Cyber Risk & Controls Analyst – INFOSEC GRC
This is a 100% remote position (listed against a Raleigh, NC headquarters) within the Information Security Governance, Risk, and Compliance (GRC) department. The role focuses on the formal identification and evaluation of cybersecurity risks, primarily through Risk and Control Self-Assessments (RCSAs). You act as the bridge between technical security teams and enterprise risk standards, ensuring that security exceptions and process-level risks are documented, rated, and remediated in line with regulatory requirements and industry frameworks.
- Requisition ID: 32036
- Location: Remote (US)
- Schedule: Monday – Friday
- Core Frameworks: NIST CSF and NIST SP 800-53
- Key Systems: Enterprise Risk System of Record (GRC tooling)
Key Responsibilities: Risk Assessment and Control Governance
This role ensures that the organization's cyber posture is measured accurately and that control gaps are identified before they can be exploited.
RCSA and Exception Management
You will lead cybersecurity process-level RCSAs in partnership with business function owners. Each assessment rates inherent risk (the exposure before any controls are considered) and residual risk (the exposure that remains once the controls in place are taken into account). You will also manage Information Security Standard Exceptions through their lifecycle, assessing the risk that each instance of non-compliance introduces and reporting the aggregated exception risk to leadership.
Control Design and Effectiveness
A major part of your work is drafting and refining control statements so that they are clear, actionable, and effective. You will review existing controls for design effectiveness, identifying gaps and inconsistencies, and you will update the system of record with current risk ratings and control environment scores on a regular cadence so that the risk profile stays accurate.
Compliance and Remediation Planning
You will evaluate security controls against enterprise policies, the regulatory requirements that apply to financial institutions, and frameworks such as NIST SP 800-53. When gaps are found, you will support remediation planning by documenting improvement recommendations and defining the target state for the enhanced controls.
Required Qualifications and Skills
The ideal candidate has a strong background in structured risk taxonomies and the ability to communicate complex risks to both technical and business stakeholders.
- Experience: six years in cybersecurity or risk management with a bachelor's degree (or ten years with a high school diploma or GED).
- Technical Knowledge: Proven experience performing RCSAs and a working knowledge of NIST CSF and NIST 800-53.
- Communication: Ability to write clear, professional risk and control descriptions and assessment findings.
- Analytical Skills: Strong attention to detail, specifically in mapping technical controls to broad regulatory requirements.
Preferred Qualifications
- Industry Context: Experience within large financial institutions or highly regulated environments.
- Certifications: CISA, CRISC, CISM, CISSP, or Security+.
- Strategic Thinking: Background in control rationalization (consolidating redundant or overlapping controls) and in evaluating control evidence.
Summary of Role Impact
In a large enterprise, and in the financial sector in particular, "compliance is not security," but security cannot be evidenced without it. Your analysis in this role ensures that the organization understands its true risk exposure. By maintaining a rigorous RCSA process and managing security exceptions, you keep unapproved deviations from standards and "shadow IT" risks from going unnoticed, and you ensure that remediation effort is prioritized by actual business impact.
Job Features

| Feature | Value |
| --- | --- |
| Job Category | IT & Cybersecurity |