Cyber Security Analyst
Work on an initiative directed toward the development and optimization of an enterprise-wide cyber risk management program. Organize the processes, technologies, and capabilities that enable the analysis, measurement, management, and communication of enterprise-wide cyber risks.
The main responsibilities of the candidate will be to manage and perform the cybersecurity supply chain processes as required by NEE and defined in NEE-PRO-1420 – Cybersecurity Requirements for the Procurement of Data Systems, Products, or Services. The primary function of the Policy is to ensure that cyber supply chain risk is managed throughout the supplier’s lifecycle.
The candidate must enforce the processes necessary to administer, execute, and manage the requirements defined in NEE Policies. These services will require collaboration with the designated NEE liaison, NEE stakeholders, and suppliers involved in the supply chain risk management process, including:
- Enterprise Security Architecture;
- Vendor Relationship Management;
- Integrated Supply Chain;
- Legal; and
- Privacy Committee
The scope of work, as defined by NEE, is categorized into:
- Cybersecurity Supply Chain Program Management activities (tracking, assignment, metrics, escalation, approvals, risk evaluation and acceptance)
- Cybersecurity Supply Chain risk assessment activities (performing security assessments of third parties and developing reports)
Cybersecurity Supply Chain Program Management Activities
- Manage the cybersecurity supply chain risk assessment intake process. Requests for risk assessments will be received from the cybersecurity general mailbox, SharePoint, and NEE liaison.
- Assign cybersecurity supply chain risk assessments to the third-party teams to perform the risk assessment.
- Document all cybersecurity supply chain risk assessment processes in SharePoint.
- Report cybersecurity supply chain risk assessment throughput and metrics to the NEE liaison on a bi-weekly or weekly basis.
- Follow up on the implementation of mitigating controls committed to by business units in the cybersecurity supply chain risk management reports, and report status to the NEE liaison monthly for follow-up.
- Escalate all unresolved issues encountered in the supply chain risk assessment process to management in a timely manner.
- Work on the redesign of any cybersecurity supply chain risk management processes.
- Work on configuration and implementation of the new SIG questionnaire template.
- Work with teammates to complete the configuration and implementation of the RSAM GRC tool.
Cybersecurity Supply Chain Risk Management Activities
- Work with Integrated Supply Chain (ISC) representatives to facilitate the documentation needed to complete the cybersecurity supply chain risk assessment, as determined by the answers to the Cyber Security Procurement Checklist and the risk rating of the supplier. This documentation may include the SIG questionnaire, SPSS, independent attestations, and other supporting documentation such as policies and procedures, vulnerability assessment testing results, etc.
- Perform the risk assessment by reviewing the provided documentation and following up with the representative ISC agent for missing and/or incomplete documentation.
- Document the results of the cybersecurity supply chain risk assessment in the report template.
- Participate in resolving any post-issuance report issues with the NEE business unit representative.
- Perform repeat cybersecurity risk assessments during the same year as requested.
- Bachelor's degree in Cyber Security, Computer Science, or a comparable field
- 5+ years of experience in cyber security, cyber security audits, or cyber risk management
- CISSP, GSEC, CEH, CISM, CISA or other industry-relevant cyber-security certifications
- Ability to work with complex scenarios and translate them into simple terms for non-technical audiences (legal, business leaders, Privacy Committee, etc.)
- Understanding of security operations concepts, vulnerability management and incident remediation within a complex organization
- Understanding of the security threat environment relative to computer network architectures, designs, topologies, applications, databases, email systems, remote access, and operating system platforms
- Understanding of firewalls, routers, switches, messaging systems, various commonly used operating systems (Windows, Linux, UNIX), common attack tools, and vulnerability detection/management tools
- Demonstrated experience in project planning and execution, and in change planning and management
- Demonstrated knowledge of recognized security industry standards and leading practices (e.g., NIST, ES-C2M2, ISO)
- Demonstrated understanding of technological trends and developments in the areas of cyber security, risk management, web architectures, and cloud computing
- Skill in presenting to groups of all technical, managerial and executive levels
- Skill in developing requests for information (RFIs) and requests for proposals (RFPs) for hardware and software
- Ability to identify key elements of an assignment, anticipate potential problems and take steps to avoid them
- Ability to handle multiple tasks simultaneously and remain effective in high-pressure situations
- Ability to assume responsibility and to work flexible hours with minimal supervision, supporting on-call situations as needed
Name: Taylor Haglund
Ph: (561) 585-1700