Information Security Risk Analyst - Contractor
Information Security Risk & Compliance Analyst
Location: Tempe, AZ or Redwood City, CA
Job Description: This is an exciting time to join Shutterfly’s Information Security team. In this position you will be an integral part of advancing the company’s enterprise Information Security Program and manage, measure, operationalize and communicate a myriad of risk assessments across the organization. The Sr. Risk Analyst will drive information security risk management, compliance, privacy issues, policy evolution and contribute to the overall advancement of Shutterfly's Information Security Governance Risk and Compliance capability.
The experienced analyst will have a foundational level of experience enabling them to understand both information security risks AND business context. This individual contributor will be tasked with communicating across all audience types from line-level employees to executive leaders.
The Information Security Analyst will help to coordinate across the organization, in partnership with senior analysts and other leaders, to understand, categorize and prioritize security risks, applying business context, leading to clear security risk mitigation strategies.
Your primary duties and responsibilities will include:
● Navigate and execute through an evolving Information Security Risk Management program and recommend (and at times, be asked to drive) improvements.
● Ability to assess security risks against industry standards, and regulatory requirements, while maintaining a clear understanding of the Shutterfly business with guidance from the Sr. Risk Analyst and other leadership. Ability to flex between inherent and residual risk is imperative.
● Work closely with Information Security Architecture, Engineering and relevant operational teams to gather data and insights leading to holistic risk security awareness.
● Communicate information security and compliance risks to team leadership, craft risk memorandums for leadership/executive management to ensure proper awareness and decision making.
● Maintain risk management initiatives in a GRC platform such as Archer, Service Now or others.
● Contribute security inputs to the metrics team for periodic reporting and insights.
● Conduct periodic internal assessments for security risk and compliance.
● Provide consultation to business units and technology teams on security best practices and ongoing requirements.
● Partner with Privacy and Legal teams to ensure practices and approaches are complementary to each other's goals and do not cause undue friction for stakeholders.
● Conduct ongoing industry and media research to keep current on the latest security issues, threats and technical capabilities.
Required qualifications and experience:
● General knowledge of information security management system standards (e.g., SOC 2), frameworks, information technology regulatory and compliance requirements (e.g., PCI DSS, GDPR, CCPA, HIPAA, HITRUST), and industry best practices
● 3-5 years of experience within large scale information security risk management programs or information security audit.
● 3-5 years of Information Technology and/or Information Security experience
● Demonstrated knowledge of a broad range of technical concepts: logical access control, agile development process/DevSecOps, secure coding principles, security architecture frameworks and methods, information security, network security, and privacy
● Strong organizational skills with the ability to thrive in a sense-of-urgency environment, leveraging best practices, and approaching any problem as a team player with a can-do attitude
● Strong written and verbal communication skills and ability to interface with all levels of business and executive leadership
● Strong understanding of compliance frameworks such as PCI DSS, SOC 2, HIPAA, HITRUST, ISO 27001/27002, NIST CSF, etc.
● Strong grasp of key elements for a successful Risk Management Program and related frameworks or standards (e.g. NIST, ISO, COBIT)
● CISSP, CISA, CISM, GIAC or equivalent certification, backed by proven experience.
● Bachelor of Science and/or Master’s in CIS/MIS/CS/CE, Engineering/Technology or related field or equivalent experience/training
● Experience with interpreting results of scanning tools such as Qualys or Nessus as it pertains to documenting information security risk(s)
● Information security consulting experience or substantial cross-functional responsibilities.