Title: Sr Enterprise Cyber Risk Mgmt Analyst, Vulnerability Assessment, Progression 
Company: Tampa Electric Company
Location: Ybor Data Center 
State and City: Florida  -  Tampa
Shift: M-F, 4 days in office per week / 1 home office day

Hiring Manager:  Alexis A Avila-Gonzalez

Recruiter: Mark E Koener 

TITLE:  Enterprise Cyber Risk Management Analyst, Progression

PERFORMANCE COACH:  Enterprise Cyber Risk Management Lead

COMPANY:  Tampa Electric

POSITION CONCEPT

The Enterprise Cyber Risk Analyst assumes a role in the implementation of the Enterprise Cyber Risk Management Framework which adheres to industry best practices and aligns with the organization's risk tolerance. Helps the organization protect assets from evolving cyber threats, stay in compliance with regulatory mandates, and foster a cyber risk aware culture. Serve as a solution orientated problem-solver with demonstrated knowledge of Information Security best practices. Ensures the integrity of the company’s information resources at the network, operating system, and application levels.  Provides support in a team setting, contributing to the systematic approach to cyber risk management to identify TECO's needs regarding information security requirements and the management of systems dedicated to monitoring and safeguarding enterprise assets. Performs cyber risk management activities and provides a methodology when performing risk analysis and risk evaluation.

This position can be hired at any level within the job family progression based on Education and years of experience. 

Enterprise Cyber Risk Management Analyst

PRIMARY DUTIES AND RESPONSIBILITIES

1. Responsible for the Identification of Risks on an ongoing effort to identify actions or conditions that can have adverse impacts on continuity of business or the cyber security of TECO. Responsible for the Classification and Prioritization of Risks, an ongoing analysis of the probability and impact associated with risks along with timeframes, where applicable, and their prioritization relative to other identified risks. Assists with Risk Mitigation decisions, actions, implementations, controls, or other activities that reduce the likelihood of a risk being realized, reduce the impact of the risk if realized, or improve TECO’s response time and efficacy. 25%

2. Assists with the oversight and Review of risks, their current probability and impact assessments, associated mitigation plans, and status of corrective measures currently underway or already undertaken along with efficacy review, where applicable, and a review of changing prioritization of said risks. Participate in developing and updating risk-related policies and procedures to align with industry standards and best practices. 25%

3. Utilizes risk assessment tools and technologies for effective threat identification and analysis. Regularly report risk findings to relevant stakeholders, including creating detailed risk assessment reports and presentations for management. Maintains a strong working relationship with individuals and groups involved in managing information risks across the organization. 25%

4. Participates in projects to recommend risk reduction. Exchange knowledge and information with other TECO facilities to ensure best practices are shared throughout the TECO organization. Partners and collaborate with other functional teams in support of cyber risk processes. 25%

QUALIFICATIONS

Education

Required:           High School Diploma.

Preferred:           Bachelor’s Degree in Computer Science, Information Systems or other Information Technology related field. 

Licenses/Certifications

Required:            From the list of certification vendors, one related Information Security professional certification or ability to obtain via self-study within one year of hire date (ex: (ISC)2, GIAC, ISACA, CompTIA, e-Council, etc.).

Preferred:           ITIL v3 and two or more of the following or similar Information Security professional certifications (ex: ACE, CCE, CEH, CISA, CISM, CISSP, CRISC, EnCE, GCCC, GCDA, GCED, GCFA, GCFE, GCIA, GCIH, GCWN, GICSP, GMON, GNFA, GPEN, GPPA, GREM, GWAPT, GXPN, OSCP, SSCP).

Related Experience

Required:            6 years of related Cyber Security or IT experience in Information Systems Audit or Assessor, Information Security, systems management, systems administration, information systems security, system certification, risk analysis).  May consider a degree in lieu of experience. Associates degree with 4 years related experience required or Bachelor's Degree in Computer Science, Information Systems or other IT related discipline with 2 years related experience.

Knowledge/Skills/Abilities (KSA)

Required:          

• Solid understanding of fundamental principles of cybersecurity, including threat landscape, vulnerabilities, and risk management.
• Familiarity with relevant security standards and frameworks such as NIST Special Publication 800-53, ISO 27001, and others depending on the industry.
• Knowledge of applicable laws and regulations governing information security, privacy, and data protection.
• Understanding of information technology systems, network architecture, and common technologies to assess security controls effectively.
• Knowledge of security control frameworks and their implementation, including access controls, encryption (certificates, PKI, Data Loss Prevention, multi factor authentication), and incident response.
• Knowledge of advanced cybersecurity tools and platforms, such as SIEM, IDS/IPS, endpoint protection, and threat intelligence solutions, for effective risk analysis and mitigation.
• Knowledge of Internet protocols, communication protocols, data and network security, and network monitoring tools.
• Proficiency in control testing to assess the effectiveness of security controls, including designing and executing test procedures to evaluate control performance against established criteria and standards.
• Ability to conduct comprehensive risk assessments, identifying and analyzing security risks to information systems.
• Technical skills to assess security controls, perform vulnerability assessments, and understand the technical aspects of security implementations.
• Strong communication skills to effectively convey assessment findings, risks, and recommendations to technical and non-technical stakeholders. Ability to create clear and detailed documentation, including assessment plans, reports, and recommendations.
• Critical thinking and problem-solving skills to analyze complex security issues and recommend appropriate solutions.
• A keen eye for detail to identify vulnerabilities, weaknesses, and discrepancies in security controls and documentation.
• Ability to adapt to evolving cybersecurity threats, technologies, and regulatory requirements.
• Adherence to ethical standards and professionalism, as SCAs often have access to sensitive information and play a critical role in maintaining the integrity of security assessments.
• Collaboration with various stakeholders, including system owners, security teams, and management, to ensure a comprehensive understanding of the information system and its security controls.
• Commitment to continuous learning and staying updated on the latest developments in cybersecurity, technology, and regulatory landscapes.

WORKING CONDITIONS

Normal working conditions with occasional weekend and overtime requirements, including on-call rotational support.

PHYSICAL DEMANDS/ REQUIREMENTS

Normal physical demands related to an office workplace environment.

Enterprise Cyber Risk Management Analyst Sr

POSITION CONCEPT:

The Enterprise Cyber Risk Analyst Senior assumes a role in the implementation of the Enterprise Cyber Risk Management Framework which adheres to industry best practices and aligns with the organization's risk tolerance. Helps the organization protect assets from evolving cyber threats, stay in compliance with regulatory mandates, and foster a cyber risk aware culture.  Collaborates with business units on cybersecurity, privacy, protection, and resilience of company assets, technology, and information. Ensures that the outcome of the risk assessment, risk treatment, and management plans remain relevant and appropriate to the circumstances, by using their extensive technical expertise and industry experience. Helps the business identify appropriate security solutions based on risk minimization and risk tolerance. Proposes technologies coordinated with industry regulatory requirements, anticipated trends, and corporate business plans to accomplish company goals and strategies. Delivers support in a team setting, contributing to the systematic approach to cyber risk management to identify TECO's needs regarding information security requirements and the management of systems dedicated to monitoring and safeguarding enterprise assets. Performs cyber risk management activities and provides a methodology when performing risk analysis and risk evaluation.

PRIMARY DUTIES AND RESPONSIBILITIES

1. Perform focused risks assessments within areas of the organization: capital projects, firewalls, threat advisories, cloud, network security, third-party risk, reputational risk, financial risk, and other areas as warranted. Communicate risk assessment findings to risk owners. Provide consultative advice to risk owners that enable them to make informed risk management decisions. Participate in projects to assist in identifying risk findings through vulnerabilities, security incidents, audits, and other cybersecurity programs and determine how to integrate these into TECO’s risk register. Identify appropriate controls to effectively manage cyber risks as needed. Identify opportunities to improve risk posture by ensuring that remediating or mitigating controls are identified and assess the residual risk. Drive continuous improvement through trend reporting analysis and metrics management. Participate in updating Enterprise Cyber Risk Management policies and procedures. Review risk management practices and comply with relevant laws and regulations. 35%

2. Responsible for the Identification of Risks on an ongoing effort to identify actions or conditions that can have adverse impacts on continuity of business or the cyber security of TECO. Responsible for the Classification and Prioritization of Risks, an ongoing analysis of the probability and impact associated with risks along with timeframes, where applicable, and their prioritization relative to other identified risks. Assist with Risk Mitigation decisions, actions, implementations, controls, or other activities that reduce the likelihood of a risk being realized, reduce the impact of the risk if realized, or improve TECO’s response time and efficacy. Report risk findings to risk owners, through risk assessment process and presentations for management. 30%

3. Perform ongoing cyber risk management activities within various IT and OT environments, including threat and vulnerability analysis. Leverage existing support tools and techniques when performing risk analysis and risk evaluation. Identify appropriate security solutions based on risk minimization and risk tolerance. Review the cyber risk management process to ensure that the outcome of the risk assessment, risk treatment, and management plans remain relevant and appropriate to the circumstances. Recommend and coordinate the implementation of corrective actions to close remediation items. 20%

4. Maintain a working relationship with risk owners across the organization. Exchange knowledge and information with other TECO facilities to ensure best practices are shared throughout the TECO organization. Partner and collaborate with other functional teams in support of cyber risk processes. 15%

QUALIFICATIONS

Education

Required:           High School Diploma.

Preferred:           Bachelors  Degree in Computer Science, Information Systems or other Information Technology related field. 

Licenses/Certifications

Required:            From the list of certification vendors, two related Information Security professional certifications or ability to obtain via self-study within one year of hire date (ex: (ISC)2, GIAC, ISACA, CompTIA, e-Council, etc.).

Preferred:           ITIL v3 and three or more of the following or similar Information Security professional certifications (ex: ACE, CCE, CEH, CISA, CISM, CISSP, CRISC, EnCE, GCCC, GCDA, GCED, GCFA, GCFE, GCIA, GCIH, GCWN, GICSP, GMON, GNFA, GPEN, GPPA, GREM, GWAPT, GXPN, OSCP, SSCP).

Related Experience

Required:            8 years of related Cyber Security or IT experience (Information Systems Audit or Assessor role, Information Security role, systems management, systems administration, information systems security, system certification, risk analysis).  May consider a degree in lieu of experience. Associates degree with 6 years related experience required or Bachelor's Degree in Computer Science, Information Systems or other IT related discipline with 4 years related experience.

Knowledge/Skills/Abilities (KSA)

Required:           

• Solid understanding of fundamental principles of cybersecurity, including threat landscape, vulnerabilities, and risk management.
• Familiarity with relevant security standards and frameworks such as NIST Special Publication 800-53, ISO 27001, and others depending on the industry.
• Knowledge of applicable laws and regulations governing information security, privacy, and data protection.
• Understanding of information technology systems, network architecture, and common technologies to assess security controls effectively.
• Knowledge of security control frameworks and their implementation, including access controls, encryption, and incident response.
• Knowledge of advanced cybersecurity tools and platforms, such as SIEM, IDS/IPS, endpoint protection, and threat intelligence solutions, for effective risk analysis and mitigation.
• Ability to conduct comprehensive risk assessments, identifying and analyzing security risks to information systems.
• Technical skills to assess security controls, perform vulnerability assessments, and understand the technical aspects of security implementations.
• Strong communication skills to effectively convey assessment findings, risks, and recommendations to technical and non-technical stakeholders.
• Ability to create clear and detailed documentation, including assessment plans, reports, and recommendations.
• Critical thinking and problem-solving skills to analyze complex security issues and recommend appropriate solutions.
• Keen eye for detail to identify vulnerabilities, weaknesses, and discrepancies in security controls and documentation.
• Ability to adapt to evolving cybersecurity threats, technologies, and regulatory requirements.
• Ability to analyze complex datasets and identify trends and patterns that could indicate cybersecurity risks or vulnerabilities.
• Adherence to ethical standards and professionalism, as SCAs often have access to sensitive information and play a critical role in maintaining the integrity of security assessments.
• Collaboration with various stakeholders, including system owners, security teams, and management, to ensure a comprehensive understanding of the information system and its security controls.
• Commitment to continuous learning and staying updated on the latest.

#LI-SC1

TECO offers a competitive Benefits package!!

Competitive Salary *401k Savings plan w/ company matching * Pension plan * Paid time off* Paid Holiday time * Medical, Prescription Drug, & Dental Coverage  *Tuition Assistance Program * Employee Assistance Program * Wellness Programs * On-site Fitness Centers * Bonus Plan and more!