Risk Specialist
Listed on 2026-06-28
IT/Tech
Cybersecurity, Information Security
Position Overview
State Information Technology Services Division is seeking an experienced Risk Specialist to support the centralized cybersecurity organization by executing cybersecurity risk management processes, conducting risk assessments, documenting risk conditions, maintaining risk documentation, evaluating control effectiveness, and translating technical findings into actionable treatment decisions. The role works across a federated state environment to assess risk, maintain records, registers, and reports, support policy and compliance alignment, and provide practical guidance that references statewide standards while considering agency business needs.
Education and Experience
Specialist 2:
- Associate degree in Cybersecurity, Information Technology, Business, Public Administration, or a related field.
- 2 years of experience in cybersecurity risk management, information security, compliance, audit, security assessment, or a closely related field.
- Alternate combinations of education, experience, and relevant certifications will be considered on a case‑by‑case basis.
Specialist 3:
- Associate degree in Cybersecurity, Information Technology, Information Assurance, Business, Public Administration, or a related field.
- 4 years of experience in cybersecurity risk management, information security, compliance, audit, security assessment, or a closely related field.
- Experience leading risk assessments, complex control assessments, or audits.
- Alternate combinations of education, experience, and relevant certifications will be considered on a case‑by‑case basis.
- Bachelor's degree in Cybersecurity, Information Technology, Information Assurance, Business, Public Administration, or a related field.
- Advanced cybersecurity certifications such as CRISC, CISA, CISM, CISSP, etc.
- Knowledge of cybersecurity risk management frameworks and standards, including NIST RMF, NIST SP 800-30, NIST SP 800-37, NIST SP 800-53, NIST CSF 2.0, and their practical application in a state government environment.
- Knowledge of IT cybersecurity principles and methods such as confidentiality, integrity, availability, authentication, authorization, accountability, encryption, and configuration.
- Knowledge of common cyber threats, vulnerabilities, attack vectors, and how technical issues translate into business, mission, legal, and reputational impact.
- Knowledge of information technology platforms, including hardware, software, network, data storage, cloud service virtualization, security, end‑user platforms, etc.
- Skill in planning and executing structured risk assessments, including asset identification, threat and vulnerability analysis, likelihood and impact estimation, and residual risk determination.
- Skill in evaluating the design and effectiveness of security controls and interpreting assessment, audit, and scan results.
- Skill in leading complex risk assessments, including multisystem and cross‑agency scenarios, and resolving conflicting stakeholder perspectives.
- Skill in using GRC platforms, vulnerability management tools, spreadsheets, and ticketing systems to document and track risk work.
- Ability to communicate risk in plain language, providing clear explanation of scenarios, likelihood, impact, and treatment options such as avoid, mitigate, transfer, or accept.
- Ability to exercise independent, expert judgment in ambiguous and high‑impact situations, including advising on risk acceptance when standards and precedents are limited.
- Ability to identify control gaps, inconsistencies, and emerging issues in complex technical, procedural, and architectural documentation.
- Ability to mentor, coach, and provide informal leadership to team members in risk techniques, documentation standards, and stakeholder communication.
- Ability to operate effectively in a federated state environment, balancing centralized standards with agency autonomy and relationship management.
- Work/life balance
- Health coverage
- Paid vacation, sick leave, and holidays
- Public Service Loan Forgiveness (PSLF) – Employment with the State of Montana may qualify for student loan forgiveness under PSLF.
- Position requires successful completion of a criminal background check.
- Only online applications are accepted.
- Participation in E‑Verify for employment eligibility verification.
- Telework is permitted with required weekly in‑office days in Helena as outlined in the job offer.
State government does not discriminate based on race, color, national origin, religion, sex, sexual orientation, gender identity or expression, pregnancy, childbirth or medical conditions related to pregnancy or childbirth, age, physical or mental disability, genetic information, marital status, creed, political beliefs or affiliation, veteran status, military service, retaliation, or any other factor not related to merit and qualifications of an employee or applicant.