Cyber Security Risk Analyst
Alcoa · Pittsburgh, PA · 2 wk ago
FinanceFull-time
About the role
The Cyber Security Risk Analyst serves as a key contributor to the cybersecurity risk management program, providing subject matter expertise in identifying, assessing, and managing risks across both Information Technology (IT) and Operational Technology (OT) environments.
Responsibilities
- Contribute to the development, implementation, and continuous improvement of the Cybersecurity Risk Management Program, including frameworks, methodologies, policies, standards, and supporting tools.
- Perform cybersecurity risk assessments across IT, OT, cloud, and third-party environments, including enterprise systems and manufacturing/process control systems (PCS).
- Facilitate risk workshops with technical and business stakeholders to evaluate risks associated with new technologies, projects, and operational changes.
- Serve as a subject matter expert on risk methodology, scoring, and evaluation.
- Maintain and enhance the cybersecurity risk register, including risk scoring, treatment plans, and residual risk tracking.
- Support and guide risk treatment strategies (mitigation, acceptance, transfer, avoidance) and partner with compliance teams to design and implement appropriate controls.
- Translate technical risk findings into clear business and operational impact statements for non-technical audiences and senior leadership.
- Advise leadership on risk exposure, trends, and residual risks, including impacts to business operations and production.
- Define, monitor, and report Key Risk Indicators (KRIs) and emerging threat trends.
- Support audit, regulatory, and compliance activities (e.g., ISO 27001, NIST, SOC) related to cybersecurity risk management.
- Collaborate with Enterprise Risk Management (ERM) and Operations Risk Management teams to ensure alignment and integration of cybersecurity risks into broader risk reporting.
- Build and maintain strong relationships with stakeholders across IT, OT, business units, and risk management functions.
- Continuously monitor evolving cyber threats, emerging technologies, and industry practices to enhance risk management processes and capabilities.
Requirements
- Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, Engineering, Risk Management, or a related discipline; equivalent professional experience may be considered in lieu of a degree.
- 6+ years of experience in cybersecurity, IT risk management, information security, governance, compliance, or IT operations within enterprise environments.
- Demonstrated experience assessing cybersecurity risk across IT and OT environments; experience in manufacturing or industrial organizations preferred.
- Strong knowledge of cybersecurity frameworks and standards (e.g., ISO 27001, NIST CSF, NIST 800-53, CIS Controls, SOX).
- Proven experience executing core GRC activities, including risk assessments, policy and standard development, control validation, audit support, and remediation tracking.
- Expertise in cybersecurity governance, risk assessment, and compliance program implementation.
- Experience using Governance, Risk, and Compliance (GRC) tools and risk reporting dashboards.
- Solid understanding of security principles, including security controls, threat modeling, vulnerability management, and incident risk analysis.
- Excellent written, verbal, and facilitation skills, with the ability to translate complex technical risks into clear business impacts.
- Demonstrated ability to collaborate effectively with cross-functional stakeholders, including technical teams, operations, and senior leadership, while managing multiple priorities in fast-paced environments.
Preferred Qualifications
- Relevant industry certifications such as CISSP, CISM, CRISC, CISA, CGRC, Security+, GRCP, or equivalent.
- Experience with third-party/vendor risk management, regulatory compliance assessments, and security awareness programs.
- Experience supporting global environments and contributing to enterprise-wide security or compliance initiatives.
- Experience supporting audits and assurance activities, including ISO/IEC 27001 certification and SOC report reviews.
- Familiarity with security operations capabilities, including SIEM, log analysis, and event monitoring for compliance and incident response.
- Understanding of enterprise security domains, including cloud security, infrastructure security, and identity and access management (IAM).
- Working knowledge of project management methodologies and practices.
- Experience in metals, mining, manufacturing, or other heavy industrial environments.