Job Information
MTA Advanced Cybersecurity Governance Risk & Compliance Analyst in New York, New York
Advanced Cybersecurity Governance Risk & Compliance Analyst
Job ID: 10955
Business Unit: MTA Headquarters
Location: New York, NY, United States
Regular/Temporary: Regular
Department: IT CISO
Date Posted: Mar 18, 2025
Description
JOB TITLE: Advanced Cybersecurity Governance, Risk and Compliance Analyst
SALARY RANGE: $115,433 -$166,223
HAY POINTS: 634
DEPT/DIV: Information Technology / Cybersecurity
SUPERVISOR: Manager, Cybersecurity Governance, Risk, and Compliance
LOCATION: Various/ 2 Broadway New York, NY 10004
HOURS OF WORK: 9:00 am - 5:30 pm (7.5 hours or as required)
This position is eligible for telework, which is currently two days per week. New hires are eligible to apply 30 days after their effective date of hire.
About us:
The MTA transportation network has very large systems and infrastructure for financial, business, automated train, transportation, power, and physical security. The MTA IT Department is centrally responsible for providing a full range of Information and Operational Technology services to the MTA agencies and administrative units through its operating and support units. These services are provided on a 24/7/365 basis to support the MTA organization and its ridership.
Summary of Job
This role is responsible for prioritizing, leading and delivering cybersecurity initiatives to reduce, mitigate and remediate cybersecurity risks that impact both the Information Technology (IT) department and all the MTA agencies. This role facilitates compliance with regulatory requirements (e.g., TSA directives) and information security policies from the MTA and New York State. This role also partners and collaborates with MTA’s Enterprise Risk Management team to address cybersecurity risk impacts to non-IT areas throughout the organization. This role is responsible for providing critical expertise and guidance to less experienced colleagues on managing and analyzing cybersecurity risks, including risk identification, mitigation, and management. The analysis is conducted through technology risk assessments, data analytics tools, and business processes reviews. This role is responsible for collaborating with security engineers, architects, developers, vendors, and business units to continuously reduce the overall security risk to the MTA. This role must possess knowledge of cybersecurity risk frameworks and best practices.
Cybersecurity risk and analysis play a critical role in ensuring that the MTA’s risk-taking entities are aware of the risks inherent in their activities and decisions, understand the impact of their actions on the organization at an enterprise level, and identify opportunities to reduce, mitigate, or avoid the risks altogether.
Responsibilities
Analyzes and interprets industry standards, regulations, and best practices to develop risk management tools that identify cyber risk trends, control gaps, and maturity opportunities.
Utilizes risk profiles and dynamic reporting mechanisms to incorporate cybersecurity risk information into the organization’s enterprise risk management program, providing a fully integrated, prioritized, enterprise-wide view of risks to drive strategic and business decisions.
Facilitates the remediation of control gaps and escalates cyber risk management activities to the C-suite by leveraging the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and incorporates the activities into the organization’s broader enterprise risk management programs.
Identifies adversary tactics and techniques (e.g., those used in malware, ransomware, and intrusion campaigns) using the MITRE ATT&CK knowledge base, and streamlines compliance efforts by leveraging cybersecurity best practices such as the CIS Critical Security Controls.
Oversees research of adversary techniques against enterprise IT networks and cloud by leveraging relevant risk identification tools and knowledge bases, such as MITRE ATT&CK.
Enhances cyber risk management processes across the MTA by providing thought leadership, oversight, and coordination with other risk management activities across the organization.
Monitors the cyber environment for new risks and reviews the effectiveness of risk mitigation strategies, ensuring that the organization adapts to evolving threat landscapes (e.g., developing/maintaining a risk register, leading risk analysis, quantifying top risks, and developing risk reports).
Guides less experienced colleagues on analyzing information to proactively identify risks, trends, and process improvements, supporting reporting on risk topics to management and compliance-related collateral.
Drives risk project and program delivery, including project and process management, reporting, engagement in senior leadership meetings, and drafting and reviewing materials for senior management and other governance activities.
Continuously evaluates the effectiveness of the cyber risk program by developing, monitoring, gathering, and analyzing metrics for management.
Builds successful relationships with IT, Cybersecurity, and Enterprise Risk to understand the impact of cyber risk on business processes. Collaborates with Enterprise Risk to ensure all agencies comply with cyber regulations.
Co-leads and participates in risk and other management forums, contributing to continuous improvement of risk and project or program management practices.
Co-develops the agenda and materials for division meetings and events.
Develops, publishes, and manages the lifecycle of cyber risk policies, procedures, and guidelines in collaboration with Subject Matter Experts (SMEs). Must be knowledgeable about MTA’s Cybersecurity policies, procedures, and standards, and ensure that cyber risk management practices align with relevant laws, regulations, and industry standards.
Leads workforce cybersecurity activities, including culture, awareness, and training, to ensure appropriate awareness of cyber risk requirements across the Enterprise.
Establishes a cyber risk quantification methodology that effectively details inputs, outputs, and measurements for cyber risks.
Creates and designs risk reporting dashboards and recommends/builds enhancements to ensure consistent alignment with changes in the risk environment. Prepares detailed risk assessment reports, including findings, recommendations, and mitigation plans, for presentation to management.
Plans and allocates resources effectively to support risk management activities, including investing in technology, personnel, and training.
Develops cyber risk program performance metrics, monitors program performance, and produces required program reports.
Promotes and enforces compliance with IT and cyber risk policies, standards, procedures, and guidelines, including developing communications for the IT Division and partners throughout the business, facilitating information sessions, and developing guidance documents. Ensures that cyber risk management practices align with relevant laws, regulations, and industry standards.
Collaborates effectively with colleagues, stakeholders, and leaders across multiple organizations to achieve strategic objectives.
Performs other duties and tasks as assigned.
Observes the work performed by the contractor.
Reviews invoices and approves them if the work meets contractual standards.
Addresses performance issues with the contractor when possible.
Escalates issues to other parties as needed.
Education and experience:
Education: bachelor’s degree and minimum of 8 years of relevant experience. An equivalent combination of education and experience may be considered in lieu of a degree.
Experience: 8 years
Certification(s): Requires at least one certification in the current platform/domain/technical skill. Possible certifications could be, but are not limited to:
Relevant Certifications
GIAC Critical Controls Certification (GCCC)
ISC2 Certified in Cybersecurity
GIAC Security Leadership (GSLC)
Global Information Assurance Certification (GIAC)
Azure Security Engineer Associate
Certified Compliance & Ethics Professional (CCEP)
Certified Ethical Hacker (CEH)
Certified in Risk and Information Systems Control (CRISC)
Certified Information Privacy Professional (CIPP)
Certified Information Security Manager (CISM)
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
ISO 27001 Lead Auditor
Certified Secure Software Lifecycle Professional (CSSLP)
Offensive Security Certified Professional (OSCP)
CompTIA Security+ Certification
Cybersecurity Nexus (CSX) Practitioner
GIAC Certified Incident Handler (GCIH)
GIAC Security Essentials (GSEC)
ISC2 Certified Governance, Risk and Compliance (CGRC)
Technical Skills
Advanced in cybersecurity best practices, such as CIS Critical Security Controls.
Advanced in utilizing risk identification tools, such as the MITRE ATT&CK knowledge base.
Advanced in the NIST Cybersecurity Framework (CSF) 2.0 and/or other risk frameworks/models.
Advanced in risk management.
Advanced in information security policies.
Advanced in regulatory requirements (e.g., DHS, TSA, FRA, FTA).
Advanced in analysis and reporting.
Advanced in adapting to evolving threat landscapes and business changes.
Working knowledge of the latest legislative and regulatory changes in the cybersecurity industry.
Behavioral Skills
Advanced active listening, attention to detail, customer service, prioritization, and problem-solving skills.
Advanced in working independently and strategically.
Adept expertise in identifying and analyzing risks and developing effective mitigation strategies.
Advanced technical knowledge and diverse skillset to understand various technologies, systems, and potential risks.
Adept critical thinking, problem-solving, and decision-making skills.
Expert in interpersonal and verbal and written communication skills, with the ability to effectively collaborate with both technical and non-technical peers.
Advanced experience with managing multiple projects simultaneously and prioritizing tasks based on urgency and impact.
Advanced hands-on experience with related tools.
Advanced experience with working under pressure and meeting deadlines individually and collaboratively. Thinks logically, assesses problems, and is results oriented.
Advanced in identifying complex business and technology risks and associated vulnerabilities.
Advanced in communicating effectively, both orally and in writing, to interact with team members, customers, management, and support personnel (technical and non-technical).
Advanced in establishing and maintaining effective working relationships with employees at all levels within the organization, and with both internal and external customers.
Competencies
Core Competency (Proficiency Level): Competency Definition
Collaborates (Advanced): Building partnerships and working collaboratively with others to meet shared objectives
Cultivates Innovation (Adept): Creating new and better ways for the organization to be successful
Customer Focus (Adept): Building strong customer relationships and delivering customer-centric solutions
Communicates Effectively (Expert): Developing and delivering multi-mode communications that convey a clear understanding of the unique needs of different audiences
Tech Savvy (Advanced): Anticipating and adopting innovations in business-building digital and technology applications
Technical Skills (Advanced): Specialized knowledge and expertise on tools, programs, domains, platforms, and products used for specific tasks
Values Diversity (Advanced): Recognizing the value that different perspectives and cultures bring to an organization
GENERAL:
May need to work outside of normal work hours (e.g., evenings and weekends)
Travel may be required to other MTA locations or other external sites
Pursuant to the New York State Public Officers Law & the MTA Code of Ethics, all employees who hold a policymaking position must file an Annual Statement of Financial Disclosure (FDS) with the NYS Commission on Ethics and Lobbying in Government (the “Commission”).
MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.
The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.