Analysis Group is one of the largest international economics consulting firms, with more than 1,500 professionals across 15 offices in North America, Europe, and Asia. Since 1981, we have provided expertise in economics, finance, health care analytics, and strategy to top law firms, Fortune Global 500 companies, and government agencies worldwide. Our internal experts, together with our network of affiliated experts from academia, industry, and government, offer our clients exceptional breadth and depth of expertise.
The Information Security Analyst will support the Director of Information Security and Risk Management in the continuous improvement of the firm’s cybersecurity, compliance, and governance programs. The role will focus on Governance, Risk, and Compliance (GRC), third-party risk management, internal/external audit support, and security awareness. This position requires an organized, detail-oriented professional who is passionate about cybersecurity and risk reduction.
Essential Job Function & Responsibilities:
- Governance Support
- Maintain and update information security policies, procedures, and standards, ensuring alignment with regulatory and industry best practices (ISO 27001, SOC 2, NIST 800-53).
- Manage security policy exceptions and risk acceptance processes.
- Develop and track security metrics for senior leadership and regulatory reporting.
- Support internal and external audits, ensuring successful regulatory compliance efforts.
- Ensure adherence to legal and contractual security requirements, assisting in compliance with government and client security expectations.
- Risk Management and Audit Support
- Maintain the Risk Register and participate in the risk assessment process.
- Conduct security control testing and report on gaps, controls effectiveness, and areas for improvement.
- Develop dashboards to visualize risk trends and control effectiveness.
- Develop and maintain risk management metrics, reports, and dashboards.
- Participate in and manage audit requests, aligning internal stakeholders and facilitating evidence collection to ensure timely and accurate responses.
- Third-Party Risk Management (TPRM)
- Assess vendors and third-party service providers to evaluate security posture and compliance.
- Track and manage vendor security reviews, including remediation plans where necessary.
- Collaborate with Legal, IT, and Privacy to ensure contract security clauses meet firm standards.
- Security Operations and Reporting
- Support vulnerability management efforts, including scanning and remediation tracking.
- Conduct and manage periodic access reviews, ensuring that users have appropriate access based on least privilege and business requirements.
- Incident Response & Resilience
- Organize and facilitate cybersecurity tabletop exercises to assess response readiness and identify areas for improvement.
- Review, test, and improve the Incident Response Plan (IRP), ensuring alignment with evolving threats and best practices.
- Track lessons learned and drive corrective actions to enhance response capabilities.
- Assist in security incident investigations, coordinating response efforts and documentation as needed.
- Security Awareness and Training
- Develop and conduct security awareness training, including phishing simulations and targeted educational programs.
- Partner with stakeholders to improve security procedures, training, IT processes, and the security of existing systems.
- Maintain and update the internal security website, ensuring employees have easy access to security policies, best practices, and educational resources.
Qualifications:
- Bachelor’s degree required. Degree in Information Systems Security or related field preferred.
- Minimum of 2 years substantive relevant experience required.
- An ideal candidate will have 2-5 years of experience in information security, compliance, risk management, or IT security operations.
- Certifications (Preferred): Security+, CISSP, CISM, CISA, or equivalent.
- Technical Skills:
- Experience conducting risk assessments, security audits, and compliance evaluations preferred.
- Familiarity with ISO 27001, SOC 2, NIST 800-53, CSF, HIPAA compliance frameworks.
- Hands-on experience with GRC tools, vulnerability scanners, SIEM platforms, and security monitoring.
- Strong proficiency in Excel, Power BI, or similar tools to analyze risk and compliance data.
- Demonstrated experience with identity and access management (IAM), phishing detection, endpoint security, and incident response procedures.
- Soft Skills:
- Strong communication, documentation, and presentation skills.
- Self-motivated with the ability to work independently and in teams.
- Excellent problem-solving and analytical thinking skills.
- Adaptability and willingness to learn in a rapidly changing security landscape.
- An inclusive and growth-oriented mindset, strong interpersonal skills, and an ability to work across differences.
- To the extent permitted by applicable law, eligible candidates must be authorized to work in the United States without sponsorship or restriction, now and in the future.
Analysis Group embraces diversity and equal opportunity in a deep and meaningful way. We are committed to building teams that represent a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our work will be.
We provide equal access and opportunities regardless of sex, sexual orientation, gender, gender identity, gender expression, age, religion, race, color, ethnicity, national origin, ancestry, mental and physical ability or disability, medical condition, genetic information, citizenship status, socioeconomic status, veteran and military status, or membership in any other class protected under applicable law. We encourage candidates of all backgrounds to apply.
#LI-Hybrid