Cyber Risk Analyst III

This position provides cybersecurity risk management and expert support at the highest level of cybersecurity governance and oversight, with primary responsibility for cyber risk identification and mitigation across the organization. The role evaluates risks, identifies control gaps, and partners with stakeholders to implement mitigation strategies that strengthen the organization’s security posture. Serves as a subject matter expert in risk assessment practices and cybersecurity domains, contributes to broader cyber risk oversight, recommends and monitors enhancements to processes and procedures, and provides reporting and analysis in support of strategic objectives.

• Cyber Risk Assessments – Leads and executes cybersecurity risk assessments across cyber domains, business units, and technology environments. Evaluates control effectiveness against established frameworks and regulatory expectations, identifies risk exposures, and documents findings in clear, actionable terms.
• Risk Identification and Mitigation – Identifies potential risks across operational, technology, and regulatory domains. Works with stakeholders to define and track remediation plans, ensuring timely and effective resolution of identified issues. Facilitates risk mitigation strategies aligned to business objectives and regulatory standards.
• Framework Application – Applies industry-standard frameworks (e.g., NIST CSF, NIST SP 800-53, ISO 27001, FFIEC guidelines) to assess and benchmark the organization’s risk posture. Conducts gap analyses, interprets requirements, and provides recommendations for closing compliance or control gaps.
• Cyber Technical Expertise – Leverages strong technical knowledge of core cybersecurity domains (e.g., IAM, network security, cloud security, endpoint protection, vulnerability management, and security architecture) to effectively assess risks and validate control implementation. Provides informed insights on technical risk mitigation strategies.
• Stakeholder Partnership – Collaborates with business, technology, and control owners to communicate assessment results, educate stakeholders on risk management expectations, and promote awareness of cybersecurity risks. Supports a culture of accountability and continuous improvement in risk management practices.
• Monitoring and Reporting – Develops and maintains risk assessment reports and dashboards. Communicates trends, patterns, and emerging risks to leadership, providing transparency into the organization’s cyber risk profile. Tracks remediation progress, escalates overdue actions, and highlights areas requiring additional oversight.
• Continuous Improvement – Maintains awareness of changes in industry standards, threat landscape, and regulatory requirements. Incorporates emerging practices into the organization’s risk assessment methodology, ensuring assessments remain relevant and effective.
• Remote eligible.

• Bachelor’s Degree and 6+ years of experience in cyber risk management or cyber risk oversight OR High School Diploma or GED and 10+ years of experience in cyber risk management or cyber risk oversight
• Direct experience performing cybersecurity risk assessments, including scoping, evaluation, gap analysis, and reporting
• Strong knowledge of cybersecurity frameworks such as NIST CSF, NIST SP 800-53, ISO 27001, and FFIEC guidance, with demonstrated ability to apply them in complex organizations
• Demonstrated technical expertise across cybersecurity domains including IAM, security architecture, network and cloud security, endpoint protection, and vulnerability management
• Experience identifying risks, defining remediation strategies, and partnering with stakeholders to reduce risk exposure
• In-depth practical knowledge of internal controls, cybersecurity processes, and risk management methodologies
• Excellent written and oral communication skills, with ability to influence stakeholders and communicate effectively at multiple levels
• Professional certifications such as CISSP, CISA, CISM, CRISC, or similar

• 7–10 years of experience in cybersecurity risk management, or cyber risk oversight including direct execution of cyber risk assessments
• 3+ years of experience in a Large Financial Institution or similarly regulated environment
• Familiarity with regulatory requirements and expectations related to cybersecurity risk management (e.g., FFIEC, OCC, FRB, NYDFS, HIPAA, state law, and other guidance)
• Strong analytical, problem-solving, and project management skills
• Experience with continuous improvement of risk assessment methodologies and reporting practices

This job posting is expected to remain active for 45 days from the initial posting date listed above. If it is necessary to extend this deadline, the posting will remain active as appropriate. Job postings may come down early due to business need or a high volume of applicants.

The base pay for this position is generally between $102,000 and $157,000. Actual starting base pay will be determined based on skills, experience, location, and other non-discriminatory factors permitted by law. For some roles, total compensation may also include variable incentives, bonuses, benefits, and/or other awards as outlined in the offer of employment.

First Citizens benefits programs are designed to meet our associates where they are in life. Full-time associates (20+ hours) are offered a comprehensive benefits program, with customized offerings, including those designed to support families, however defined. More information regarding our benefits offerings can be found here: https://jobs.firstcitizens.com/benefits

Cyber Risk Assessments – Leads and executes cybersecurity risk assessments across cyber domains, business units, and technology environments. Evaluates control effectiveness against established frameworks and regulatory expectations, identifies risk exposures, and documents findings in clear, actionable terms.

Risk Identification and Mitigation – Identifies potential risks across operational, technology, and regulatory domains. Works with stakeholders to define and track remediation plans, ensuring timely and effective resolution of identified issues. Facilitates risk mitigation strategies aligned to business objectives and regulatory standards.

Framework Application – Applies industry-standard frameworks (e.g., NIST Cybersecurity Framework (CSF), NIST SP 800-53, ISO 27001, FFIEC guidelines) to assess and benchmark the organization’s risk posture. Conducts gap analyses, interprets requirements, and provides recommendations for closing compliance or control gaps.

Cyber Technical Expertise – Leverages strong technical knowledge of core cybersecurity domains (e.g., identity and access management, network security, cloud security, endpoint protection, vulnerability management, and security architecture) to effectively assess risks and validate control implementation. Provides informed insights on technical risk mitigation strategies.

Stakeholder Partnership – Collaborates with business, technology, and control owners to communicate assessment results, educate stakeholders on risk management expectations, and promote awareness of cybersecurity risks. Supports a culture of accountability and continuous improvement in risk management practices.

Monitoring and Reporting – Develops and maintains risk assessment reports and dashboards. Communicates trends, patterns, and emerging risks to leadership, providing transparency into the organization’s cyber risk profile. Tracks remediation progress, escalates overdue actions, and highlights areas requiring additional oversight.

Continuous Improvement – Maintains awareness of changes in industry standards, threat landscape, and regulatory requirements. Incorporates emerging practices into the organization’s risk assessment methodology, ensuring assessments remain relevant and effective.

Remote eligible.