CivicPlus is seeking an Information Security Risk Analyst to play a key role in our growing cybersecurity program. You will be responsible for identifying, assessing, tracking, and communicating information security risks across the organization, managing enterprise and third-party risk, and leading security awareness training.
What You'll Do
- Identify inherent and residual risk and express it in terms of likelihood, impact, treatment plans, and ownership.
- Define and track risk and awareness key metrics to measure program effectiveness and communicate to leadership and governance committees.
- Conduct and manage enterprise information security risk assessments using recognized frameworks and maintain an information security risk register.
- Lead third-party security risk assessments for vendors, partners, and service providers through analysis of assurance documentation and security questionnaires.
- Maintain the information security risk register and third-party vendor risk inventory to track and monitor ongoing risks and approved exceptions.
- Develop and lead enterprise security awareness training, including phishing simulations and targeted role-based training.
- Support internal and external security and compliance assessments through risk evidence and documentation.
- Partner closely with organizational functions and key stakeholders to ensure security risks are understood, prioritized, and treated in alignment with organizational risk appetite.
What We're Looking For
- 4 – 6 years of experience in information security, cybersecurity, risk management, or a related field.
- Working experience managing enterprise and third-party risk assessments, risk registers, and security training programs.
- Working experience supporting compliance audits and certifications, including NIST 800-53, ISO 27001, PCI, and/or SOC 2.
- Security+, GSEC, or equivalent certification.
- Bachelor’s degree in Cybersecurity, Information Security, Information Systems, Risk Management, or a related field.
- Strong understanding of cybersecurity risk management principles, modern security control frameworks, and Cloud/SaaS risk management considerations.
- Ability to translate technical risks into clear business impact for non-technical stakeholders, including metrics reporting and presentation.
- Experience developing risk management and assessment policy and procedure documentation.
- An inquisitive mindset for continuous monitoring and improvement within a mature security program.
Technical Stack
- NIST 800-30
- NIST 800-53
- AWS
- Azure
- GCP
Benefits & Compensation
- Compensation range: $80,200 - $117,100
- Comprehensive health insurance
- Dental insurance
- Vision insurance
- Flexible Time Off
- 401(k) plan
CivicPlus is proud to be an Equal Employment Opportunity employer. We celebrate and support diversity for the benefit of our employees, products, clients, and communities.