Senior Information Security Governance - Risk and Compliance Analyst

We’re at the forefront of the data revolution, committed to building the world’s greatest data and applications platform. Our ‘get it done’ culture allows everyone at Snowflake to have an equal opportunity to innovate on new ideas, create work with a lasting impact, and excel in a culture of collaboration. Snowflake Global Security Compliance and Risk (GSCR) team is focused on ensuring all our Snowflake products and services, and Corporate IT environment are secured, compliant with regulatory requirements and cybersecurity and third-party risks are managed. Our team works cross-functionally with various key stakeholders (Product Security, Engineering, Corporate IT and Security, Legal, Enterprise Risk Management, and Internal Audit). The Senior Cybersecurity Risk and Policy Lead will be a critical and high-impact individual contributor role. This role will be responsible for managing the cybersecurity risks (identifying, assessing, managing, monitoring and communicating cybersecurity risks) and security policies (facilitate development, maintenance, and evolution of the security policy framework, and work with all security teams to implement, manage and track exceptions to policies, standards, and plans over time). Ideal candidates are highly motivated individuals who thrive in fast-paced environments, comfortable with modern technology stacks that leverage the cloud, and who see risk as something to manage pragmatically. 

JOB RESPONSIBILITIES:

• Ensure relevant cybersecurity risks identified are captured in the risk register and keep it updated with the related information

• Facilitate risk decomposition (scenario generation) activities with the relevant key stakeholders and document the outcomes

• Develop a broader understanding of the motives, targets and activities of cyber threat actors and manage threat actor profile for Snowflake

• Perform cyber risk assessments on new and existing cyber security risks in partnership with risk owners and subject matter experts

• Analyze cybersecurity risks to determine likelihood and impact to Snowflake business and describe risks in quantitative and qualitative terms

• Implement a quantitative risk methodology based on FAIR approach and quantify cybersecurity risks in financial terms

• Develop risk mitigation plan by partnering with the Risk and system owners

• Identify and develop appropriate metrics such as key performance indicators (KPIs) and key risk indicators (KRIs) to measure risks and highlight trends or themes

• Track and monitor risk mitigation plan activities with metrics and timeline

• Help make risk-based decisions and trade-offs impacting business strategies

• Help project prioritization for quarterly planning activities that could mitigate the risks

• Develop reports and dashboards to provide an update on risk posture to key stakeholders, risk owners and leadership team

• Maintain a strong understanding of risk management methodologies and frameworks

• Educate and build awareness of cybersecurity risk management  across the organization

• Empower key stakeholders and risk owners to use the common risk taxonomy

• Influence behaviors to reduce cybersecurity Risk and foster a strong risk-based culture throughout the organization

• Assess, evolve, and drive the policy management framework for all Security policies and standards in partnership with Security teams and Security Risk Management

• Review and make recommendations for streamlining existing and future security policies

• Appropriately assess control design and effectiveness in order to ensure policy and standard enforcement

• Create a process and collateral for rolling out new security policies to the whole company

• Establish, document, and broadly communicate security policy management norms to the Security organization, outlining how to create, maintain, enforce, and deprecate security policies in line with enterprise policy requirements

• Collaborate within Security Compliance, Product Security, Corporate Security, Legal and other partners to incorporate security and Compliance requirements into the security policy framework and track policy implementation and issues

• Manage the Security Exception Process to enable Security teams to track exceptions, manage approvals, and improve automation

• Partner with Security Analytics team to develop key performance indicators and dashboards to monitor and report on the Security policies

• Utilize people, process and technology in order to build tightly integrated policy tooling into a broad set of security internal tooling

QUALIFICATIONS:

• Minimum of 10 years of tactical and operational experience in Governance, Risk and Compliance, or Information Security, with a focus on risk assessments/management

• Strong analytical skills along with the ability to effectively communicate complex security related information including risk identification, assessment, and remediation activity.

• Knowledge and practical experience with the following risk management frameworks:  ISO, NIST, and FAIR.

• Experience with creating and utilizing risk KPIs and KRIs with data visualization tooling.

• Technical certifications within the area of security and risk are a strong plus (CISSP, CRISC, CISM or equivalent).

• Knowledge and experience pertaining to:

  • AWS or Azure or GCP  (or similar) cloud security and infrastructure

  • Software as a Service (SaaS) applications

  • CI/CD pipeline tools (such Github, Jenkins, etc.)

  • Network infrastructure security

  • Encryption technology and implementation

  • Database security

  • Operating system security

  • Artificial intelligence and machine learning

• Expert, communicator and writer; you can coach others on their writing skills, you can adapt your communication style for your audience, and you have experience drafting policies, reports, and other written materials for a variety of executive audiences

• Knowledge of global cybersecurity, technology and data privacy regulatory requirements 

• Experience reporting policy and Compliance posture to senior stakeholders

• Ability to direct cross functional work and hold others accountable to committed deadlines

Every Snowflake employee is expected to follow the company’s confidentiality and security standards for handling sensitive data. Snowflake employees must abide by the company’s data security plan as an essential part of their duties. It is every employee's duty to keep customer information secure and confidential.