional publications; maintaining personal networks; and participating in professional organizations.
  • Enhance department and organization reputation by accepting ownership for accomplishing new and different requests and exploring opportunities to add value to job accomplishments.
  • Perform semi-annual user access and entitlement reviews.
  • Perform quarterly reviews and recertifications of privileged accounts.
  • Manage the enterprise asset management initiative.


THE RIGHT BACKGROUND

  • Proven experience in project- and program-related communication and tasks, managing multiple projects and tasks at once, and staying productive while balancing a task list that can vary from highly interactive to very little interaction.
  • Ability to work efficiently, making sound decisions while meeting time-sensitive deadlines.
  • Superior organizational and time management skills.
  • Self-motivated and able to prioritize tasks based on business requirements.
  • Strong analytical and problem-solving skills.
  • Strong leadership and team-building skills.
  • Self-motivated and detail-oriented.
  • Creative thinking and troubleshooting.
  • Excellent communication (oral and written), interpersonal, organizational, presentation, and listening skills.
  • Strong deductive reasoning, critical thinking, problem-solving, and prioritization skills.
  • Ability to work in a fast-paced, support team environment.
  • Ability to follow detailed process and procedure documentation.
  • Ability to present complex solutions and methods to a general audience.
  • Strong team player who collaborates well with others to solve problems.
  • 10+ years of progressive experience in Information Security with a proven ability to engage with senior management and regulators.
  • 7+ years working in IT Risk Management.
  • Knowledge of technical infrastructure, networks, databases, and systems in relation to IT security and IT risk.
  • Preferred: Knowledge of well-known standards and frameworks (e.g. ISO 27002, NIST Cybersecurity Framework, COBIT, COSO) and of rules and regulations related to information/cybersecurity (e.g. SOX, DFS, FRB, FFIEC).
  • Preferred: 7+ years' experience conducting IT compliance assessments (e.g. SOX, DFS, FFIEC, ISO).
  • Preferred: 7+ years' experience administering IT security controls in an organization.
  • Preferred: 7+ years' experience performing security reviews and risk assessments.
  • Solid understanding of networking concepts.
  • Solid understanding of operating system security concepts.
  • Understanding of malware, emerging threats, attacks, and vulnerability management.
  • Experience assisting in the development and maintenance of tools, procedures, and documentation.
  • Prior experience working within a financial services organization preferred.

Education

  • Required: Bachelor's Degree from a four-year college or university in Engineering, Business Administration, Computer Science, Management Information Systems, or Information Security.
  • Required: CISSP, CISA, CRISC
  • Optional: CSSLP, CISM, CEH