Senior Cyber Risk Analyst

The Senior Cybersecurity Risk Analyst is responsible for conducting comprehensive risk assessments for security exceptions, which represent deviations from established information security standard requirements. This role performs deep-dive evaluations of key risk data points, analyzes factors contributing to likelihood and impact, and determines inherent risk exposure. The analyst will also assess the effectiveness of existing and proposed controls, ensuring that risk decisions are well-informed, evidence-based, and consistently documented.

The ideal candidate is a seasoned cybersecurity professional with broad domain knowledge, strong analytical skills, and the ability to communicate effectively with senior leaders across technical and business functions.

Remote eligible.

• Risk Assessment of Security Exceptions: Conduct end-to-end risk assessments for exceptions to information security standards, including detailed analysis of key risk data points, threat scenarios, and compensating controls. Evaluate likelihood and impact factors using defined methodologies to determine inherent risk ratings. Document assessment results clearly and comprehensively, including rationale, evidence, and recommended risk treatments. Ensure consistency and repeatability in risk scoring across the security exceptions portfolio.

• Control Effectiveness & Validation: Perform control effectiveness assessments on security controls leveraged within risk assessments. Review supporting documentation, evidence, and control designs to ensure applicability to standard exceptions.

• Evidence Collection & Analytical Review: Gather and analyze technical and procedural evidence from system owners, SMEs, and business units. Review architecture diagrams, vulnerability reports, IAM configurations, network flows, and other technical artifacts to inform risk decisions. Maintain high-quality documentation that is audit-ready and aligned with regulatory expectations.

• Stakeholder Engagement: Facilitate conversations with senior leaders, system owners, architects, SMEs, and risk teams to ensure clarity of risk posture and decision-making. Present complex cybersecurity concepts in a clear, concise manner appropriate for both technical and non-technical audiences. Provide subject matter expertise on security exceptions governance, risk methodology, and best practices.

• Governance & Continuous Improvement: Contribute to the enhancement of risk assessment methodologies and operations. Support audit and regulatory inquiries by providing well-structured documentation and risk analysis rationale. Identify opportunities for process and control improvements across the cybersecurity risk and exceptions lifecycle.

Bachelor's Degree and 4 years of experience in Risk management, or financial analysis, or statistical modeling OR High School Diploma or GED and 8 years of experience in Risk management, or financial analysis, or statistical modeling

Required Qualifications:

• 8+ years of experience in cybersecurity risk management, cybersecurity operations, governance, or related fields.
• Strong understanding of cybersecurity domains including Threat and Vulnerability Management, Identity & Access Management, Network Security & Architecture, Endpoint Security, Data Protection, and Encryption.
• Demonstrated experience performing complex risk assessments, control evaluations, and evidence-based risk analysis.
• Ability to interpret security standards and applicable regulations and frameworks.
• Proven ability to communicate and influence effectively at all organizational levels, including senior leadership.
• Strong analytical, critical thinking, and problem-solving skills.
• Exceptional written communication skills and attention to detail.

Core Competencies:

• Risk-Based Decision Making: Applies structured analysis to determine risk severity and justify recommendations.
• Technical Aptitude: Understands complex systems, architectures, and security controls.
• Influencing Skills: Guides stakeholders toward informed risk decisions while maintaining strong relationships.
• Judgment & Accountability: Exercises sound judgment in ambiguous or evolving situations.
• Quality & Rigor: Produces audit-ready documentation with precision and clarity.
• Collaboration: Works effectively across cybersecurity, technology, and business teams.

Preferred Qualifications:

• Professional certifications such as CISSP, CISM, CRISC, or equivalent.
• Experience working with security exception processes, GRC tools, or enterprise risk frameworks.
• Prior experience in financial services, heavily regulated industries, or environments with strong audit expectations.
  Familiarity with CVSS scoring, threat modeling methodologies, and likelihood/impact modeling.

The base pay for this position is generally between $98,000 and $150,000. Actual starting base pay will be determined based on skills, experience, location, and other non-discriminatory factors permitted by law. For some roles, total compensation may also include variable incentives, bonuses, benefits, and/or other awards as outlined in the offer of employment.

This job posting is expected to remain active for 45 days from the initial posting date listed above. If it is necessary to extend this deadline, the posting will remain active as appropriate. Job postings may come down early due to business need or a high volume of applicants

Benefits are an integral part of total rewards and First Citizens Bank is committed to providing a competitive, thoughtfully designed and quality benefits program to meet the needs of our associates. More information can be found at https://jobs.firstcitizens.com/benefits.