Join our team as a Cybersecurity Risk & Compliance Specialist to lead third-party risk assessments and support cybersecurity governance initiatives. With 7+ years of experience, you'll develop and implement security frameworks, policies, and procedures aligned with standards like NIST, ISO 27001, and PCI-DSS. Collaborate with internal teams and vendors to define security requirements, mitigate risks, and ensure compliance across procurement and project lifecycles. This hybrid role (2 days onsite, 3 remote) requires strong expertise in GRC practices, contract negotiation, and regulatory alignment. Ideal for professionals with CISSP/CISM/CISA certifications and a proven record in cybersecurity risk management.

 

Description

Responsibilities: Coordinate and perform risk assessments against a wide variety of inputs. Analyzes data from various sources to identify remediation of risks. Interprets policies, legislation and standards to adequately provide advice for management and executives. General Skills: Experience interpreting requirements from those standards and translating them into actionable implementations Strong understanding of internal control frameworks, control mappings, and scoping Familiar with a broad range of technical concepts: logical access control, agile development process, secure coding principles, security architecture, information security, network security, and privacy Expertise in gap analysis, remediation, control design and risk assessments Exceptional verbal and written communication skills Desirable Skills: Experience with GRC (Governance, Risk, Compliance) tools is a plus
Deliverables
Lead security and vendor risk assessments, identifying risks and gaps, and developing mitigation strategies for third-party vendors.
Conduct detailed assessments of third-party vendors’ security domains, communicate findings, prepare regular reports and updates to management and stakeholders.
Develop and implement cybersecurity governance frameworks, policies, and procedures in collaboration with cross-functional teams.
Provide support for audit, compliance, and regulatory requests. Precise and thorough documentation and analysis are essential for effective security auditing and compliance efforts.
Collaborate with internal teams and vendors to develop cybersecurity requirements for new solutions, ensuring alignment with security policies and standards.
Work with other team members to develop and align with cybersecurity requirements for solutions as required
Work with project teams to recommend and implement security controls to address identified risks.
Work with Enterprise Architecture, Solution Delivery, Security and Operations teams as part of a large program/project team to ensure security solutions and meet security compliance and security policies and standards
Identify requirements for policies and standards, and work with relevant teams in creation, development, review and approval
Act as a cybersecurity resource for new and upcoming project-based detail work
Work with project teams to identify and recommend security controls to remediate security risks and issues
Ongoing compliance work related to regulatory requirements and/or compliance to Metrolinx standards  
Develop the security process, procedure, governance artifacts and security controls within the Cybersecurity Risk Management and Governance/Compliance Programs.
Assist with security audits and threat/risk assessments to ensure compliance with security policies, standards and procedures, and work with business/technical/operational areas in taking corrective actions on any identified security exposures
Provide advice, risk assessment, recommendations and technical assistance in implementing security controls for projects
Communicate regularly with cybersecurity teams, internal stakeholders, project teams and representatives from various functional teams, including escalating any matters to senior team members that require additional analysis
Support the implementation of security principles, policies, and standards to align with industry best practices, ensuring security controls are integrated into system development, deployment, and operation

Additional Terms
Experience/skills required:

A minimum of seven (7+) years of experience in information security. Including working with large security projects
Strong communication, interpersonal and presentation skills for engaging with diverse stakeholders
Expertise in security governance, risk management, and compliance, including developing road maps, policies, standards, procedures and processes
Proven experience in contractual security requirements and third-party risk management through RFP processes and vendor evaluations throughout procurement life cycle
Ability to work in cross-functional teams, communicating complex technical information to all levels of the organization, including the leadership team
Proficient in cybersecurity risk management and third-party risk management tools (e.g., ServiceNow, OneTrust, Audit Board).
Experience with development of security processes, procedures and standards documentation
Strong knowledge of industry standards and regulations such as PCI-DSS, NIST, ISO 27001 and the ability to ensure compliance
Strong time management skills and the ability to prioritize project work and ongoing responsibilities
Self-motivated with the ability to work independently in a fast-paced environment in a fast-paced environment
Proficiency with standard Microsoft Office tools such as Word, Excel, PowerPoint, PowerBI and Visio

Education:

A current security designation (CISSP, CISM, CCSP or CISA)

 

Must Haves:

·        7+ Leading security and vendor risk assessments, identifying risks and gaps, and developing mitigation strategies for third-party vendors.

7+ years Developing and implementing cybersecurity governance frameworks, policies, and procedures in collaboration with cross-functional teams.
·        7+ Collaborating with internal teams and vendors to develop cybersecurity requirements for new solutions

·        7+ Developing the security process, procedure, governance artifacts and security controls within the Cybersecurity Risk Management and Governance/Compliance Programs.

·        7+ years experience in contract negotiation with procurement and legal teams through RFP processes and vendor evaluations throughout procurement life cycle

·        7+ years experience knowledge of industry standards and regulations such as PCI-DSS, NIST, ISO 27001  

·        7+ years experience facilitating cybersecurity awareness training  

 

Location: Hybrid - 2 days in office/3 days remote

Public Sector Experience: Preferred

# of submissions/supplier: 1