Logo
DeWinter Group

Information Security Risk Assessment Sr. Analyst (Contractor)

DeWinter Group, San Jose, CA


Location: San Jose, CA (Hybrid Model Preferred) THIS IS A W2 CONTRACT ENGAGEMENTJob Description: As a Security Risk Assessment Sr. Analyst at BILL, you will support the Information Security Risk Management Program which is part of BILL InfoSec Governance, Risk, and Compliance (GRC) team. This role involves evaluating potential security risks from threats and vulnerabilities within the organization's people, processes and technologies, documenting the identified risks and effectively communicating them and recommendations to stakeholders across the organization. You will collaborate with teams cross-functionally to ensure the organization is well-informed of identified security risks and monitor the steps taken to timely mitigate them. The ideal candidate possesses a strong background in cybersecurity and risk management, with hands-on working knowledge and experience in risk management frameworks such as NIST RMF, FAIR, and OWASP, and is capable of effectively communicating with stakeholders enabling them to make risks in alignment with our security culture and business priorities. Key Responsibilities:Conduct security risk assessments to identify, score and document potential risks from threats and vulnerabilities within the organization's infrastructure and applications.Perform control effectiveness assessment by collaborating with cross-functional teams to understand technical implementations and assess control strengthCommunicate identified security risks and their potential impact to stakeholders, including technical and non-technical audiences.Track and report on the status of risk remediation efforts, ensuring timely resolution and compliance with organizational policies.Maintain security risk register and ensure timely updates of the risk registerContribute to performing risk aggregation and risk analysis to identify top risks and areas of focus/improvement for prioritizationContribute to developing detailed reports and presentations on risk assessments, including identified aggregated top risks, risk treatment progress, trending and escalation.Ensure these reports are understandable to technical and non-technical stakeholders, including senior managementDemonstrate a process-oriented, results-driven approach to security risk engineering, employing effective problem-solving and communication skills to serve as a subject matter expert and trusted advisorActively contributes to the administration, maintenance and process improvements of the GRC risk assessment programPerforms other job duties as required We’d love to chat if you have:Bachelor’s degree in Computer Science, Information Security, or a related field.5+ years of experience in security risk assessment, with strong background in cybersecurity and risk management, with hands-on working knowledge and experience in risk management frameworks such as NIST RMF, FAIR, and OWASPStrong technical knowledge of security controls, including but not limited to access controls, encryption, network security, and vulnerability management.Demonstrated experience working within a GRC framework, with an understanding of regulatory and compliance requirements (e.g., PCI DSS, SOC).Proven ability to work collaboratively with engineering teams to assess and mitigate security risks.Experience with security risk remediation programs, including technical implementation and compliance considerations.Strong analytical and problem-solving skills, with attention to detail and accuracy.Strong collaboration skills, with experience working cross-functionally with IT, Engineering, and other stakeholders.Excellent communication skills, capable of translating technical concepts into actionable insights for both technical and non-technical stakeholders.Experience in identifying process improvements and enhancing operational efficiencies within security programs.Experience with GRC Risk Management tool including tool implementation will be plus Preferred Skills:Experience with security assessment tools and methodologies.Knowledge of cloud security best practices and technologies (e.g., AWS, Azure, GCP).Strong project management skills with the ability to prioritize tasks and manage multiple projects simultaneously.Certifications like PMP, CISSP, or CISM are a plus but not required.DeWinter Group and Maris Consulting  is an equal opportunity employer, and all qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.  We post pay scales which are based on our client pay ranges. DeWinter, Maris, and our clients have the right to modify the requirements of the role which can impact the pay ranges posted.