RQ00671 - Security Specialist - Senior

Company: Maarut Inc
Job Type: Full Time


Job Description - RQ00671 - Security Specialist - Senior


The Security Specialist for Threat Risk Assessment, Threat Modelling, Vulnerability Assessment, and Risk Identification will develop new workflows and contribute to the growth and maturity of the Security Risk Management and Information Security Office.

Must haves: 



  • In-depth knowledge of risk management frameworks (e.g., ISO 31000, NIST RMF) and threat modelling methodologies (e.g., STRIDE, DREAD).

  • Expertise in identifying, evaluating, and prioritizing threats and vulnerabilities across physical, cyber, and operational domains.

  • Strong analytical skills to assess potential impacts and likelihoods of various threat scenarios.

  • Proficiency with risk assessment matrices.

  • Excellent communication and reporting abilities to effectively present findings and risk mitigation strategies to both technical teams and executive stakeholders.

  • Familiarity with legal, regulatory, and compliance requirements, ensuring assessments align with organizational and industry standards (e.g., PHIPAA).

  • Proactive mindset and situational awareness to anticipate and adapt to emerging threats in a dynamic risk environment.

Responsibilities:

The Senior Security Specialist will be responsible for conducting Threat Risk Assessments (TRAs) and plays a critical role in identifying, evaluating, and mitigating security risks across the organization’s systems, processes, and assets. That includes participating in end-to-end risk assessment initiatives, developing and applying threat models, and working closely with stakeholders to understand business objectives and risk tolerance. The Senior Security Specialist will analyze vulnerabilities, assess potential threats, and determine the likelihood and impact of various risk scenarios. The role is also responsible for compiling detailed TRA reports, maintaining risk registers, proposing actionable mitigation strategies, ensuring alignment with regulatory, industry, and organizational security standards, and effectively communicating findings to both technical teams and executive leadership. Additionally, the Security Specialist will contribute to the continuous improvement of risk management frameworks, support audit and compliance activities, and stay informed about emerging threats and security best practices.

Desired Skills:



  • Risk Management & Assessment – 10–15 years

  • Proven experience in conducting threat risk assessments using frameworks like ISO 31000, NIST RMF, or FAIR.

  • Threat Modeling – 10–15 years

  • Practical knowledge of threat modeling techniques (e.g., STRIDE, PASTA, MITRE ATT&CK), including development of data flow diagrams and attack vectors.

  • Information Security Governance – 7+ years

  • Strong understanding of security policies, standards, and controls aligned with ISO 27001, NIST CSF, and CIS Controls.

  • Communication & Reporting – 10+ years

  • Skilled in writing technical and executive-level reports, risk registers, and presenting to stakeholders and leadership.






Requirements

Rated Criteria:



  • Threat Modeling Expertise 20 Points

  • TRA Report: Demonstrated skills in TRA completions 20 Points

  • Gap Analysis: Demonstrated skills in gap analysis 40 Points

  • Communication Skills – both written and verbal. 20 Points

Deliverables:



  • TRA Report: A comprehensive document outlining identified threats, vulnerabilities, risks, and proposed mitigation strategies, tailored to the organization’s context.

  • Risk Register: A structured log of all identified risks, including severity, likelihood, risk rating, responsible owners, and mitigation actions.

  • Threat Modeling Diagrams: Visual representations of systems, data flows, and potential threat vectors using models like STRIDE or attack trees.

  • Risk Assessment Matrix: A visual tool mapping the likelihood and impact of risks to prioritize them effectively.

  • Asset Inventory & Classification: A list of assets in scope (e.g., systems, applications, data) categorized by value and sensitivity.

  • Vulnerability Assessment Results: A summary of technical vulnerabilities discovered during the assessment, often with outputs from tools like Nessus or OpenVAS.

  • Gap Analysis: Identification of discrepancies between current security posture and industry standards, best practices, or regulatory requirements.

  • Mitigation & Remediation Plan: Detailed action plans with timelines and responsibilities for reducing identified risks to acceptable levels.

  • Executive Summary: A high-level summary tailored for senior leadership, focusing on key findings, business impact, and strategic recommendations.

  • Compliance Mapping: Documentation showing how risks and controls align with regulatory or standards frameworks (e.g., NIST, ISO 27001, SOC 2).

  • Presentation Deck: Slide-based briefing to communicate findings, risks, and recommendations to stakeholders in a clear and digestible format.





Must Haves: 

10+ years experience: 



  • In-depth knowledge of risk management frameworks (e.g., ISO 31000, NIST RMF) and threat modelling methodologies (e.g., STRIDE, DREAD). 

  • Expertise in identifying, evaluating, and prioritizing threats and vulnerabilities across physical, cyber, and operational domains. 

  • Strong analytical skills to assess potential impacts and likelihoods of various threat scenarios. 

  • Proficiency with risk assessment matrices.

  • Excellent communication and reporting abilities to effectively present findings and risk mitigation strategies to both technical teams and executive stakeholders. 

  • Familiarity with legal, regulatory, and compliance requirements, ensuring assessments align with organizational and industry standards (e.g., PHIPAA). 

  • Proactive mindset and situational awareness to anticipate and adapt to emerging threats in a dynamic risk environment. 







Original job RQ00671 - Security Specialist - Senior posted on GrabJobs ©. To flag any issues with this job please use the Report Job button on GrabJobs.