Location: Up to 5 days onsite (subject to the hiring manager's discretion)
Public Sector Experience: Nice to Have
Must Haves:
8 years' experience
Expertise in identifying, evaluating and prioritizing threats and vulnerabilities across physical, cyber and operational domains.
Strong analytical skills to assess the potential impact and likelihood of various threat scenarios.
Familiarity with legal, regulatory and compliance requirements, ensuring assessments align with organizational and industry standards (e.g. PHIPA, the Personal Health Information Protection Act).
Proactive mindset and situational awareness to anticipate and adapt to emerging threats in a dynamic risk environment.
In-depth knowledge of risk management frameworks (e.g. ISO 31000, NIST RMF (Risk Management Framework)) and threat modelling methodologies (e.g. STRIDE, DREAD).
Proficiency with risk assessment matrices.
Excellent communication and reporting abilities to present findings and risk mitigation strategies effectively to both technical teams and executive stakeholders.
Description
This engagement involves participating in the end-to-end execution of a Threat Risk Assessment (TRA) to evaluate the security posture of the organization's information systems, applications, infrastructure and business processes. The objective is to identify potential threats, assess vulnerabilities, and determine the likelihood and impact of the various risk scenarios affecting confidentiality, integrity and availability.
Key activities include:
Scoping the assessment in collaboration with business and technical stakeholders.
Conducting structured risk analysis using recognized frameworks such as ISO 31000, NIST RMF or FAIR.
Performing threat modeling (e.g. STRIDE, MITRE ATT&CK) to map potential attack vectors and security gaps.
Reviewing system architecture, data flows and existing controls.
Assessing compliance with relevant regulatory and organizational security requirements.
Documenting findings in a detailed TRA report, including risk ratings and actionable mitigation recommendations.
Presenting results to executive leadership and supporting integration of risk treatments into the broader security strategy.
Desired Skills:
Demonstrated expertise in enterprise risk analysis, with a solid background in applying risk management frameworks such as ISO 31000, FAIR (Factor Analysis of Information Risk) and NIST RMF to identify, evaluate and prioritize organizational security risks.
Hands-on experience conducting structured threat analysis using methodologies such as STRIDE, PASTA (Process for Attack Simulation and Threat Analysis) and MITRE ATT&CK. Familiarity with creating threat models, mapping attack surfaces and visualizing system flows to uncover security weaknesses.
Strong command of cybersecurity governance practices, including the development and enforcement of information security policies and standards. Practical understanding of how to align internal controls with recognized frameworks such as ISO 27001, NIST CSF and the CIS Critical Security Controls.
Proven ability to translate technical risk findings into clear business language, producing high-quality documentation such as executive summaries, detailed risk reports and stakeholder presentations. Skilled in managing communication between technical teams and leadership to drive informed decision-making.
Required Skills:
Risk Management & Assessment: 5-7 years
Proven experience in conducting threat risk assessments using frameworks such as ISO 31000, NIST RMF or FAIR.
Threat Modeling: 3-5 years
Practical knowledge of threat modeling techniques (e.g. STRIDE, PASTA, MITRE ATT&CK), including the development of data flow diagrams and identification of attack vectors.
Information Security Governance: 5 years
Strong understanding of security policies, standards and controls aligned with ISO 27001, NIST CSF and the CIS Controls.
Communication & Reporting: 5 years
Skilled in writing technical and executive-level reports and risk registers, and in presenting to stakeholders and leadership.
Rated Criteria: 100 Points
1. Threat Modeling - 5-7 years of hands-on experience with threat modeling techniques such as STRIDE, PASTA and MITRE ATT&CK, including the development of data flow diagrams and the identification of attack vectors to inform secure design decisions and guide risk mitigation strategies across systems and applications. 20 Points
2. TRA Report - 5-7 years of experience conducting comprehensive threat and risk assessments using frameworks such as ISO 31000, NIST RMF and FAIR, with a strong focus on identifying vulnerabilities, analyzing potential impacts and delivering actionable risk mitigation strategies to stakeholders. 20 Points
3. Gap Analysis - 5-7 years of extensive experience with security controls and architecture, with a strong ability to identify gaps between the current security posture and industry standards, best practices and regulatory requirements. 20 Points
4. Team Player - Demonstrates strong collaboration skills by working effectively with colleagues across functions, openly sharing information, supporting others to achieve shared goals, and contributing to a positive, respectful team environment. 30 Points
5. Deck - Over 5 years of experience authoring technical and executive-level reports, developing risk registers, and delivering presentations to stakeholders and senior leadership. 10 Points
Deliverables
TRA (Threat Risk Assessment) Report:
A comprehensive document outlining identified threats, vulnerabilities and risks, and the proposed mitigation strategies, tailored to the organization's context.
Risk Register:
A structured log of all identified risks, including severity, likelihood, risk rating, responsible owners and mitigation actions.
Threat Modeling Diagrams:
Visual representations of systems, data flows and potential threat vectors, using models such as STRIDE or attack trees.
Risk Assessment Matrix:
A visual tool mapping the likelihood and impact of risks in order to prioritize them effectively.
Asset Inventory & Classification:
A list of assets in scope (e.g. systems, applications, data), categorized by value and sensitivity.
Vulnerability Assessment Results:
A summary of technical vulnerabilities discovered during the assessment, often with outputs from tools such as Nessus or OpenVAS.
Gap Analysis:
Identification of discrepancies between the current security posture and industry standards, best practices or regulatory requirements.
Mitigation & Remediation Plan:
Detailed action plans with timelines and responsibilities for reducing identified risks to acceptable levels.
Executive Summary:
A high-level summary tailored for senior leadership, focusing on key findings, business impact and strategic recommendations.
Compliance Mapping:
Documentation showing how risks and controls align with regulatory or standards frameworks (e.g. NIST, ISO 27001, SOC 2).
Presentation Deck:
Slide-based briefing to communicate findings, risks and recommendations to stakeholders in a clear and digestible format.
Responsibilities:
Lead end-to-end Threat Risk Assessment (TRA) initiatives across systems, processes and assets.
Develop and apply threat models to assess organizational security posture.
Collaborate with stakeholders to align assessments with business objectives and risk tolerance.
Analyze vulnerabilities and assess threats to determine likelihood and potential impact.
Produce detailed TRA reports documenting findings, recommendations and risk ratings.
Maintain risk registers and track remediation efforts.
Propose actionable mitigation strategies based on assessment outcomes.
Ensure alignment with:
Regulatory requirements
Industry standards
Organizational security policies
Communicate findings effectively to both technical teams and executive leadership.
Support audit and compliance activities as needed.
Contribute to the continuous improvement of risk management frameworks and methodologies.
Stay informed on emerging threats, vulnerabilities and security best practices.
Assignment: RQ00583 - Security Specialist - Senior
Requisition: RQ00583
Job Title: Security Specialist - Senior
Client: Ontario Health
Start Date:
End Date:
Department: Digital Excellence in Health
Office Location: 525 University Avenue, Toronto
Business Days: 260.00