Security Risk Analyst

Rate: £500-£550 per day Inside IR35

Duration: 6 months initially (will extend, 6 month rolling)

Location: Ipswich 3 days, 2 days remote

We are seeking a highly skilled Security Risk Analyst with a strong background in application security, vulnerability management, and risk assessment. In this role, you will be responsible for conducting security diagnostics across a suite of applications, identifying potential vulnerabilities, and delivering detailed risk assessment reports to the CISO. This position does not involve remediation but plays a critical role in uncovering and reporting risks within the organization’s application landscape.

• Conduct security risk diagnostics on enterprise applications to identify vulnerabilities, weaknesses, and compliance gaps.
• Perform comprehensive vulnerability assessments and penetration testing to evaluate application-level security posture.
• Develop detailed risk reports and vulnerability findings, including risk impact and likelihood, and deliver to the CISO.
• Collaborate with cross-functional teams to collect necessary data and context for risk assessments, while maintaining an independent risk evaluation.
• Support the organization’s GRC (Governance, Risk, and Compliance) objectives by aligning assessments with security frameworks and standards.
• Assist with security audits and help prepare documentation for internal or external reviews.
• Apply industry-recognized standards and frameworks such as NIST, ISO 27001, CIS Controls, in assessments and recommendations.
• Leverage past penetration testing, vulnerability management, and incident response experience to identify and contextualize threats effectively.
• Partner with and provide direct insights to CISOs and senior security leadership, contributing to overall security strategy and risk posture awareness.

• Senior profile with experience in security risk analysis, application security, or vulnerability management.
• OSPC or CISP
• Proven experience with security frameworks such as NIST, ISO 27001, CIS Controls – nice to have.
• Strong knowledge of vulnerability scanning tools (e.g., Qualys, Tenable, Nexpose, Burp Suite).
• Solid understanding of risk assessment methodologies and ability to communicate technical risks in business terms.
• Hands-on background in penetration testing, incident response, or vulnerability management with a move into risk analysis preferred.
• Experience collaborating with or reporting to CISOs and senior security stakeholders.
• Excellent analytical, documentation, and presentation skills.

• Security certifications such as CISSP, CISM, CRISC, OSCP, CEH, or equivalent.
• Experience working in regulated industries (e.g., finance, healthcare, government).
• Familiarity with risk scoring methodologies (e.g., CVSS, FAIR).