Job Information

MTA Senior Cybersecurity Governance, Risk and Compliance Analyst in New York, New York

Senior Cybersecurity Governance, Risk and Compliance Analyst

Job ID: 9999

Business Unit: MTA Headquarters

Location: New York, NY, United States

Regular/Temporary: Regular

Department: IT CISO

Date Posted: Jan 3, 2025

Description

JOB TITLE: Senior Cybersecurity Governance, Risk and Compliance Analyst

SALARY RANGE: $123,053 - $145,243

HAY POINTS: 551

DEPT/DIV: Information Technology / Cybersecurity

SUPERVISOR: Manager, Cybersecurity Governance, Risk, and Compliance

LOCATION: Various / 2 Broadway, New York, NY 10004

HOURS OF WORK: 9:00 am - 5:30 pm (7.5 hours or as required)

This position is eligible for telework, which is currently two days per week. New hires are eligible to apply 30 days after their effective date of hire.

About us:

The MTA transportation network has very large systems and infrastructure for financial, business, automated train, transportation, power, and physical security functions. The MTA IT Department is centrally responsible for providing a full range of Information and Operational Technology services to the MTA agencies and administrative units through its operating and support units. These services are provided on a 24/7/365 basis to support the MTA organization and its ridership.

Summary of Job

This role is responsible for managing and delivering cybersecurity initiatives to reduce, mitigate, and remediate cybersecurity risks that impact both the Information Technology (IT) department and all the MTA agencies. This role assesses and prioritizes information security and cybersecurity risk across the organization, facilitates compliance with regulatory requirements and information security policies, and develops and reports on information security metrics. This role provides critical expertise in managing and analyzing cybersecurity risks, including risk identification, mitigation, and management. The analysis is conducted through technology risk assessments, data analytics tools, and business process reviews. This role collaborates with security engineers, architects, developers, vendors, and business units to continuously reduce the overall security risk to the MTA. This role must have familiarity with cybersecurity risk frameworks and best practices.

Cybersecurity risk and analysis plays a critical role in ensuring that the MTA’s risk-taking entities are aware of the risks inherent in their activities and decisions, understand the impact of their actions on the organization at an enterprise level, and identify opportunities to reduce, mitigate, or avoid the risks altogether.

Responsibilities

  • Analyzes and interprets industry standards, regulations, and best practices to develop risk management tools to identify cyber risk trends, gap analysis, or maturity opportunities.

  • Identifies, analyzes, evaluates, and documents security risks and controls based on established risk criteria.

  • Utilizes risk profiles and dynamic reporting mechanisms to incorporate cybersecurity risk information into the organization’s enterprise risk management program, providing a fully integrated, prioritized, enterprise-wide view of risks needed to drive strategic and business decisions.

  • Collaborates with more experienced colleagues to escalate cyber risk management activities to the C-suite by leveraging the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, and incorporates those activities into the organization’s broader enterprise risk management programs.

  • Identifies ATT&CK techniques (e.g., malware, ransomware, intrusion, etc.) by leveraging Cybersecurity best practices, such as CIS Critical Security Controls.

  • Researches adversary techniques against enterprise IT networks and cloud by leveraging relevant risk identification tools and knowledge bases, such as MITRE ATT&CK.

  • Supports the enhancement of the cyber risk management processes across the MTA by providing thought leadership, oversight, and coordination with other risk management activities across the organization.

  • Monitors the cyber environment for new risks and reviews the effectiveness of risk mitigation strategies, ensuring that the organization adapts to evolving threat landscapes (e.g., maintaining a risk register, performing risk analysis, quantifying top risks and developing risk reports).

  • Analyzes information to proactively identify risks, trends, and process improvements, supporting reporting on risk topics to management and compliance-related collateral.

  • Assists with risk project and program delivery, including project and process management, reporting, engagement in senior leadership meetings, drafting and reviewing materials for senior management and other governance activities.

  • Assists with the evaluation of the effectiveness of the cyber risk program by developing, monitoring, gathering, and analyzing metrics for management.

  • Maintains successful relationships with IT, Cybersecurity, and Enterprise Risk to understand the impact of cyber risk on business processes. Collaborates with Enterprise Risk to ensure all agencies comply with cyber regulations.

  • Participates in risk and other management forums and contributes to continuous improvement of risk and project or program management practices.

  • Provides support for agenda and materials development for division meetings and events.

  • Must be knowledgeable about MTA’s Cybersecurity policies, procedures, and standards, and ensure that cyber risk management practices align with relevant laws, regulations, and industry standards.

  • Researches, recommends, and contributes to information security policies, standards, and procedures. Assists with the lifecycle management of information security policies and supporting documents.

  • Supports workforce security activities including culture, awareness, and training to ensure appropriate awareness of cyber risk requirements across the Enterprise. Assists in audits and assessments to demonstrate compliance with cybersecurity standards.

  • Maintains risk reporting dashboards and recommends/builds enhancements to ensure consistent alignment with risk environment changes and updates.

  • Enforces compliance with IT and cyber risk policies, standards, procedures, and guidelines – including developing communications for the IT Division and partners throughout the business, facilitating information sessions, and developing guidance documents. Ensures that cyber risk management practices align with relevant laws, regulations, and industry standards.

  • Collaborates effectively with colleagues, stakeholders, and leaders across multiple organizations to achieve strategic objectives.

  • Performs other duties and tasks as assigned.

  • Observes the work performed by the contractor.

  • Reviews invoices and approves them if the work meets contractual standards.

  • Addresses performance issues with the contractor when possible.

  • Escalates issues to other parties as needed.

Education and Experience

  • Education: Bachelor’s degree and a minimum of 5 years of relevant experience. An equivalent combination of education and experience may be considered in lieu of a degree.

  • Experience: 5 years

  • Certification(s): Requires at least one certification in the current platform/domain/technical skill. Possible certifications could be, but are not limited to:

Relevant Certifications

  • GIAC Critical Controls Certification (CIS)
  • ISC2 Certified in Cybersecurity
  • GIAC Security Leadership (GSLC)
  • Global Information Assurance Certification (GIAC)
  • Azure Security Engineer Associate
  • Certified Compliance & Ethics Professional (CCEP)
  • Certified Ethical Hacker (CEH)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Privacy Professional (CIPP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • ISO 27001 Lead Auditor
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • Offensive Security Certified Professional (OSCP)
  • CompTIA Security+ Certification
  • Cybersecurity Nexus (CSX) Practitioner
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Security Essentials (GSEC)
  • ISC2 Certified Governance, Risk and Compliance (CGRC)

Technical Skills

  • Adept in cybersecurity best practices, such as CIS Critical Security Controls.

  • Adept in utilizing risk identification tools, such as the MITRE ATT&CK knowledge base.

  • Adept in the NIST Cybersecurity Framework 2.0 and/or other risk frameworks/models.

  • Adept in risk management.

  • Adept in information security policies.

  • Adept in regulatory requirements (e.g., DHS, TSA, FRA, FTA).

  • Adept in analysis and reporting.

  • Adept in adapting to evolving threat landscapes and business changes.

  • Working knowledge of the latest legislative and regulatory changes in the cybersecurity industry.

Behavioral Skills

  • Advanced in establishing and maintaining effective working relationships with employees at all levels within the organization, and with both internal and external customers.

  • Advanced in interpersonal and verbal and written communication skills, with the ability to effectively collaborate with both technical and non-technical peers.

  • Advanced in communicating effectively, both orally and in writing, to interact with team members, customers, management, and support personnel (technical and non-technical).

  • Adept in identifying and analyzing risks and developing effective mitigation strategies.

  • Adept in critical thinking, problem-solving, and decision-making skills.

  • Adept in active listening, attention to detail, customer service, prioritization, and problem-solving skills.

  • Adept in hands-on experience with related tools.

  • Adept in working independently and strategically.

  • Adept in applying technical knowledge and a diverse skillset to understand various technologies, systems, and potential risks.

  • Adept in managing multiple projects simultaneously and prioritizing tasks based on urgency and impact.

  • Adept with working under pressure and meeting deadlines individually and collaboratively. Thinks logically, assesses problems, and is results oriented.

  • Adept in identifying complex business and technology risks and associated vulnerabilities.

Competencies

Core Competency | Proficiency Level | Competency Definition

Collaborates | Advanced | Building partnerships and working collaboratively with others to meet shared objectives

Cultivates Innovation | Adept | Creating new and better ways for the organization to be successful

Customer Focus | Adept | Building strong customer relationships and delivering customer-centric solutions

Communicates Effectively | Advanced | Developing and delivering multi-mode communications that convey a clear understanding of the unique needs of different audiences

Tech Savvy | Adept | Anticipating and adopting innovations in business-building digital and technology applications

Technical Skills | Adept | Specialized knowledge and expertise on tools, programs, domains, platforms, and products used for specific tasks

Values Diversity | Advanced | Recognizing the value that different perspectives and cultures bring to an organization

GENERAL:

  • May need to work outside of normal work hours (i.e., evenings and weekends)

  • Travel may be required to other MTA locations or other external sites

Pursuant to the New York State Public Officers Law and the MTA Code of Ethics, all employees who hold a policymaking position must file an Annual Statement of Financial Disclosure (FDS) with the NYS Commission on Ethics and Lobbying in Government (the “Commission”).

MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.

The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.