Risk Specialist
Listed on 2026-07-01
-
IT/Tech
Cybersecurity, Information Security, Data Security
Risk Specialist 2 or 3
State Information Technology Services Division is seeking an experienced Risk Specialist to support the centralized cybersecurity organization by executing cybersecurity risk management processes, conducting risk assessments, documenting risk conditions, maintaining risk documentation, evaluating control effectiveness, and helping customers translate technical findings into actionable treatment decisions under established guidance. The position works across a federated state environment to help assess risk, maintain risk records, registers, and reports, support policy and compliance alignment, and provide practical guidance that references statewide standards while considering agency business needs.
The role requires strong analytical ability, willingness to learn, and the ability to communicate risk in plain language to technical, operational, and business stakeholders.
What are we looking for?
Education and Experience:
Specialist 2:
Associate degree in Cybersecurity, Information Technology, Business, Public Administration, or a related field; AND 2 years of experience in cybersecurity risk management, information security, compliance, audit, security assessment, or a closely related field. Alternate combinations of education, experience, and relevant certifications will be considered on a case-by-case basis. Specialist 3:
Associate degree in Cybersecurity, Information Technology, Information Assurance, Business, Public Administration, or a related field; AND 4 years of experience in cybersecurity risk management, information security, compliance, audit, security assessment, or a closely related field. Experience leading risk assessments, complex control assessments, or audits. Alternate combinations of education, experience, and relevant certifications will be considered on a case-by-case basis. Preferred:
Bachelor's degree in Cybersecurity, Information Technology, Information Assurance, Business, Public Administration, or a related field; AND Advanced cybersecurity certifications such as CRISC, CISA, CISM, CISSP, etc.
Competencies:
Required knowledge, skills, and abilities:
Knowledge of cybersecurity risk management frameworks and standards, including NIST RMF, NIST SP 800-30, NIST SP 800-37, NIST SP 800-53, NIST CSF 2.0, and their practical application in a state government environment. Knowledge of Information technology (IT) cybersecurity principles and methods such as confidentiality, integrity, availability, authentication, authorization, accountability, encryption, configuration, etc. Knowledge of common cyber threats, vulnerabilities, attack vectors, and how technical issues translate into business, mission, legal, and reputational impact.
Knowledge of information technology platforms, including hardware, software, network, data storage, cloud service virtualization, security, end-user platforms, etc. Skill in planning and executing structured risk assessments, including asset identification, threat and vulnerability analysis, likelihood and impact estimation, and residual risk determination. Skill in evaluating the design and effectiveness of security controls and interpreting assessment, audit, and scan results. Skill in leading complex risk assessments, including multisystem and cross agency scenarios, and resolving conflicting stakeholder perspectives.
Skill in using GRC platforms, vulnerability management tools, spreadsheets, and ticketing systems to document and track risk work. Ability to communicate risk in plain language, including providing clear explanation of scenarios, likelihood, impact, and treatment options such as avoid, mitigate, transfer, or accept. Ability to exercise independent, expert judgment in ambiguous and high impact situations, including advising on risk acceptance when standards and precedents are limited.
Ability to identify control gaps, inconsistencies, and emerging issues in complex technical, procedural, and architectural documentation. Ability to mentor, coach, and provide informal leadership to team members in risk techniques, documentation standards, and stakeholder communication. Ability to operate effectively in a…
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).