Sr. Security Governance Risk & Compliance (GRC) Professional
Arlington VA
12 Months Contract
Hybrid Job: 3 Days onsite at Arlington VA office.
GCs and Citizens -
Essential Duties and Responsibilities:
Perform control/risk assessments by leveraging a deep understanding of the organization's technology stack, including cloud platforms, infrastructure components, DevOps pipelines, and application architectures, to define scope, control procedures, policies, and testing criteria.
Conduct cyber risk evaluations using recognized frameworks (NIST RMF/CSF/800-171 and PCI) while aligning control expectations to the technical design of systems, services, data flows, and authentication models.
Assess likelihood vs. impact for risks identified through vulnerability data, engineering feedback, internal assessments, operational telemetry, and threat intelligence feeds.
Translate complex technical issues such as cloud misconfigurations, exposed APIs, IAM weaknesses, system design flaws, and network segmentation gaps into clear and actionable risk statements that outline threat vectors, attack paths, and potential business impacts.
Perform quantitative and qualitative risk analysis using scenario modeling, loss event frequency analysis, and control effectiveness scoring informed by threat behaviors and system architecture.
Conduct ongoing threat analysis by evaluating adversary tactics (MITRE ATT&CK), exploitability of technology-stack components, vulnerability chaining paths, and systemic architectural risks.
Evaluate how threats and risks affect business operations, financial exposure, regulatory posture, and service availability by connecting technical failures to operational dependencies.
Facilitate risk workshops with business leaders and engineering teams to ensure consistent risk scoring and prioritization grounded in realistic threat scenarios and technical context.
Maintain and enhance the enterprise risk register with detailed technical context, including system dependencies, technology-layer impacts, exploit conditions, and risk scoring rationale.
Support development of risk appetite thresholds, KRIs, and measurement models that reflect real-world threat activity, platform maturity, and evolving attacker capabilities.
Review and validate risk remediation plans for technical accuracy, feasibility within the system architecture, and expected reduction of identified threat vectors.
Partner with engineering and security teams to understand technical assessments such as pen tests, red team operations, secure code reviews, cloud posture reviews, and vulnerability scans, and convert findings into structured risk evaluations.
Contribute to policy, standard, and governance framework improvements by integrating insights about system architecture, cloud controls, data protection mechanisms, and threat-informed defense requirements.
Support internal and external audits by interpreting technical security requirements, collecting evidence from systems and platforms, and mapping controls to risks observed in the technology stack.
Track emerging threats, vulnerabilities, and attacker tradecraft, analyzing their relevance to the environment's architecture, and advise leadership on potential risk and required mitigation strategies.
Support internal and external audits by interpreting requirements, gathering evidence, and mapping controls to risks.
Track emerging threats and regulatory expectations, advising leadership on potential risk impacts.
Formal Education Required:
Bachelor's in Computer Science, Management Information Systems, Information Security, or a related field.
Experience and Certifications Required:
10 years of experience in risk management and compliance, IT operations, or security engineering, with 5 years of experience in performing security control assessments, IT governance, and contract management.
10 years of experience in Information Security with strong technical knowledge of cybersecurity technologies.
5 years of experience in an audit and risk assessment environment.
10 years of experience in a variety of technology disciplines, including software development, systems engineering, systems integration, and technology evaluation.
Highly proficient in information security controls and frameworks such as NIST CSF, HIPAA, NIST SP 800-53, NIST 800-171, NERC CIP, PCI, ISO 27001/27002, ISO 27005, and the Center for Internet Security (CIS) 20 Critical Security Controls.
Experience with public cloud service providers (AWS & Azure), specifically the types of industry-standard controls and best practices for configuring and managing these services.
Experience in managing GRC software, including ServiceNow's GRC modules.
Preferred Certifications: Information Systems Security Professional (CISSP), Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), Global Information Assurance Certification (GIAC) Security Expert.