Cybersecurity Risk Analyst

As an NRG employee, we encourage you to take charge of your career and development journey. We invite you to explore exciting opportunities across our businesses. You’ll find that our dynamic work environment provides variety and challenge. Your growth is key to our ongoing success—take the lead in shaping your career development, goals and future!

The Cybersecurity Risk Analyst supports the organization’s cyber risk management program by identifying, assessing, documenting, and communicating cyber risk across systems, applications, technologies, and business initiatives. This role partners with Technology, Business, Enterprise Risk and other stakeholders to enable risk-informed decisions and practical risk treatment outcomes.

The role is focused on internal cybersecurity risk assessments evaluating threats, vulnerabilities, control gaps, and business impact while helping stakeholders align on risk acceptance decisions consistent with organizational risk tolerance. Work is guided by the NIST CSF 2.0, with expected familiarity with FAIR and professional AI tools, as well as awareness of emerging technology risks and evolving cyber threats. This role is distinct from team responsibilities centered on third‑party risk, vendor contracts, security surveys, or regulatory compliance.

• Conduct cybersecurity risk assessments for systems, applications, infrastructure, technologies, projects, and business initiatives.
• Identify, assess, analyze, and document cybersecurity threats, vulnerabilities, control gaps, exploitability considerations, and potential business impacts.
• Evaluate inherent and residual cyber risk and develop clear, supportable risk statements, ratings, and recommendations.
• Apply established cybersecurity risk assessment methodologies, frameworks, and reference materials, including FAIR and other relevant cyber risk analysis approaches.
• Support practical and well‑informed cyber risk treatment recommendations, including mitigation, remediation, transfer, avoidance, and acceptance.
• Assist in identifying and documenting reasonable cyber risk acceptance positions aligned with business objectives, governance expectations, and organizational risk tolerance.

• Partner with stakeholders across Technology, Cybersecurity, Business, and Enterprise Risk to gather information and support effective cyber risk assessments.
• Facilitate meetings, workshops, and working sessions to bring the right stakeholders together for risk identification, analysis, treatment, and acceptance discussions.
• Build alignment across teams and help translate technical cybersecurity issues into clear business risk implications and decision points.
• Coordinate with team members responsible for adjacent activities, including third‑party risk management, compliance support, contract review, security surveys, and regulatory matters, while maintaining primary focus on internal cyber risk assessment and analysis.

• Work closely with vulnerability management and other cybersecurity teams to understand vulnerability exposure, remediation priorities, compensating controls, and the impact of technical findings on cyber risk.
• Analyze vulnerability data, remediation status, exploitability, and exposure trends to inform cyber risk assessments and recommendations.
• Maintain awareness of emerging cyber threats, attack techniques, threat actor activity, and technology developments that may affect the organization’s risk posture.

• Collect, organize, analyze, and report cybersecurity risk metrics, trends, and themes to support leadership reporting and program oversight.
• Prepare clear and concise risk assessment documentation, reports, summaries, and presentations for technical and non‑technical stakeholders.
• Support the continuous improvement of cybersecurity risk assessment processes, templates, standards, and reporting practices.
• Use approved AI‑enabled tools responsibly to support cyber risk research, analysis, documentation, and operational efficiency in…