Senior Analyst, Cybersecurity Risk and Compliance

American Fork, Utah


Domo

With Domo, you can use data and insights delivered in data experiences to multiply your business impact and drive your business forward.


We are Domosapiens: uniquely skilled, passionate data lovers anchored in a culture of connectivity. We are transforming the way business is managed by putting real-time data into the hands of every decision maker across organizations. Diversity is valued here because homogenized teams create echo chambers, and nobody benefits from that. The insight garnered from diverse backgrounds, perspectives and lived experiences results in pioneering innovations across the organization and better experiences for our customers. The more diverse our talent, the more impactful the Domosphere becomes.

Position Summary

The Senior Analyst, Cybersecurity Risk and Compliance is a key member of Domo’s Information Security, Risk and Compliance team responsible for evaluating and supporting initiatives covering information security, policy, risk management, data classification, vendor management, privacy, audit, and awareness. This position assists other members of the Information Security and Compliance team with identifying and assessing potential information security risks, recommending mitigations and helping the risk owners drive the implementation of mitigations to reduce the risk to an acceptable level. In addition, this position assists with performing security assessments and monitoring and tracking compliance status; developing and improving processes, procedures, standards and guidance; providing guidance on security control implementation; and defining and implementing process improvement and maturity initiatives. The position will also be responsible for assisting in developing policies and procedures and evaluating risks and controls to support the company’s Federal Information Security Management Act (FISMA) Security Accreditation (FedRAMP), ISO 27001, ISO 27018, SOC 1, SOC 2, HIPAA, HITRUST and other regulatory and compliance initiatives. Success in this role requires a good understanding of information security best practices, strong security knowledge, ability to understand and communicate risk and controls, organization, planning, good communication and writing skills.

Key Responsibilities

  • Lead the risk-based approach to help develop security strategy and lead and execute various risk-driven tasks based on those strategies;
  • Perform and/or facilitate information security risk assessments, report on findings and recommend mitigations;
  • Lead the program to effectively and efficiently analyze security risks using real-world security data and systems automation;
  • Lead and analyze the security of new or existing applications, product features, software, or specialized utility programs and provide risk recommendations;
  • Manage remediation of identified risks and vulnerabilities; identify those within the organization responsible for remediation tasks and negotiate dates for remediation to be complete;
  • Manage the tracking progress on remediation of identified risks and vulnerabilities and provide appropriate reporting to all constituents;
  • Support our Sec Ops, Sec Engineering, and Compliance teams to develop risk/vulnerability assessment programs to aid in the identification and mitigation of security risks and document specific security issues, propose resolution options, and interpret matters from the perspective of involved stakeholders;
  • Gather relevant information from internal and external assessments and/or audits of information technology systems and processes, interpret results, and develop and communicate recommendations to management;
  • Develop, build and maintain the controls matrix, in alignment with multiple compliance frameworks, including SOC 1 & SOC 2, ISO 27001, ISO 27018, FedRAMP, HITRUST, and HIPAA;
  • Lead the establishment of rules for risk analyses and security assessments, including addressing the controls defined by FIPS 199, NIST SP800-37, NIST SP800-53 and NIST SP800-171 for both business operations and technical implementations throughout the company.

Job Requirements

  • Bachelor's degree in Computer Science, Information Technology or a related field, or equivalent job experience;
  • Minimum of 5 years' experience in security risk management, compliance, audit, and information security;
  • CISSP, CISM, CISA, CCSA or equivalent certification preferred;
  • Familiarity with enterprise-level compliance tools such as ServiceNow, Archer, IBM GRC or other industry equivalent software;
  • Knowledge and experience in FedRAMP, NIST SP 800-53 Rev 4, NIST SP 800-37, FISMA, NIST RMF, NIST FIPS 199, ISO 27001, ISO 27018, SSAE 18, HIPAA and HITRUST;
  • Experience in cloud-based environments for production applications, including Amazon Web Services, Microsoft Azure, GCP or other large scale cloud deployment;
  • Understanding of risks and controls as they pertain to firewalls, IDS/IPS systems, malware controls, URL filtering tools, anti-spam systems, BYOD controls, DLP, VPN, web application firewalls, endpoint security controls, OS hardening, multi-factor authentication, encryption key management, mobile device management, wireless security, full disk encryption, database security controls, containers, and network segmentation;
  • Good advisory skills; able to get acknowledgement and commitment on assessment results and proposed mitigations across stakeholders with different interests;
  • Strong analytical skills;
  • Relationship builder; able to create and maintain a trusted network on all levels;
  • Good communication, influencing and negotiating skills.

Domo is an equal opportunity employer.


Region: North America
Country: United States