Cyber Risk Analyst III

Cyber Risk Analyst III

First Citizens Bank seeks an experienced Cyber Risk Analyst III to provide cybersecurity risk management and expert support at the highest level of governance and oversight. Primary responsibility is cyber risk identification & mitigation across the organization.

This position evaluates risks, identifies control gaps, and partners with stakeholders to implement mitigation strategies that strengthen the organization’s security posture. The analyst serves as a subject matter expert in risk assessment practices and cybersecurity domains, contributes to broader cyber risk oversight, recommends and monitors enhancements to processes and procedures, and provides reporting and analysis to support strategic objectives.

• Lead and execute cybersecurity risk assessments across cyber domains, business units, and technology environments. Evaluate control effectiveness against established frameworks and regulatory expectations, identify risk exposures, and document findings in clear, actionable terms.
• Identify potential risks across operational, technology, and regulatory domains. Work with stakeholders to define and track remediation plans, ensuring timely and effective resolution of identified issues; facilitate risk mitigation strategies aligned to business objectives and regulatory standards.
• Apply industry-standard frameworks (e.g., NIST CSF, NIST SP 800‑53, ISO 27001, FFIEC guidelines) to assess and benchmark the organization’s risk posture, conduct gap analyses, interpret requirements, and provide recommendations to close compliance or control gaps.
• Leverage strong technical knowledge of core cybersecurity domains (identity & access management, network security, cloud security, endpoint protection, vulnerability management, and security architecture) to assess risks and validate control implementation; provide informed insights on technical risk mitigation strategies.
• Collaborate with business, technology, and control owners to communicate assessment results, educate stakeholders on risk management expectations, and promote awareness of cybersecurity risks; support a culture of accountability and continuous improvement in risk management practices.
• Develop and maintain risk assessment reports and dashboards; communicate trends, patterns, and emerging risks to leadership, providing transparency into the organization’s cyber risk profile; track remediation progress, escalations, and highlight areas requiring additional oversight.
• Maintain awareness of changes in industry standards, threat landscape, and regulatory requirements; incorporate emerging practices into the organization’s risk assessment methodology to keep assessments relevant and effective.
• Remote eligible.

• Bachelor’s Degree and ≥6 years of experience in cyber risk management or oversight OR High School Diploma or GED and ≥10 years of experience in the same field.
• Direct experience performing cybersecurity risk assessments, including scoping, evaluation, gap analysis, and reporting.
• Strong knowledge of cybersecurity frameworks such as NIST CSF, NIST SP 800‑53, ISO 27001, and FFIEC guidance, with demonstrated ability to apply them in complex organizations.
• Demonstrated technical expertise across cybersecurity domains including IAM, security architecture, network and cloud security, endpoint protection, and vulnerability management.
• Experience identifying risks, defining remediation strategies, and partnering with stakeholders to reduce risk exposure.
• In‑depth practical knowledge of internal controls, cybersecurity processes, and risk management methodologies.
• Excellent written and oral communication skills, with ability to influence stakeholders and communicate effectively at multiple levels.
• Professional certifications such as CISSP, CISA, CISM, CRISC, or similar.

• 7–10 years of experience in cybersecurity risk management or oversight, including direct execution of cyber risk assessments.
• 3+ years in a large financial institution or similarly regulated environment.
• Familiarity with regulatory requirements and expectations related to cybersecurity risk management (e.g.,…