hardrockdigital
Cybersecurity Risk Analyst

United Kingdom · mid
Risk Analyst · Data & AI

Quick Summary

Overview

What we’re building

Hard Rock Digital is a team focused on becoming the best online sportsbook, casino, and social gaming company in the world. We’re building a team passionate about learning,

About the Role

We are seeking an experienced Cybersecurity Risk Analyst to join the Security Risk Management (SRM) team at a leading US online gaming platform. Reporting to the Director of SRM, this role is critical in protecting our cloud-based gaming infrastructure, customer data, and financial systems while ensuring compliance with gaming regulations and industry standards.

This role goes beyond traditional GRC. Our SRM team operates an AI-augmented Integrated Management System (IMS) built on ISO 27001 PDCA principles, where agentic AI tooling and its ecosystem of security skills are core to daily workflow. The ideal candidate brings strong risk management fundamentals and the ability to leverage AI tools to accelerate risk assessment, compliance evidence gathering, policy development, and executive reporting. We need someone who can hit the ground running with our AI-driven approach and actively identify new ways to apply AI across all SRM use cases.

This role is crucial for proactively managing technology risks and maintaining a strong security posture in an evolving threat landscape. The ideal candidate combines strong technical knowledge with business acumen and AI fluency to effectively communicate and manage risks across all organizational levels.

This is not a traditional GRC analyst position. You will work in an environment where:

  • AI is core tooling. AI agents and our ecosystem of 50+ security-specific skills are how we draft policies, gather audit evidence, validate compliance, assess vendors, and produce executive reports

  • Live data powers AI workflows. MCP servers connect our AI agents directly to GRC, security monitoring and defence, communications, and threat intelligence tools, enabling real-time compliance queries and automated evidence collection rather than manual data gathering

  • Our documentation lives in code. Our Integrated Management System is a git repository structured around ISO 27001 PDCA, not a collection of Word documents in SharePoint

  • You will shape how AI is used. Beyond using AI tools, you will help define AI governance for the organization and continuously improve how AI supports SRM operations

  • Gaming adds complexity. Multiple jurisdictional gaming commissions, GLI certification, and real-time financial systems create a uniquely challenging regulatory environment

If you thrive at the intersection of security risk management and AI-driven productivity, and you are excited about pushing the boundaries of what AI can do for GRC, we want to hear from you.

Responsibilities

Risk Assessment and Management

  • Conduct comprehensive risk assessments of cloud infrastructure, gaming applications, CI/CD pipelines, DevOps processes, payment processing systems, and all other aspects of internal technology operations

  • Develop and maintain risk registers, threat models, vulnerability and threat management programs, and risk treatment plans across eight enterprise risk categories

  • Perform quantitative and qualitative risk analysis using industry-standard methodologies (ISO 27005, ISO 31000, NIST RMF)

  • Evaluate third-party vendor security risks and assess supply chain vulnerabilities using structured TPRM frameworks

  • Leverage AI tools to accelerate risk identification, analysis, and reporting workflows

Risk Mitigation and Control Implementation

  • Develop and recommend risk mitigation strategies and security controls

  • Collaborate with technical teams to implement security measures and monitor their effectiveness

  • Track remediation efforts and verify risk reduction activities via GRC platform integrations

  • Create and maintain risk metrics and key risk indicators (KRIs)

Compliance and Governance

  • Ensure alignment with regulatory and industry requirements including state-specific gaming regulations (GLI-19, GLI-33, GLI-GSF), ISO 27001, ISO 42001, PCI DSS v4.0, SOC 2, NIST CSF, and GDPR

  • Support internal and external audits (Deloitte, Bulletproof, Schellman) by gathering evidence, preparing documentation, and coordinating audit activities

  • Maintain security policies, procedures, and risk management frameworks within the IMS

  • Contribute to AI governance activities including AI service registry maintenance, Shadow AI detection, and ISO 42001 compliance

  • Assist in developing and updating the organization's cybersecurity and AI governance strategy

AI-Augmented Risk Operations

  • Use agentic AI tools with associated skills and agents as core productivity multipliers for risk analysis, policy drafting, compliance validation, and reporting

  • Operate within a git-based Integrated Management System, using AI skills for tasks such as ISO evidence gathering, threat modelling, third-party risk assessment, and executive communication

  • Work with Model Context Protocol (MCP) servers to connect AI agents to live data sources (GRC platforms, identity providers, collaboration tools, threat intelligence feeds) enabling real-time, context-aware risk analysis and automated evidence collection

  • Identify opportunities to extend agentic automation by integrating new MCP servers and APIs into existing AI workflows, reducing manual effort across compliance, audit, and risk operations

  • Identify and develop new AI-driven approaches to SRM challenges, continuously exploring how AI can improve risk assessment accuracy, audit preparation efficiency, and compliance coverage

  • Contribute to prompt engineering, skill development, and workflow optimization for AI tools used by the SRM function

  • Maintain awareness of AI security risks and participate in AI risk assessments for new tools and services

Reporting and Communication

  • Prepare risk reports and dashboards for management, audit committees, and gaming regulators

  • Present risk findings and recommendations to technical and non-technical audiences

  • Document risk assessment methodologies and maintain assessment artifacts

  • Provide risk-based guidance for security strategy decisions

  • Use AI tools to generate structured executive reports and translate technical findings into business language

Incident Response and Business Continuity

  • Participate in security incidents for risk impact assessment and lessons learned

  • Participate in site reliability incident response activities, in particular post-incident reviews

  • Support business continuity and disaster recovery planning

  • Conduct tabletop exercises and risk scenario planning

Education

  • Bachelor's degree in Computer Science, Information Security, Technology Risk Management, or related field

  • Relevant certifications and experience can substitute for formal education requirements

Experience

  • 3-5 years of experience in cybersecurity risk management, GRC, or IT audit within the technology industry

  • Demonstrated experience with risk assessment methodologies and frameworks (ISO 27005, ISO 31000, NIST RMF)

  • Knowledge of security controls and their implementation across cloud environments

  • Experience with GRC platforms (Vanta experience preferred)

  • Practical experience using AI/LLM tools in a professional security or risk management context

AI and Technology Skills (Critical)

  • Demonstrated proficiency with AI coding assistants and agentic AI tools. Candidates must show practical experience using tools such as Claude Code, Codex, or similar AI-augmentation tooling.

  • Ability to craft effective prompts and work iteratively with AI to produce high-quality risk assessments, policies, and compliance documentation

  • Comfort working in a git-based workflow (branching, commits, pull requests) as the primary means of managing security documentation

  • Understanding of AI governance concepts: data classification for AI usage, model training policies, AI risk assessment, and responsible AI principles

  • Familiarity with Model Context Protocol (MCP) or similar frameworks for connecting AI agents to external data sources and APIs. Understanding how agentic AI tools consume live data from platforms such as GRC systems, identity providers, SIEM/SOAR, and collaboration tools to automate security and compliance workflows

  • Demonstrated curiosity and initiative in finding new applications for AI in GRC/risk management workflows, including identifying new data sources and integrations that can be brought into agentic AI pipelines

  • Familiarity with Markdown as a documentation format

Technical Skills

  • Understanding of security technology concepts (firewalls, IDS/IPS, SIEM, vulnerability management, CI/CD pipeline security)

  • Familiarity with cloud security across major providers (AWS, Azure, GCP)

  • Knowledge of network protocols and security architectures

  • Understanding of Zero Trust architecture principles (NIST SP 800-207, CISA ZTMM)

  • Basic scripting abilities for automation (Python, TypeScript, or shell scripting)

  • Familiarity with REST APIs and how they can be leveraged for security automation and data integration

Soft Skills

  • Strong analytical and problem-solving abilities

  • Excellent written and verbal communication skills

  • Ability to translate technical risks into business impact for executive and board audiences

  • Detail-oriented with strong organizational skills

  • Ability to work independently and manage multiple projects simultaneously

  • Strong interpersonal skills for stakeholder management across engineering, legal, and executive teams

  • Intellectual curiosity and a growth mindset, particularly regarding AI capabilities and their application to security risk management

Certifications (Preferred)

  • CRISC (Certified in Risk and Information Systems Control)

  • CISA (Certified Information Systems Auditor)

  • CISSP (Certified Information Systems Security Professional)

  • ISO 27001 Lead Implementer/Auditor

  • ISO 42001 familiarity (AI Management Systems)

  • CompTIA Security+ or CySA+

Additional Preferred Qualifications

  • Experience in online gaming, sports betting, or other regulated industry sectors

  • Knowledge of gaming-specific compliance frameworks (GLI-19, GLI-33, GLI-GSF)

  • Experience with specific GRC platforms (Vanta, OneTrust)

  • Experience building or contributing to AI governance programs

  • Experience building or configuring MCP servers, API integrations, or agentic AI toolchains

  • Knowledge of emerging threats and threat intelligence

  • Experience with DevSecOps and agile methodologies

  • Familiarity with process modelling (BPMN, DMN) for security workflows

  • Experience with Microsoft Entra ID, Cloudflare Zero Trust, or similar identity/access platforms

What We Offer

We offer our employees more than just competitive compensation and benefits. Our team benefits include, but are not limited to: 

  • Flexible vacation allowance.

  • Remote or Hybrid Flexibility: Enjoy the flexibility of remote work, with opportunities for in-person collaboration at our Austin or Florida headquarters, or a hybrid arrangement.

  • Innovative Environment: Join a team that thrives on pushing boundaries.

  • Growth Opportunities: As we scale, your role will evolve, providing you with unlimited opportunities for personal and professional growth.

  • Diverse and Inclusive: Join a team that values diversity, inclusivity, and embraces varied perspectives.

Location & Eligibility

Where is the job: United Kingdom, on-site at the office
Who can apply: Open to applicants worldwide

Listing Details

First seen: June 2, 2026
Last seen: June 2, 2026
