About the position
The Senior Cyber and Technology Risk Analyst serves as a member of the Cyber and Technology Risk Management team in our second line of defense. This role participates in the design, implementation, and maturation of our cyber and technology risk management program. The Senior Cyber and Technology Risk Analyst provides subject-matter expertise, guidance, and monitoring of the first-line Cybersecurity and Technology control environment and teams to support effective management of cyber, technology, and data risk within the Credit Union’s risk appetite. This role operates within established risk frameworks and governance structures, with guidance from senior team leaders. Complex or enterprise-level decisions remain subject to leadership review and approval.
Responsibilities
- Contribute to strategic direction and participate in the execution of the roadmap to enhance MACU’s cybersecurity and technology risk management capabilities.
- Help shape priorities, sequencing, and success measures for assigned program areas.
- Actively assist leadership in developing project plans, roadmaps and status reporting for risk assessments, control testing, standards and training documentation, and other risk management activities.
- Develop and implement testing approaches and strategies to assess the design and operating effectiveness of controls.
- Lead the design, execution, and documentation of control tests, process walkthroughs, and risk assessments to evaluate control design and operating effectiveness.
- Intake, triage, analyze, and rate (inherent/residual) cybersecurity and technology risks in collaboration with subject matter experts and risk owners.
- Facilitate alignment and drive completion of risk treatment decisions.
- Coordinate and perform continuous monitoring of risk treatment activities.
- Assess risk and control gaps of IT systems, processes, and procedures.
- Ensure control gaps and other risk issues are documented and reported.
- Review remediation plans and provide feedback to ensure they are sufficient for sustainable remediation.
- Monitor remediation progress, identify blockers, and escalate concerns when risk reduction is not on track.
- Evaluate and provide guidance to first line of defense Cybersecurity and Technology teams related to their standards, processes, controls, and risk exceptions.
- Research, understand, and interpret regulations and frameworks that relate to cybersecurity, technology, privacy, and data.
- Stay aware of changes and educate key stakeholders regarding changes to existing and new regulations and recommended response considerations for MACU.
- Work closely with the risk owners and Legal, Risk Management, and Compliance teams to ensure compliance with applicable laws and regulations.
- Develop and maintain procedures and training related to risk frameworks, standards, and roles and responsibilities for first line Cybersecurity and Technology teams to ensure effective identification of risks, implementation of controls, monitoring of controls, and reporting on the control environment and any corresponding issues or risks.
- Improve adoption by translating expectations into actionable guidance and job aids.
- Actively identify and lead implementation of process improvements and efficiencies.
- Support regular and ad-hoc reporting on findings and metrics, and recommend mitigations to first- and second-line-of-defense leadership. This includes ad-hoc and scheduled meetings with leadership and risk owners.
- Coordinate and oversee third-party independent risk assessments as necessary to improve the IT risk program and control environment.
- Define scope, evaluate outputs, and ensure recommendations are actionable.
- Review and provide guidance and quality control for technology and security related Key Risk Indicators (KRIs).
- Improve KRI definitions, reliability, and thresholds so that KRIs drive decisions and action.
- Lead special projects and perform other duties as assigned.
Requirements
- Bachelor’s degree in Information Security, Computer Science, Information Management, Business or related field or equivalent combination of education and work experience.
- 5+ years of similar or related experience in first- or second-line-of-defense cybersecurity, technology, or data risk management and/or IT audit, or related consulting or professional services.
- Experience in leading the evaluation of security and technology controls against cyber, technology, and privacy regulations, standards and frameworks (e.g., FFIEC, ISO 27001, NIST CSF, NIST AI RMF, COBIT, SOC2, PCI, ITIL, DORA, FAIR, etc.).
- Experience leading the development and documentation of IT processes and controls.
- Advanced understanding of the purpose, application, and integration of enterprise-wide cybersecurity and technology risk concepts.
- Demonstrated ability to analyze technology and security risk solutions, independently scope and execute risk assessments, and assess complex risk scenarios across domains such as vulner