Wednesday, February 05, 2014

An IT Audit to IT Risk Management Career Move That Rarely Surfaces

If you’re an IT Auditor and you have aspirations to move into Security, IT Risk Management and/or Compliance, I may have your desired career move on my desk.

This position could be placed in my client’s offices in either Sparks, MD or Horsham, PA. Once hired into this role, the candidate’s new title will be IT Security and Risk Management Analyst.

I’m approached frequently by people who want to know how they can move from career track “A” to career track “B”. Sometimes, the answer is as simple as being in the right place at the right time. Generally, that means that a person is already employed with a company when an opportunity to jump tracks presents itself.

My client’s willingness to take on an IT Auditor who aspires to be an IT Security and Risk Management Analyst is a bit of a rare occurrence in that the CISO is willing to train the right person.  What is the right person?

Here is a picture of the job. Don’t get hung up on the title if you’re an IT Auditor. What I need from you is a burning passion to advance your career into the realm of Security and IT Risk Management.

IT Security and Risk Management Analyst
Sparks, MD or Horsham, PA

We have been retained by an outstanding CISO whom we've done work for in the past. This CISO is building an Information Security and IT Risk Management program from the ground up in a company that has gone from 500 to over 5,000 employees through more than 20 acquisitions over the past few years. The acquisitions are not finished. This company will continue to grow and you have an opportunity to see your personal experience grow with it. This CISO wants you to want opportunities and, as you prove that you’re capable, opportunities will land in your lap. This is a rare opportunity to work for a CISO who has outstanding leadership capabilities. You’ll have the mentor that most security professionals go through their entire career wishing they had.

Our client operates in the healthcare industry and is the leading vertically integrated national provider of bedside diagnostics services offering mobile x-ray, ultrasound, teleradiology and laboratory services to skilled nursing home, assisted living, home healthcare, hospice and correctional markets. Services are offered through a network of subsidiary companies, each with its own core specialty or specialties, many of which interact with and support each other. With a national platform currently servicing 1.5 million beds, our client provides tremendous reach in the market and possesses the potential to expand services far into adjacent markets. 

The newly created IT Security and Risk Management Analyst role will reside in Sparks, MD, Horsham, PA or Burbank, CA. This team member will contribute to security-related initiatives within the IT Security Risk Assessment, Third-Party Management, Vulnerability Management, Incident Management and Business Continuity programs, as well as other security initiatives supporting the company’s various service lines and business units. This role is set aside for a candidate who has a deep desire to learn, to grow and to produce.

Primary Duties 

• Serve as a key liaison between IT Security & Risk Management and the business
• Identify areas for improvement in IT control environments, and identify opportunities for automation and efficiency gains in current controls
• Support GRC activities for SOX, HIPAA and other compliance frameworks
• Participate in, drive, test, and advance Business Continuity and Disaster Recovery Plans
• Participate in the creation of enterprise security documents (policies, standards, baselines, guidelines and procedures) under the direction of IT Management
• Perform risk assessments and implement technical and non-technical countermeasures
• Provide recommendations for additional security solutions or enhancements to existing controls to improve overall enterprise security
• Participate in and lead the Security Incident Response Team (SIRT) in the identification, containment, eradication, and resolution of security issues
• Participate in the design and execution of vulnerability assessments, penetration tests and security audits
• Actively contribute to and manage a wide array of security projects
• Other duties as requested

The ideal candidate will have IT audit experience, business continuity experience and/or significant consulting experience relevant to this position.

• 2+ years of broad IT Risk Management experience in operations, incident response, business continuity, and IT audit support
• Previous HIPAA, SOX, SAS 70/SSAE 16 and PCI compliance experience is preferred
• Experience in conducting IT risk assessments using an industry-standard risk assessment framework (NIST, OCTAVE, etc.)
• Knowledge of contemporary threat vectors, vulnerabilities, and remediation and mitigation techniques
• Strong proficiency in Microsoft Word, Excel, PowerPoint, and Access
• Working-level knowledge of security information and event management (SIEM) and data loss prevention (DLP) tools and services
• Working-level knowledge of vulnerability scanning tools such as Nessus and QualysGuard
• Previous exposure to UNIX, RHEL, Microsoft Server platforms and MS network services
• Professional security certifications such as CISSP, Security+, GISP/GIAC, CISA/CISM, CMBCP and ITIL are a plus
• Proficient grammar, sentence structure and written communication skills
• Education: Bachelor’s Degree in Computer Science, Information Technology or similar

IT Security and Risk Management Analyst 

$75,000 - $90,000+
Travel: 25% 
Telecommute: 10%
Education: BA/BS