Principal Security Risk Analyst

Job Locations: US-MA-Boston
Posted Date: 1 month ago (9/24/2020 6:35 PM)
Requisition ID:
Job Function: Information Technology



Do you dare to reinvent the future of education?

At Cengage, we're harnessing the power of tech to build a future where all learners have the tools and confidence to achieve their goals. As a Cengage employee, you'll be helping to transform the way people learn. Collaborating with the best of the best, you'll feel challenged and inspired to do breakthrough work. Together, there's no limit to what we can imagine, create and innovate!

Are we right for you?

We set the bar higher by bringing our unique talents and points of view to the table every day. We're curious and comfortable with change and are willing to take risks to transform education for the better. Most importantly, we put learning first with everything we do. We also offer a fun, challenging, and rewarding environment with the opportunity to work with some of the most talented people in our industry.

What You'll Do Here:

The Principal Security Risk Analyst is responsible for applying a risk-based framework to the Cengage Security Program, which includes infrastructure security, application security, and security operations. The framework must define the outcomes, key performance indicators (KPIs), key risk indicators (KRIs), and metrics required to monitor the organization's security posture, its risk levels, and the efficacy of the Security Program. This position will work cross-functionally to ensure that all significant IT risks are identified, measured, and monitored and that control objectives are defined and achieved. The position requires experience working with a risk framework, measuring and reporting on risk outside of the security team, strong communication and presentation skills, and working knowledge of privacy and security laws and regulations.

  • Define and document the outcomes, KPIs, KRIs, and metrics that will drive the Cengage Security Program.
  • Assist in the maintenance of the security library, including policies, standards, procedures, and guidelines.
  • Develop and maintain a comprehensive risk management process, including:
    • Performing risk assessment;
    • Monitoring external risk factors;
    • Developing risk dashboards;
    • Modeling loss; and
    • Maintaining Cengage-specific controls frameworks.
  • Manage information security compliance assessment of business processes.
  • Identify and communicate control deficiencies and recommend mitigations and/or remediations.
  • Document and monitor the implementation of controls for applications, technologies, and assets.
  • Design, implement, and maintain an IT Governance, Risk, and Compliance tool to conduct, manage and monitor risk management activities.
  • Inform Cengage’s information security strategy by developing programs and projects to enforce security requirements.
  • Recommend policies and programs to mitigate and/or minimize IT risks.
  • Develop executive-level reporting of risk posture, risk trends, key areas of risk, and recommendations, using industry standard tools and methodologies.
  • Remain current on all phases of risk management methodology.
  • Assist in the evaluation and mitigation of third-party vendor risk and control activities.

Skills You Will Need Here:
  • 10 years of relevant experience, or a Bachelor’s degree and 7 years of relevant experience.
  • Ability to clearly articulate the business impact of a security risk.
  • Strong presentation, writing, and communication skills.
  • Working knowledge of NIST SP 800-53, the NIST Cybersecurity Framework, COSO and/or COBIT; experience with other frameworks may be acceptable.
  • Experience building and executing a risk assessment methodology at enterprise scale.
  • Experience writing policies, procedures, standards, guidelines, etc.
  • Familiarity with application security vulnerabilities and practices.
  • Familiarity with infrastructure security vulnerabilities and practices.
  • Experience with incident response and incident response planning.
  • Familiarity with a variety of system platforms, including iSeries, web applications, web services, Windows Server, SQL and NoSQL databases, and Linux.
  • Self-driven when working independently; works well collaboratively.
  • High level understanding of Factor Analysis of Information Risk (FAIR).
  • Has read “How to Measure Anything in Cybersecurity Risk” or other related research and can discuss the framework.

