Senior Cyber Risk Analyst
Listed on 2026-01-16
IT/Tech
Cybersecurity, Information Security
Company: Veteran Benefits Guide (VBG)
About Company
Veteran Benefits Guide (VBG) was founded by a former United States Marine with the goal of ensuring that Veterans receive accurate disability benefits in a timely manner. Since its inception, VBG has guided more than 45,000 Veterans through the complicated Veterans Affairs (VA) disability claims process. As a company founded by a Veteran and staffed by many Veterans and families of Veterans, VBG is committed to advocating for policies that protect the rights and interests of former service members.
Position Overview
The Senior Cyber Risk Analyst is responsible for leading enterprise cyber risk management activities, maintaining security and IT policy governance, and providing clear, actionable risk insights to senior leadership. This role partners closely with technology, legal, product, and business teams to identify, assess, and remediate cyber risks across the organization.
Eligible Locations
- Arizona (AZ)
- California (CA)
- Washington (WA)
- Nevada (NV)
- Utah (UT)
- Illinois (IL)
- Ohio (OH)
- New Jersey (NJ)
- Virginia (VA)
- North Carolina (NC)
- Florida (FL)
Reasonable accommodation may be provided to enable individuals with disabilities to perform essential functions.
- Own and maintain the organization’s information security and IT policies, ensuring they align with industry standards and are functionally enforceable in the organization.
- Develop risk posture reporting for senior leadership, including risk assessments, control effectiveness, and risk register updates, tailoring depth and messaging to technical and executive audiences.
- Manage the control framework and library by identifying control gaps across technology domains and leading annual control testing and enterprise security assessments.
- Lead enterprise cyber risk management activities including identifying and quantifying cybersecurity risks using standardized risk rating methodologies.
- Maintain the enterprise risk register and oversee cybersecurity remediation efforts while advising on compensating controls and interim risk treatment strategies.
- Partner cross‑functionally with legal, technology, product, and business teams to understand regulatory obligations, risk tolerance, and remediation priorities.
- Coordinate and facilitate cross‑functional remediation discussions while tracking progress and driving accountability for risk reduction.
- Own the third‑party risk management process, including vendor security questionnaires, risk assessments of new and existing vendors, and development of remediation plans to address identified security gaps.
- Ability to work independently and drive end‑to‑end initiatives with minimal supervision.
- Understanding of DevOps, security architecture, and security configurations, enabling effective collaboration with engineering, product, and infrastructure teams to identify and mitigate risks.
- Adaptability and resilience in an evolving environment.
- Stay current with emerging threats, digital changes, and industry best practices in risk management, compensating controls, and enterprise technologies.
- Proven ability to translate complex technical risks into clear business impacts and actionable, risk‑based recommendations for stakeholders.
- Excellent analytical, written, and verbal communication skills with the ability to influence decision‑making across technical and non‑technical audiences.
- One or more industry‑recognized certifications such as CompTIA Security+, CISA, CISM, CISSP, or equivalent.
- Hands‑on experience with GRC tools (Archer, ServiceNow GRC, Vanta, etc.) and formal risk assessment methodologies.
- Strong working knowledge of risk management frameworks (NIST, ISO, and CIS) and regulatory requirements for HIPAA compliance.
- Broad security domain expertise, including cloud environments, SDLC, application security, data protection and enterprise architecture.
- 5+ years of experience in cyber risk management, control assurance, or information security governance.
- Bachelor’s degree or equivalent work experience in Information Technology, Cybersecurity, or a related discipline.