CS Risk Management Expert

aramco digital

Dhahran Compound

On-site

SAR 150,000 - 200,000

Full time

Today

Job summary

A leading energy firm in Dhahran Compound seeks a CS Risk Management Expert to evaluate and manage cybersecurity risks. You will work closely with business and IT stakeholders to ensure cloud compliance and alignment with regulatory frameworks. The role requires at least 6 years of experience and a degree in Cybersecurity, Information Security, or related fields along with professional certifications. This position presents a critical opportunity to strengthen cybersecurity across the organization.

Qualifications

  • Bachelor’s degree in Cybersecurity, Information Security, Risk Management, or Computer Science.
  • Preferred professional certifications in Cybersecurity.
  • 6+ years of experience in Cybersecurity Risk Management.

Responsibilities

  • Identify and evaluate cybersecurity risks across business functions.
  • Conduct in-depth risk assessments for new projects and technologies.
  • Develop and maintain the Cybersecurity Risk Register.

Skills

Regulatory risk reporting familiarity
Risk management frameworks knowledge
IT infrastructure understanding
Cloud-native security controls knowledge
Risk quantification ability
Cloud governance understanding

Education

Bachelor’s in Cybersecurity or related field
Cybersecurity Master's degree

Tools

ServiceNow GRC
Job description
Overview

The CS Risk Management Expert is responsible for identifying, evaluating, and managing cybersecurity risks across the enterprise. This role ensures that cyber risks are effectively integrated into the broader enterprise risk management strategy and that mitigation efforts are aligned with regulatory and business objectives. You will play a critical role in supporting secure decision-making by maintaining an up-to-date cybersecurity risk posture and working closely with various business and IT stakeholders. This includes a strong focus on risks associated with cloud environments, hybrid infrastructure, and SaaS/PaaS/IaaS services to ensure secure and compliant cloud adoption.

Key Responsibilities
  • Identify and evaluate cybersecurity risks across business functions, IT systems, infrastructure, and third-party vendors.
  • Perform in-depth risk assessments for new projects, emerging technologies, digital initiatives, and service providers.
  • Conduct specialized risk assessments for cloud environments, including data residency, multi-tenancy, identity management, and shared responsibility considerations.
  • Assess cloud service provider (CSP) security controls against regulatory, contractual and organizational requirements, ensuring alignment with frameworks such as CSA CCM.
  • Develop, maintain, and regularly update the Cybersecurity Risk Register.
  • Manage and update the Sectoral Risk Register in alignment with national regulations.
  • Document risk ownership, treatment actions, and residual risk levels across the organization.
  • Work closely with the Enterprise Risk Management (ERM) team to ensure cyber risks are fully integrated into the overall risk portfolio.
  • Align cybersecurity risk practices with regulatory and industry standards including NIST Risk Management Framework (RMF), ISO 27005, ISO 31000, and NCA Risk Requirements.
  • Ensure risk management processes address cloud compliance requirements from Saudi regulatory bodies (e.g., NCA CCC, CST cloud regulations).
  • Support regulatory reporting and ensure full compliance with sector-specific cybersecurity risk mandates.
  • Develop and support execution of Risk Treatment Plans in coordination with control owners and business units.
  • Track the status of mitigation actions and ensure timely risk closure.
  • Provide expert advice on risk acceptance criteria and escalation procedures.
  • Collaborate with other teams to ensure that security risk considerations are included in the design, migration and operation phases.
  • Lead cloud-related incident post-mortem risk reviews to identify control gaps and prevent recurrence.
Qualifications
Education
  • Bachelor’s degree in Cybersecurity, Information Security, Risk Management, Computer Science, Computer Engineering, Software Engineering, or MIS. A Master’s or Cybersecurity Master’s degree is preferred.
  • Professional certifications are preferred, such as CRISC, CISA, GCCC, ISO 27005 Risk Manager, ISO 31000 Risk Management Professional, GIAC Security Essentials, and GISP (GIAC Information Security Professional), as well as cloud security certifications such as CCSP.
Experience
  • 6+ years of experience in Cybersecurity Risk Management, IT Risk, or Information Assurance roles.
  • Experience conducting comprehensive risk assessments across IT infrastructure, vendors, cloud, and applications.
  • Experience in assessing and managing risks for cloud platforms (GCP, OCI, AWS, Azure, Alibaba Cloud) and SaaS applications. Experience working with GRC tools is a plus (e.g., ServiceNow GRC, Logic Manager or similar).
Skills & Competencies
  • Familiarity with regulatory risk reporting (especially in Saudi Arabia or GCC) is a strong advantage.
  • In-depth knowledge of risk management frameworks (NIST RMF, ISO 27005, ISO 31000, NCA Sectoral Risk Requirements).
  • Strong understanding of IT infrastructure, cybersecurity controls, and threat landscapes.
  • Deep understanding of cloud-native security controls, zero-trust principles and container security risks.
  • Ability to quantify risk and translate technical risks into business impact.
  • Familiarity with business continuity, disaster recovery, and third-party risk.
  • Strong knowledge of cloud governance, CSP contractual risk considerations, and secure configuration management.