IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

San Francisco Seeks Applicants for Cybersecurity Risk Analyst Position

“In alignment with our vision of serving as a model for a secure government, ensuring data confidentiality and integrity, as well as service availability, we have embarked on a mission to further mature the city’s cybersecurity program,” the job posting says.

This story is limited to Industry Insider — California members.
This story is limited to Industry Insider — California members. Login below to read this story or learn about membership.
The Department of Technology of the city/county of San Francisco is recruiting for a cybersecurity risk analyst to oversee identifying, assessing, controlling and monitoring risks through the citywide enterprise.

The IT Department “is the centralized technology services provider” for San Francisco government, delivering infrastructure and services to more than 28,000 employees and over 800,000 citizens, according to the job posting. The department has an annual operating budget of over $130 million and contains more than 240 employees. Key service areas include Technology Architecture and Security, Technology Service Delivery and Management, Client Services and Project Management Office, Public Safety Systems and Wiring, Technology Administration, Policy and Governance, and Public Communications.

“In alignment with our vision of serving as a model for a secure government, ensuring data confidentiality and integrity, as well as service availability, we have embarked on a mission to further mature the city’s cybersecurity program,” the job posting says. “Through the governance, risk, and compliance pillar of cybersecurity, we will strengthen the cyber program by further developing administrative controls, enhancing our risk management program, evolving vendor assessments, meeting compliance through adherence to regulatory frameworks, and cross-functionally working with senior management to align business and security goals.”

Desirable qualifications include:
  • Three to five years working in a cyber GRC-type role
  • Risk analytics experience within IT
  • Familiar with cybersecurity frameworks (NIST CSF/RMF, NIST 800-53, FedRAMP, etc.) and security standards (i.e., HIPAA, PCI-DSS, etc.)
  • Familiar with vendor risk management assessments (i.e., SOC2, CAIQ, etc.)
  • Ability to define and communicate risk in business-relevant language
  • Ability to communicate IT risk concepts to non-technical people
  • Comfortable with quantitative risk management, Factor Analysis of Information Risk (FAIR)
  • Familiar with auditing cybersecurity and technical policies and controls
  • Familiar with GRC platforms (i.e., SNOW, LogicGate, OneTrust, etc.)
  • Security certification preferred (i.e., Security+, CISA, CISM, CRISC, etc.)

The core responsibilities of the position include:
  • Perform cyber risk assessments against city cybersecurity requirements.
  • Conduct Vendor Risk Assessments to assess security posture of vendors.
  • Support the cyber awareness training and education program, including phishing simulations.
  • Track and monitor risk mitigation plans and develop reports in accordance with GRC metrics.
  • Coordinate with technology and business groups to assess, implement, and monitor IT-related security risks/hazards.
  • Perform review of policies and supporting procedures/processes.

The position has an annual salary range of $96,512 to $121,420. The application deadline is July 1.
Dennis Noone is Executive Editor of Industry Insider. He is a career journalist, having worked as a reporter and editor at small-town newspapers and major metropolitan dailies in California, Nevada, Texas and Virginia, including as an editor with USA Today in Washington, D.C. He lives in Northern California.