Cybersecurity - Risk Analyst

About the position WELCOME TO SITA We're the team that keeps airports moving, airlines flying smoothly, and borders open. Our tech and communication innovations are the secret behind the success of the world's air travel industry. You'll find us at 95% of international hubs. We partner closely with over 2,500 transportation and government clients, each with their own unique needs and challenges. Our goal is to find fresh solutions and cutting-edge tech to make their operations run like clockwork. Want to be a part of something big? Are you ready to love your job? The adventure begins right here, with you, at SITA. Supporting the cyber security risk management Team Leader, the Cybersecurity Risk Analyst will contribute to IT risk management practice within SITA EISO team by maintaining and enhancing the cybersecurity operational risk management framework. As part of the second Lines of Defense (2LoD), the Cybersecurity Risk Analyst will support business front lines (1LoD) risks & controls self-assessment capability and provide objective review to business lines to develop acceptable risk treatment plans, monitor risk mitigation execution progress and reporting to steering committees. Responsibilities • Maintain and improve the third-party risk management framework, which includes the supplier security onboarding, ongoing monitoring and offboarding requirements • Support the activities of the second line of defense (2LoD), monitoring the organization's operational risks and escalating any concerns about control weaknesses or exposures that exceed agreed business risk tolerance limits • Work with risk owners to ensure that operational risk templates and procedures are implemented correctly (e.g. providing training, advocating, socializing, coaching, etc.) • Support the cybersecurity exception handling process, including the objective review of the risk owner progress to achieve compliance with SITA policies and standards • Support risk management KPIs/KRIs identification, trends analysis and reporting • Document key findings, analysis, and recommendations in clear and concise reports for both technical and non-technical stakeholders • Act as a challenger to the first line by validating the adequacy and effectiveness of controls • Oversee and guide the first line's activities while ensuring that risks are properly identified, assessed, and mitigated • Develop and maintain an overarching cybersecurity risk management framework (processes, methods, and tools), provide constructive feedback and recommendations for improvement • Support compliance with legal, regulatory, and industry standards (e.g., ISO 27001, NIS2), including supporting regulatory reporting and audits by providing accurate and timely risk information • Facilitate risk record communication, quality, completeness between the first and second lines of defense by leveraging established risk templates, risk rating criteria and intersects • Navigate and work effectively across a complex, geographically dispersed organization • Promote a culture of risk awareness and share responsibility across the organization • Gather, manage and analyze requirements to design new application changes for own areas of responsibility ensuring sufficient effort is made to promote 'vanilla' functionality • Assist in and take ownership of estimates developed by less experienced staff and/or offshore providers • Coordinate the delivery testing and support of application changes related to own area of responsibility • Ensure quality solutions are delivered to business users on time and budget • Contribute to the development of application and process best practices and using a consultative approach gets buy-in from all stakeholders Requirements • 5 to 10 years of information system/cybersecurity risk and control management experience, including risk identification and analysis, response and remediation • Relevant certification desired: CISA, CISM, CISSP, CIA, CIPP, or related • Practical experience of assessing risks associated with third-party suppliers and reviewing assurance documents relating to security and IT controls provided by third parties (e.g. ISO 27001, SOC2 certifications, etc.) • Practical experience of managing an IT exception handling process • Ability to influence and engage with risk owners, and senior management • Ability to adapt quickly to changing priorities and demands • Demonstrate good learning attitude and attention to detail • Good communication skills, team player and a continuous improvement mindset • Ability to communicate in a clear, concise, and persuasive manner to all levels of audience • University degree in computer science, management information system, business administration or a related field of study required • At least 5 years experience in deployment or support of application software implementing systems and modules with experience of multiple full lifecycle implementations Nice-to-haves • Working knowledge and/or hands on experience with information security policy, procedures and standard development and improvement • Experience with GRC (Governance, Risk and Compliance) tools such as OneTrust, ServiceNow, Archer is considered an asset Benefits • Flex Week: Work from home up to 2 days/week (depending on your team's needs) • Flex Day: Make your workday suit your life and plans • Flex-Location: Take up to 30 days a year to work from any location in the world • Employee Wellbeing: Employee Assistance Program (EAP) for you and your dependents 24/7, 365 days/year • Professional Development: Training platforms, including LinkedIn Learning • Competitive Benefits: Competitive benefits that make sense with both your local market and employment status Apply tot his job