Cyber Security Risk Analyst

Job Purpose

The purpose of the Cyber Security Risk Analyst is to own the risk assessment lifecycle and lead detailed technical security audits across cloud and om-prem environments. This position will also be responsible for design and execution of IT controls testing, the evaluation of technical controls effectiveness, and for driving remediation with engineering and product teams.

Key Accountabilities

1. Lead technology and cyber risk assessments, maintaining a risk register with clear impact/likelihood rationales and treatment plans.
2. Map controls to frameworks (ISO/IEC 27001:2022/27002, NIST CSF 2.0, NIST 800‑53, CIS Controls, PCI DSS 4.0) and regulatory obligations (GovRAMP, EU AI Act, GDPR, CCPA).
3. Support policy/standard updates and control design reviews; advise on risk appetite, KRIs, and control maturity targets.
4. Conduct security risk assessments, identifying threats, vulnerabilities, and control gaps.
5. Maintain the security risk register, define treatment plans, and monitor remediation progress.
6. Support quantitative or qualitative risk analysis (e.g., FAIR-lite) for critical assets and processes.
7. Conduct deep dive security reviews, identifying threats, vulnerabilities and control gaps.
8. Plan and execute end-to-end technical audits including scope, testing plans, evidence requests, fieldwork, sampling, walkthroughs, and issue rating.
9. Develop control frameworks for secure software development and execute audits having a good understanding of agile software development practices and security by design principles (DevSecOps).
10. Produce clear, actionable audit reports and present findings to engineering leadership and risk committees.
11. Test design and operating effectiveness of Access Control, Application and Data Security, IT Service Operations, Technology Architecture, Logical and Physical Security.
12. Validate evidence, perform re-performance/inspection, and document results according to audit best practices.
13. Track remediation to closure; verify fixes and update control matrices.
14. Perform third-party risk assessments, reviewing security posture, contractual controls, and data flows.
15. Contribute to AI governance and data protection audits where relevant.
16. Partner with security engineering, IT, data, and product teams to translate requirements into technical controls and pragmatic remediation.
17. Create playbooks, control testing procedures, and knowledge articles; run enablement sessions to raise control maturity.
18. To combine a risk and compliance mindset with strong technical depth in modern enterprise security tooling.
19. Proven experience in cyber security with demonstrable experience in risk assessment and security auditing.
20. Audit and security certifications such as CISA, CISSP, CISM, ISO 27001 Lead Auditor/Implementer or equivalent experience.
21. Strong knowledge of ISO 27001/27002 and NIST CSF, with familiarity across NIST 800‑53, CIS Controls, and SOC 2 or PCI DSS.
22. Hands-on experience assessing Microsoft and Azure security including Entra ID, Defender suite, Sentinel, Intune, Azure Policy, and Purview.
23. Experience with Identity and Access, Cloud Security (Azure, AWS), Data Protection, SecOps, Agile Software Development (DevSecOps), Security by Design.
24. Solid grasp of ITGCs and evidence-based testing methods; excellent audit documentation and reporting skills.
25. Technical literacy across networks, identity, cloud, endpoints, logging/monitoring, and secure configuration.
26. Competence in using GenAI to enhance work practices and have experience in using Agentic AI to automate GRC processes.
27. Ability to develop relationships with key technical position holders across locations and functions
28. Excellent communication skills with the ability to express ideas and messages clearly, both written and verbally

Skills, Qualifications & Experience

1. To combine a risk and compliance mindset with strong technical depth in modern enterprise security tooling.
2. Proven experience in cyber security with demonstrable experience in risk assessment and security auditing.
3. Audit and security certifications such as CISA, CISSP, CISM, ISO 27001 Lead Auditor/Implementer or equivalent experience.
4. Strong knowledge of ISO 27001/27002 and NIST CSF, with familiarity across NIST 800‑53, CIS Controls, and SOC 2 or PCI DSS.
5. Hands-on experience assessing Microsoft and Azure security including Entra ID, Defender suite, Sentinel, Intune, Azure Policy, and Purview.
6. Experience with Identity and Access, Cloud Security (Azure, AWS), Data Protection, SecOps, Agile Software Development (DevSecOps), Security by Design.
7. Solid grasp of ITGCs and evidence-based testing methods; excellent audit documentation and reporting skills.
8. Technical literacy across networks, identity, cloud, endpoints, logging/monitoring, and secure configuration.
9. Competence in using GenAI to enhance work practices and have experience in using Agentic AI to automate GRC processes.
10. Ability to develop relationships with key technical position holders across locations and functions
11. Excellent communication skills with the ability to express ideas and messages clearly, both written and verbally

Diversity, Equity, and Inclusion

At Sage we are committed to building a diverse and inclusive team that is representative of all sections of society and to sustaining a culture that celebrates difference, encourages authenticity, and creates a deep sense of belonging. We welcome applications from all members of society irrespective of age, disability, sex or gender identity, sexual orientation, color, race, nationality, ethnic or national origin, religion or belief as creating value through diversity is what makes us strong.