Senior Security Risk Analyst

Overview

We're looking for a highly motivated and detail-oriented Senior Security Risk Analyst to join our Governance, Risk, and Compliance (GRC) organization. Focused on security risk management, you will be a key partner to security architecture, product management and engineering teams to identify, assess, and manage security risks across our technology ecosystem.

This role is perfect for someone who enjoys translating "tech-speak" into clear, actionable insights. You'll play a key role in the entire risk journey—helping us spot issues early, supporting teams through risk treatment, and finding creative ways to automate so we can move faster.

This position reports to our Director, GRC in the Austin office. We're looking for someone to join us immediately.

• End-to-End
  
  Risk Management:
  
  Manage the full lifecycle of security risks and issues—from initial discovery through to resolution. You'll partner with owners to identify risk treatments (remediation, mitigation, or acceptance) that are practical and aligned with business goals.
• Technical Risk Translation: Act as a "translator" between technical teams and the business. You'll take complex findings and business issues and turn them into clear, actionable risk statements that stakeholders at all levels can understand.
• Cloud & SaaS Security Partnership: Collaborate with Engineering and Security Architect teams to evaluate the security posture of our technology ecosystem. You'll assess risks and configuration issues related to IAM, network security, pen tests, and our internal SaaS application stack.
• Risk Analysis: Apply the right tool for the job to score and prioritize issues. This includes using qualitative methods for daily triage and learning to apply quantitative models (FAIR) to help the business understand the potential financial impact of high-priority risks.
• Operational Optimization & Automation: Help us move away from manual tracking. You'll identify opportunities to automate risk workflows and reporting, making our GRC processes "Dev Ops-friendly" and scalable.
• Risk Governance & Register Management: Maintain the risk register, including ownership, treatment plans, and residual risk assessments. You'll track Key Risk Indicators (KRIs) and help build dashboards that give leadership a real-time view of our security health.
• Compliance Enablement: You will support risk-based alignment with security frameworks such as ISO/IEC 27001, SOC 2, and NIST CSF / NIST 800-53.

• Experience: Bachelor's degree and 6+ years of direct experience in cloud security, cybersecurity engineering, or technical risk management. Experience working in high-growth SaaS or cloud-native environments is required.
• Technical Knowledge: Understanding of cloud infrastructure security (AWS, GCP, or Azure) and security frameworks (NIST CSF, ISO 27001). Be able to interpret the outputs of Security Architects and Sec Ops teams, understanding network diagrams, attack paths, and vulnerability reports.
• Risk Methodology: Proficiency in qualitative risk assessment methodologies and awareness of quantitative methodologies like FAIR.
• Skills: Strong technical depth with a risk-based, pragmatic mindset. Capable of translating complex technical issues into business impacts. Exceptional communication and presentation skills, with the ability to interact effectively with stakeholders at all levels. Provide critical thinking with strong analytical and problem-solving abilities.
• Independent Contributor: Proven ability to work independently, take ownership of tasks, and prioritize effectively in a dynamic environment. You are comfortable operating in fast-moving environments with evolving architectures.
• Preferred
  • Familiarity with Dev Ops, CI/CD security controls, and Infrastructure security.
  • Certifications such as CRISC, CISM, CISSP or cloud provider certifications.
  • Experience utilizing a GRC platform for risk registering.

Base Pay Range:  -  USD Annual

For Los Angeles County (unincorporated) Candidates:
Procore will consider for employment all qualified applicants, including those with arrest or conviction records, in accordance with the requirements of applicable federal, state, and local laws, including the City of Los Angeles' Fair Chance Initiative for Hiring Ordinance, the Los Angeles County Fair Chance Ordinance for Employers, and the California Fair Chance Act.

A criminal history may have a direct, adverse, and negative relationship on the following job duties, potentially resulting in the withdrawal of the conditional offer of employment:
1) appropriately managing, accessing, and handling confidential information including proprietary and trade secret information, as well as accessing Procore's information technology systems and platforms;
2) interacting with and occasionally having unsupervised contact with internal/external customers, stakeholders, and/or colleagues; and
3) exercising sound judgment.