
Principal Cyber Security Risk Analyst

University of California- Davis Health
$122
vision insurance, parental leave, paid time off, paid holidays, sick time, long term disability, tuition reimbursement, remote work
United States, California, Sacramento
Nov 19, 2025
Job ID: 82303
Location: Sacramento
Full/Part Time: Full Time
Job Summary

Under the general supervision of the Deputy Chief Information Security Officer, the Principal Cyber Risk Analyst serves as the top-level senior risk analyst in the Cybersecurity department, covering all of UC Davis Health, including the medical school, nursing school and medical research.

The incumbent is a recognized organization-wide expert in threat analysis, event probability, loss impacts, and the effectiveness of compensating security controls at reducing probability and impact, across multiple technologies. They are highly skilled at communicating these things to all levels of staff and leadership in language they can understand. Being deeply steeped in conversational expression of cybersecurity risk, they are capable of asking non-threatening, leading questions that help others understand influential factors, while mentally calculating rough ranges of loss magnitude. They are completely comfortable communicating ballpark ranges for quick assessment, while carefully deferring actionable results to formal reports that come later.

This role leads workgroups of leaders and subject matter experts from across the system through exercises to disambiguate complex strategic risks. Provides top expertise on control efficacy and risk reduction value. Oversees risk analysis report output from other risk analysts and ensures quality & consistent value from the team. Manages cybersecurity & privacy metrics collection & reporting.

Collaborates with other UC Health, UC Campus and UCOP risk professionals to align UCDH risk reduction policies. Interacts with all levels of the UCDH staff, peers at other UC campuses, and UCD/UCDH business partners to follow and to enhance risk management processes that keep risk appetites in alignment with organizational risk tolerance, while balancing business/academic strategies.

Plays an important role in the efforts to secure the information assets of UCDHS from threats to the confidentiality, integrity, and availability of such assets. Prepares and maintains various security reports and dashboards, coordinates technology audit response activities, reviews system security architecture designs, actively participates with business and campus units throughout the university community.

Apply By Date: 12/2/2025 by 11:59pm

Accepting applicants for hybrid or remote work.

Minimum Qualifications - For full consideration, applicants are encouraged to upload license and/or certification if required of the position

  • The Open Group's OpenFAIR and either ISC2 CISSP OR CompTIA Security+
  • Bachelor's degree in related area and / or equivalent experience / training
  • 2 years' minimum experience performing cybersecurity risk analysis in a business subject to US Healthcare privacy & information security regulations.
  • 3+ years demonstrated experience administering privacy & security controls or standards (NIST, CIS, ISO, PCI) in compute, infrastructure, storage and applications.
  • Experience leading effective meetings and/or risk analysis work sessions.
  • 1+ years experience performing cybersecurity risk analysis in a business subject to US healthcare privacy & information security regulations.
  • Demonstrated proficiency at using cyber risk quantification techniques (e.g., OpenFAIR) to calculate and communicate single-event loss expectancy, probable event frequency, and annualized loss expectancy (ALE).
  • Advanced interpersonal skills sufficient to work effectively with both technical and non-technical personnel at all levels in the organization.
  • Demonstrated expert level knowledge of regulations and security risks common to infrastructure, firewalls, wireless, compute (endpoint and server), storage, applications (endpoint, server and cloud), IOT and biomedical devices.
  • Demonstrated expert-level knowledge of NIST SP800-53 rev5 moderate-baseline controls, as our policies are aligned with this framework.
  • Excellent communication skills (Oral/Written).
  • Strong proficiency with common productivity tools (MS Office, Adobe, etc.)
  • Must have the ability to work independently, set priorities, organize the work of others and meet multiple deadlines

Preferred Qualifications

  • ISACA's CRISC or similar information risk certification.
  • ISC2's CISSP
  • HCCA's CHPC
  • CompTIA's Security+
  • GIAC (Any specialty)
  • ISC2's HCISPP
  • Master's Degree
  • 4 years' experience performing and leading cybersecurity and privacy risk analysis exercises.
  • 4 years' experience leading workgroups of highly skilled subject matter experts and business leaders through business process and technical design analysis exercises.
  • Preferred 4 years' experience evaluating diligence in following cybersecurity technical controls & safeguards, such as ISO27001/2, NIST Cybersecurity Framework, and its source risk control library, SP800-53.
  • 1 year experience with the FAIR Controls Analytics Model (FAIR-CAM).
  • 3 years' experience with Cyber Risk Quantification (CRQ), especially OpenFAIR.
  • 2 years' experience analyzing business processes, business value, and the ways that cybersecurity threats can impact them.
  • 2 years' experience delivering verbal and written communication; especially showing the ability to present complex principles to mixed audiences.
  • 1 year working with medical research institutional review boards (IRBs).
  • 1 year working with transactional attorneys and reviewing service contracts.
  • Deep knowledge of HIPAA, HITECH, PCI regulations, and the audit control standards that support them.
  • Deep understanding of quantitative cyber security risk: analyzing threats and threat event probabilities, losses, and control effectiveness at reducing probability or loss, as covered in OpenFAIR and the FAIR Controls Analytics Model.
  • Understanding of CA State's many privacy regulations, especially CCPA, CPRA, and CCPA.
  • Understanding of CA State's many educational privacy & academic freedom regulations, and how they interact
  • Understanding of good healthcare-specific cybersecurity policies and procedures
  • Understanding of state-of-the-art Artificial Intelligence capabilities, including language models.
  • Familiarity with the UNIX/Linux operating systems and their basic operations
  • Familiarity with Windows server and workstation operating systems and their basic operations.
  • Familiarity with LAN and WAN networking technologies, and common security issues
  • Familiarity with common cyber security control systems used at all levels, including but not limited to: Firewalls, ACLs, Intrusion Detection (IDS), Intrusion Prevention (IPS), Data Loss Prevention, Endpoint Detection & Response (EDR), Security Operations and Response (SOAR), Security Information and Event Management (SIEM), Cloud Access Security Brokers (CASB), Identity & Access Management (IAM),

Key Responsibilities

  • 30% - Principal expert for systemic risk
  • 30% - Provide Expert Risk Analysis
  • 20% - Develop and Improve UCDH Cyber GRC Services
  • 20% - Risk analysis oversight

Department Overview

The UC Davis Health Cybersecurity team is dedicated to safeguarding institutional data, critical infrastructure, and operational technology within the UC Davis Health System organization. The team takes a proactive and comprehensive approach to protecting the organization from cyber risks, employing best practices, robust security controls, and education of the workforce to strengthen the overall security posture and resilience of the enterprise.

POSITION INFORMATION

  • Salary or Pay Range: $122,300.00 - $259,900.00
  • Salary Frequency: Monthly
  • Monthly Salary Range: $10,191.67 - $21,658.33
  • Salary Grade: Grade 27
  • UC Job Title: IT SCRTY ANL 5
  • UC Job Code: 000662
  • Number of Positions: 1
  • Appointment Type: Staff: Career
  • Percentage of Time: 100%
  • Shift (Work Schedule): M-F
  • Location: UCDHAS Building (HSP165)
  • Union Representation: 99 - Non-Represented (PPSM)
  • Benefits Eligible: Yes
  • This position is hybrid (mix of on-site and remote work)

Benefits

Outstanding benefits and perks are among the many rewards of working for the University of California. UC Davis offers a full range of benefits, resources and programs to help you bring your best self to work, as well as to help you and your family achieve your health, wellness, financial and career goals. Learn more about the benefits below and eligibility rules by visiting either our handy Benefits Summary for UC Davis Health Employees or Benefits Summary for UC Davis Employees and our Benefits Page.

If you are represented by a union, benefits are negotiated between the University of California (UC) and your union and finalized in a contract. Read your bargaining unit's employment contract, stay abreast of current negotiations and learn about collective bargaining at UC: https://ucnet.universityofcalifornia.edu/labor/bargaining-units/index.html

  • High quality and low-cost medical plans to choose from to fit your family's needs
  • UC pays for Dental and Vision insurance premiums for you and your family
  • Extensive leave benefits including Pregnancy and Parental Leave, Family & Medical Leave
  • Paid Holidays annually as stipulated in the UC Davis Health Policies or Collective Bargaining Agreement
  • Paid Time Off/Vacation/Sick Time as stipulated in the UC Davis Health Policies or Collective Bargaining Agreement
  • Continuing Education (CE) allowance and Education Reimbursement Program as stipulated in the UC Davis Health Policies or Collective Bargaining Agreement
  • Access to free professional development courses and learning opportunities for personal and professional growth
  • WorkLife and Wellness programs and resources
  • On-site Employee Assistance Program including access to free mental health services
  • Supplemental insurance offered including additional life, short/long term disability, pet insurance and legal coverage
  • Public Service Loan Forgiveness (PSLF) Qualified Employer & Student Loan Repayment Assistance Program for qualified roles
  • Retirement benefit options for eligible roles including Pension and other Retirement Saving Plans. More information on our retirement benefits can be found here

Physical Demands

  • Standing - Frequent 3 to 6 Hours
  • Walking - Frequent 3 to 6 Hours
  • Sitting - Frequent 3 to 6 Hours
  • Lifting/Carrying 0-25 Lbs - Occasional Up to 3 Hours
  • Pushing/Pulling 0-25 Lbs - Occasional Up to 3 Hours
  • Bending/Stooping - Occasional Up to 3 Hours
  • Squatting/Kneeling - Occasional Up to 3 Hours
  • Keyboard use/repetitive motion - Occasional Up to 3 Hours

Mental Demands

  • Sustained attention and concentration - Frequent 3 to 6 Hours
  • Complex problem solving/reasoning - Frequent 3 to 6 Hours
  • Ability to organize & prioritize - Frequent 3 to 6 Hours
  • Communication skills - Frequent 3 to 6 Hours
  • Numerical skills - Occasional Up to 3 Hours
  • Constant Interaction - Occasional Up to 3 Hours
  • Customer/Patient Contact - Occasional Up to 3 Hours
  • Multiple Concurrent Tasks - Frequent 3 to 6 Hours

Work Environment

UC Davis is a smoke and tobacco free campus effective January 1, 2014. Smoking, the use of smokeless tobacco products, and the use of unregulated nicotine products (e-cigarettes) will be strictly prohibited on any UC Davis owned or leased property, indoors and outdoors, including parking lots and residential space.

Special Requirements - Please contact your recruiter with questions regarding which activities apply by position

  • This is a critical position, as defined by UC Policy and local procedures, and as such, employment is contingent upon clearing a criminal background check(s) and may include drug screening, medical evaluation clearance and functional capacity assessment
  • This position is designated as a mandated reporter under CANRA and UC policy, and employment is contingent on compliance with applicable policies, procedures and training requirements

Misconduct Disclosure Requirement: As a condition of employment, the final candidate who accepts a conditional offer of employment will be required to disclose if they have been subject to any final administrative or judicial decisions within the last seven years determining that they committed any misconduct; received notice of any allegations or are currently the subject of any administrative or disciplinary proceedings involving misconduct; have left a position after receiving notice of allegations or while under investigation in an administrative or disciplinary proceeding involving misconduct; or have filed an appeal of a finding of misconduct with a previous employer.

A Culture of Opportunity and Belonging

At UC Davis, we're committed to solving life's most urgent challenges and building a healthier, more resilient world. We believe in growing through every challenge, continually striving to improve, and welcoming new perspectives that strengthen our community. We recognize that a vibrant and innovative organization values both individual strengths and shared purpose. The best ideas often emerge when people with different experiences come together.

As you consider joining UC Davis, we invite you to explore our Principles of Community, our Clinical Strategic Plan and strategic vision for research and education. We believe you belong here. The University of California, Davis is an Equal Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, age or protected veteran status.

To view the University of California's Anti-Discrimination Policy, please visit: https://policy.ucop.edu/doc/1001004/Anti-Discrimination

Because we want you to feel seen and valued, our recruitment process at UC Davis supports openness and authenticity. Research shows that some individuals hesitate to apply unless they meet every qualification. You may be an excellent fit for this role, or the next one. We encourage you to apply even if your experience doesn't match every listed requirement. #YouBelongHere

To learn more about our background check program, please visit: https://hr.ucdavis.edu/departments/recruitment/ucd/selection/background-checks
