Senior Cybersecurity Risk Analyst

  • Company: American Institutes for Research
  • Employment: Full-time
  • Location: 🇺🇸 United States nationwide
  • Submitted: Posted 1 week ago - Updated 5 days ago
<p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Join AIR as a <strong>Senior Cybersecurity Risk Analyst</strong>.&nbsp;This is a key role within AIR’s Information Security Office, responsible for coordinating and driving institution‑wide security initiatives. The Senior Cybersecurity Risk Analyst will apply technical expertise across advanced security testing, continuous threat exposure management, and red‑team initiatives while leading risk and assurance activities, internal assessments, continuous monitoring, and client security questionnaire responses.&nbsp;</span></p><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">This position will support data governance efforts, including information security plan reviews. If you are ready to make a significant impact and excel in a fast-paced environment, this role is for you. The position requires broad expertise across application security testing, risk identification and treatment, and security assessment and authorization activities. This position reports to Director, Head of Information Security.</span></p><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">This remote position offers hybrid work flexibility to work from one of AIR’s U.S.&nbsp;<a href="https://www.air.org/locations#headquarters" target="_blank">office locations</a> with occasional travel&nbsp;required&nbsp;for meetings, training sessions, and conferences.&nbsp;</span></p><h4><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">About AIR:</span></h4><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Founded in 1946 and headquartered in Arlington, Virginia, the American Institutes for Research (AIR) is a nonpartisan, not-for-profit organization that conducts behavioral and social science research and delivers technical assistance to address some of the most pressing challenges in the United States and globally. 
We generate evidence and apply data-driven solutions that expand opportunities and improve lives for all.</span></p><h4><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Responsibilities:</span></h4><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Essential job functions include but are not limited to:</span></p><ul><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Drive and perform vulnerability management activities, including scanning, analyzing, reporting, and tracking network, container, application, and static code findings in collaboration with cross-functional teams.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Execute application security testing and findings analysis, including DAST, SAST, continuous threat exposure management activities, and targeted red teaming engagements.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Lead cyber risk management efforts by identifying risks, developing and reporting treatment plans, and maintaining the enterprise risk registry.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Oversee and drive the remediation of findings utilizing standard Plan of Action and Milestones (POA&amp;M) processes resulting from both internal and external security controls assessment, vulnerability assessments, and security testing.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Execute and contribute to internal controls assessments for AIR web applications, secure 
data enclaves, general support systems, and other key systems to support internal and external client security requirements.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Respond to client data security and privacy questionnaires with accuracy and subject‑matter expertise.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Perform and drive continuous monitoring activities to ensure ongoing compliance with internal policies and external regulatory requirements.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Support data governance by conducting information security plan reviews and contract reviews.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Serve as AIR’s HIPAA Security Officer, ensuring compliance with HIPAA Security Rule requirements.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Support third party risk management activities, including evaluating new software and artificial intelligence (AI) use cases.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Duties, responsibilities, and activities may change, or new ones may be assigned at any time based on business needs.</span></li></ul><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><strong>Qualifications:</strong></span></p><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><strong>Education, Knowledge, and 
Experience</strong></span></p><ul><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Bachelor’s degree and at least 9 years of relevant experience in information security.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">A major cybersecurity certification from ISC2, ISACA, OffSec, or SANS.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">A minimum of 5 years of hands‑on experience with vulnerability management and security testing tools, including DAST, SAST, and SCA.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">At least 5 years of experience securing and testing cloud environments such as Azure, AWS, or Google Cloud.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">A track record of 2+ years of experience conducting cyber risk and assurance activities, including applying relevant security frameworks.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Strong understanding of key standards, including NIST SP 800‑53, 800‑171, and 800‑88.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">The candidate should be able to obtain a Level 6C Security clearance (Public Trust Position).</span></li></ul><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><strong>Skills</strong></span></p><ul><li style="font-family: 
arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Exceptional communicator with the ability to translate complex technical concepts for diverse audiences and a strong team‑oriented mindset, consistently fostering effective collaboration across virtual, cross‑functional, and diverse teams.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Proven ability to operate with a high degree of independence, exercising sound judgment and initiative, while also engaging collaboratively to support shared goals and team success.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Highly adaptable in fast‑moving environments, with the capability to prioritize, balance, and drive multiple concurrent workstreams to timely, high‑quality outcomes.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Advanced analytical, critical‑thinking, and problem‑solving skills, demonstrating disciplined attention to detail and a commitment to delivering accurate, high‑quality results.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Deep understanding of common attack techniques, vectors, and tools used by threat actors, along with strong capabilities in cyber incident response, forensic log analysis, and incident handling procedures.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Extensive knowledge of native cloud security, compliance frameworks, and security posture management solutions, including 
CNAPP.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Proven ability to analyze static and dynamic application security testing results and assess cyber risks across systems and processes.</span></li><li style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Strong grasp of emerging technology trends, including AI governance and associated risk management practices.</span></li></ul><div><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><strong>Disclosures:</strong>&nbsp;Applicants must be currently authorized to work in the U.S. on a full-time basis. Employment-based visa sponsorship (including H-1B sponsorship) is not available for this position. Depending on project work, qualified candidates may need to meet certain residency requirements.</span></p><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">American Institutes for Research is an equal employment opportunity/affirmative action employer. All qualified applicants will receive consideration for employment without discrimination on the basis of age, race, color, religion, sex, gender, gender identity/expression, sexual orientation, national origin, protected veteran status, or disability. AIR adheres to strict child safeguarding principles. All selected candidates will be expected to adhere to these standards and principles and will therefore undergo reference and background checks. 
AIR maintains a drug-free work environment.&nbsp;</span></p><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><strong>ACCESSIBILITY NOTICE:&nbsp;</strong>If you need a reasonable accommodation for any part of the employment process due to a physical or mental disability, please send an email to Taliba Boone at tboone@air.org or call 202.403.5000.</span></p><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><strong>Fraudulent Job Scams Warning &amp; Disclaimer:&nbsp;</strong>AIR is aware of individuals falsely presenting themselves as AIR representatives. Fraudulent job scams seek to extract sensitive information or money from victims. To protect yourself, please be aware that AIR recruitment will only email you from an “@air.org” domain. Please take extra caution while examining the email address; for example, jdoe@air.org is correct and jdoe@aircareers.org is not a legitimate AIR email address. If you are unsure of the legitimacy of a communication you have received, please reach out to recruitment@air.org. If you see a job scam, or lose money to one, report it to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov. You can also report it to your state attorney general. Find out more about how to avoid scams at ftc.gov/scams.</span></p></div><div class="job__pay-ranges"><div class="pay-range"><div class="description"><div class="body"><p><span style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><a href="https://www.air.org/build-career-air/benefits">AIR’s Total Rewards Program</a>&nbsp;is designed to reward our staff competitively and motivate them to achieve our critical mission. This position offers the anticipated annual salary as listed. Salary offers are made based on internal equity within the institution and external equity with competitive markets. 
Please note this is the annual salary range for candidates that are based in the United States.</span></p></div></div></div></div><div class="content-pay-transparency"><div class="pay-input"><div class="title">Anticipated Annual Salary Range</div><div class="pay-range"><span>$157,000</span><span class="divider">&mdash;</span><span>$180,000 USD</span></div></div></div>
