Senior Cyber Security Risk & Controls Analyst – INFOSEC GRC
This is a Senior-level, Remote position within the Information Security Governance, Risk, and Compliance (GRC) department. Compared to the mid-level role (Job 32036), this “Senior” version requires more years of experience and commands a higher salary. You will lead the execution of Risk and Control Self-Assessments (RCSAs) and manage high-level security exceptions, ensuring that the bank’s technical operations align with its risk appetite and regulatory mandates.
- Requisition ID: 31830
- Base Pay: $120,000 – $180,000
- Location: Remote (US)
- Experience Required: 8 years with a degree (or 12 years with HS/GED).
- Core Frameworks: NIST CSF, NIST SP 800-53.
Key Responsibilities: Risk Leadership and Control Architecture
As a Senior Analyst, you are responsible for the accuracy of the bank’s risk landscape and the maturity of its control environment.
Strategic Risk Assessment (RCSA)
You will partner with senior business function owners to execute process-level RCSAs. This involves a deep-dive analysis into how a specific cybersecurity process (like Identity Management or Vulnerability Patching) could fail. You will determine the Inherent Risk (pre-control) and Residual Risk (post-control) ratings, documenting the evidence required to satisfy auditors and regulators.
Control Design and Rationalization
A critical part of this role is drafting and refining “control statements.” You will review existing controls for Design Effectiveness (DE)—asking, “Is this control built correctly to stop the risk?”—and Operating Effectiveness (OE)—asking, “Is it actually working day-to-day?” You will also support “control rationalization,” which is the process of identifying and removing redundant or ineffective controls to streamline the security program.
Security Exception Governance
When a business unit cannot meet a security standard, it requests an “exception.” You will perform the risk assessments for these exceptions, calculating the aggregate risk to the bank and recommending remediation plans or “target-state” enhancements to eventually close the security gap.
Required Qualifications and Skills
First Citizens Bank is looking for an experienced GRC professional who can translate technical security gaps into business risk language.
- Experience: 8+ years in cybersecurity or risk management.
- Technical Frameworks: Advanced familiarity with NIST 800-53 and NIST CSF.
- Analytical Writing: Proven ability to write clear, actionable findings that can be presented to executive leadership or regulators.
- Collaborative Influence: Experience working with technical IT teams to implement control improvements without disrupting business operations.
Preferred Qualifications
- Financial Services Context: Experience in a large, highly regulated financial institution.
- Certifications: CRISC (Certified in Risk and Information Systems Control), CISA, or CISSP.
- Tooling: Experience with GRC systems of record (e.g., Archer, ServiceNow GRC).
Summary of Role Impact
In the financial sector, “Risk” is the primary language of the business. As a Senior Cyber Risk & Controls Analyst, you ensure that cybersecurity is not just a technical silo, but a quantified business function. Your work ensures that First Citizens Bank remains resilient against threats while satisfying strict banking regulations. By identifying control gaps and driving remediation, you directly prevent financial loss and protect the bank’s reputation.
Job Features
- Job Category: IT & Cybersecurity