Senior Analyst, IT Risk Management and Governance

We offer more than a job, we offer a career!

• We support our employees to shape their career by encouraging continuing education and investing in training and development.
• We put our employees at the center of what we do to allow them to grow personally and professionally, with projects and challenges that are motivating and rewarding.
• We inspire people to do what they are passionate about by believing in integrity, respect and recognition of diversity and community support.
• We are a dynamic team where entrepreneurship, innovation and collaboration are at the core of our values.
• We offer competitive salaries and a multitude of benefits starting day one including generous medical and dental coverage, telemedicine, employee and family assistance program, and retirement and savings programs.
• We recognize the importance of work-life balance with our hybrid work program, wellness allowance, and year-round social activities and events.

This is a HYBRID role with 3 days in office requirement.

We are looking for an IT Risk Management Governance Senior Analyst to join our team in our Toronto office!

As an IT Risk Management Governance Senior Analyst, you will be responsible for ensuring effective, comprehensive, and seamless operations of the approved IT risk management governance framework aligned to industry best practices and standards.

The role is aimed to address risks in cybersecurity and IT governance and operations and provide an effective framework for identifying, assessing, monitoring, and managing cybersecurity and IT risks, including, and not limited to third party IT risks and user cyber training and awareness risks.

If you are career-minded and looking for a dynamic work environment with a growth mindset, you will love working with our team!

Your day as an IT Risk Management Governance Senior Analyst

• Support the approved IT Risk Management program within our company :
• Enable operationalization of the cybersecurity governance framework, including and not limited to controls, requirements, artefacts, processes, forums, and channels suitable to the operating environment and aligned to the suitable industry leading practices in cybersecurity (e.

g. ISO, NIST, SOC, CIS, CMMC, Bill 64, etc.).

• Develop cybersecurity governance requirements, control, processes and artefacts aligned to industry best practices as suitable for the operating environment.
• Act as the main custodian and key subject matter expert for the full repository of governance tools and artefacts (including and not limited to policies, controls, actions) to ensure accuracy, currency, timely reviews, relevance and suitability to BFL IT landscape.
• Act as the main custodian and key subject matter expert for the GRC automation platform.
• Support the approved Third-Party IT Risk Management Framework within our company, for example and not limited to the following :
• Maintain visibility and provide reporting on cybersecurity and IT risk posture of BFL third parties and overall portfolio.
• Develop, operationalize, and monitor compliance with the approved IT risk management thresholds, third-party Service Level Agreement (SLA), contract obligations, our company governance policies and metrics, industry best practices (including review of reports, certifications, evidence documentation, etc.)
• Liaise with third party relationship owners within the company and monitor due diligence in case of a third party cybersecurity incident, breach, relationship termination, data / activity repatriation, etc.
• Conduct assessments of cybersecurity and IT risks of the IT environment and our third parties'.
• Conduct cybersecurity and IT risk and control assessments of the IT environment and that of third parties, solutions and technologies and provide recommendations to protect and strengthen our cybersecurity and IT Risk Management posture.
• Develop and follow up on the approved recommendations and resolution plans to strengthen our cybersecurity and IT risk posture framework.
• Develop and support IT Risk Heat Map reviews and maintain our IT Risk Register and for our third party's portfolio.
• Monitor our IT risk posture indicators, alerting appropriate internal stakeholders on emerging risks and trends.
• Review, in partnership with Legal and Compliance, external contracts to identify and notify the IT leadership of potential IT risks to operations, data, systems or clients, etc.
• Contribute to the Cyber Governance Intake Channel and fulfill, in accordance with our Cybersecurity Governance Policies, requests for third party cyber and IT risk and control assessments.
• Lead our cybersecurity due diligence assessments for our third parties and provide recommendations to strengthen IT risk posture for our third parties and the portfolio.
• Liaise with third parties and monitor cyber posture maturity and the progress of implementing agreed our recommendations for cybersecurity remediations.
• Monitor, identify and alert appropriate internal stakeholders on emerging IT risks of our third-party portfolio that may exceed the approved IT risk appetite.
• Monitor BFL third party portfolio for cybersecurity and IT risk posture and provide recommendations to maintain IT risk level within the approved IT risk appetite.
• Onboard and operationalize third party IT risk management portal.
• Support the operationalization and ongoing management of the approved IT Risk Management and Cybersecurity Training and Awareness Program :
• Facilitate the selection and the delivery of relevant and effective cybersecurity training in accordance with the approved program requirements and objectives.
• Provide ongoing first-hand support for the development of content and the delivery of the optimal cybersecurity awareness initiatives.
• Continuously assess target audience needs, response trends and performance indicators and develop recommendations for effective Program enhancements.
• Continuously evaluate cybersecurity industry and global technology landscape for emerging and potential security threats and recommend appropriate cybersecurity and IT risk management training and awareness activities, approach, content and delivery tactics.
• Act as a key liaison with relevant stakeholders to enable smooth and seamless operations of the Program.
• Build trust, understanding and rapport with various stakeholders to ensure Cybersecurity Training and Awareness Program consistently achieves the approved performance targets.
• Act as the critical contributor and key subject matter expert for the training and awareness platform.
• Develop and maintain, in accordance with legal and compliance requirements, all IT risk assessments, due diligence, contractual agreements, and monitoring activities for IT environment and IT third-party portfolio.
• Maintain visibility and provide governance reporting on cybersecurity and IT risk posture.
• Participate in the development of the Cybersecurity Roadmap.
• Develop Cybersecurity and IT Risk Management governance framework metrics (e.g. IT Risk Appetite Statement, risk assessment criteria, KRI's, KPI's, thresholds, SLA's, etc.).
• Observe and analyze target audience data for engagement, response and overall cyber awareness performance and provide insights to continuously enhance training and awareness outcomes and relevant cyber controls as needed.
• Develop suitable trends and performance metrics for BFL Cybersecurity Training and Awareness Program (e.g. assessment criteria, KPI's, thresholds, SLA's and KRI's).
• Monitor Cybersecurity and IT Risk Management governance framework and BFL Cybersecurity Training and Awareness Program performance to the approved metrics.
• Develop and monitor IT control posture, effectiveness and maturity indicators, alerting on emerging risks and trends, coordinating Cyber Control Inventory and Exception Log reviews.
• Develop, operationalize, provide and continuously enhance constructive regular reporting on Cybersecurity and IT risk posture, including BFL third party portfolio cybersecurity and IT risks and Training and Awareness Program to various forums and audiences.
• Develop, recommend, facilitate and monitor the implementation of the approved recommendations to strengthen Cybersecurity Training and Awareness posture.
• Monitor and recommend enhancement to Cybersecurity Training and Awareness Program performance metrics.
• Continuously evaluate emerging and potential security threats and recommend appropriate risk management treatments and controls to adequately enhance BFL cybersecurity control effectiveness posture.

Our ideal candidate

• 3-5 years of progressive responsibility in roles focused on cybersecurity and IT risk management, cybersecurity governance and assurance, cybersecurity awareness, and third-party cybersecurity risk assessments.
• Demonstrated expertise in developing, operationalizing and monitoring cybersecurity and IT risks and controls, as well as cybersecurity training and awareness initiatives in all categories of cybersecurity discipline.
• Demonstrated expertise in conducting cybersecurity and IT risk and control assessments and gap analysis internally and for third parties;

advising on risks, threats, vulnerabilities; and making recommendations for risk mitigation and cyber posture improvements.

• Demonstrated experience in the development and deployment of cybersecurity governance processes, forums, channels, IT risk management artefacts, metrics and reporting.
• Firsthand work experience with online solutions for audit, governance, risk and compliance assessments, management, monitoring and reporting.
• Solid working knowledge and practical experience implementing and maintaining IT risk management controls aligned with globally recognized information security frameworks and standards such as the ISO 27001, NIST, PCI DSS, SOC, MITRE, etc.
• Working knowledge of : Information Security, Application Security, Infrastructure Security, Email Security, Phishing, Cybersecurity Awareness and various cybersecurity tools and services.

Current cybersecurity landscape and trends, emerging threats, defensive cybersecurity methodologies, vulnerabilities management and penetration testing methods.

• Proven experience to discuss and report technical matters with technical and non-technical stakeholders.
• Exceptional critical thinking, problem solving and analytical skills with the rare ability to pay attention to details while maintaining strategic and pragmatic approach.

Integrity, data driven and evidence-based objectivity, respect, collaboration, excellence, agility. Effective relationship building and collaboration skills.

Role model in cybersecurity discipline and practices.

• Bachelor's Degree in Computer Science, Business or Risk Management.
• Certifications - one of the following : Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Enterprise Risk Professional (CERP).

Certified Third Party Risk Professional (CTPRP), Certified Third Party Risk Assessor (CTPRA).

Who we are

Founded in 1987 by Barry F. Lorenzetti, BFL CANADA is one of the largest employee-owned and operated Risk Management, Insurance Brokerage, and Employee Benefits consulting services firms in North America.

The firm has a team of 1,300 professionals located in 26 offices across the country. Our employees have free rein to demonstrate their creativity, leadership, and entrepreneurial skills since we believe in each one of them.

BFL CANADA is a founding Partner of Lockton Global LLP, a partnership of independent insurance brokers who provide Risk Management, Insurance, and Benefits Consulting services in over 140 countries around the world.

More about us

Our Toronto office is located in beautiful downtown, in the core of the Financial District. Easily accessible by public transit, our office is close to a plethora of top-notch restaurants, ideal for enjoyable lunches or drinks after work.

Let's stay in touch : Follow us on LinkedIn to get privileged access to our activities and see our other job opportunities.

Visit our website to learn more about us : bflcanada.ca

We welcome and encourage applications from people with diverse abilities. BFL Canada is committed to fostering an environment that is diverse, equitable, inclusive, and accessible to all.

The diversity of our talents enables innovation and creativity through diverse backgrounds, different thinking, and unique knowledge.

Accommodations are available on request for candidates taking part in all aspects of the selection process.

Offers of employment at BFL CANADA are conditional upon satisfactory results of background verifications.

LI-Hybrid