Cyber Risk Assessment Expert (Remote - Home Based Worker)

The Cyber Risk Assessment Expert is part of Allstate Information Security (AIS) within Governance, Risk, & Compliance (GRC). This role will be a subject matter expert within our Cyber Risk Assessment Team and will drive maturity and growth in our cyber risk assessment program and methodology to ensure the accurate reporting of residual risk to stakeholders, driving informed, risk based decisioning. This will include the benchmarking of our processes, identification and design of enhancements, and implementation of innovative process changes to drive simplification, affordability and connectivity/synergy across risk services within AIS and across the enterprise.

The successful candidate will be required to collaborate across business and security within the Allstate enterprise and Family of Companies to identify, assess and mature capabilities to report residual risk of cyber related controls. This role will also collaborate with security process owners to drive optimization of our cyber risk analysis services, and the accuracy in residual risk reporting to business level leaders and our Board of Directors. In this highly visible role, there will be exposure to varying levels of leadership across the enterprise and family of companies. A broad range of professional skills along with strong interpersonal and communications skills will be required for problem-solving, objective based decisioning, and collaboration with virtual cross-functional work groups. This resource is expected to serve as a subject matter expert and trusted advisor that can clearly articulate Allstate security policies, standards, control requirements and risk to both technical and business audiences alike.

• Lead design an approach to ensure the transparent reporting of risk impacts to technical assets and business operations to support leadership in risk-based security decisions
• Drive strategic maturity and innovation within the cyber risk assessment program to drive simple, affordable, connected solutions that reduce assessment fatigue and drive informative, effective assessments
• Execute on agreed upon methodology to identify, assess, and report on cyber risk in Board level
• Challenge the status quo to drive maturity, effectiveness and accuracy within and across our cyber risk services
• Recommend operationally feasible and cost-effective solutions to reduce risk, as appropriate
• Partner directly with data and service owners to drive data quality and accuracy to improve the overall effectiveness of the cyber risk quantification process
• Drive automation within workflows and residual risk methodology to drive resource efficiency and self-service capabilities
• Drive sound cyber risk reporting and accountability across Allstate business units and family of companies
• Help our partners proactively maintain a strong cybersecurity preparedness and response posture
• Drive key stakeholder education to support the continued engagement and awareness of program requirements
• Help facilitate review of changes in company processes, standards and technology to ensure the alignment to cyber risk evaluation processes and reporting
• Responsible for building effective working relationships, making sound decisions, successfully making changes, initiating action and achieving results as a trusted advisor

• 5+ years of Information Security/IT risk assessment or consulting experience
• Relevant postsecondary education and/or industry standard certifications preferred (i.e., CRISC, CISM, CISA, CISSP, CompTIA, SANS Institute/GIAC)
• Strong analytical and organizational skills, ability to effectively manage multiple, competing projects/priorities and teams while achieving targeted completion results
• Effective written, verbal communication skills. Ability to tailor communication style to audience at hand
• Ability to effectively work with technical and non-technical resources, able to partner with multiple business groups, managers, and network architects or engineers
• Take complete ownership over assigned objectives and is able to work independently in a "semi-structured" environment, but recognizes when guidance is needed from program management and senior leaders
• Ability to write quality documentation and/or presentations is a must
• Ability to work across organizational boundaries and levels is a must
• Proficient in MS Office Pro Suite and SharePoint
• Ability to stay up to date with the current cybersecurity threat landscape to account for changing circumstances when evaluating security risks, maintain technical proficiency via self or formal training
• Good understanding of IT security best practices by applying depth and breadth of expertise in multiple domains and security disciplines
• Working knowledge of: PCI DSS 3.2, HIPAA applicable security / privacy controls, Sarbanes-Oxley (SOX) 404, ISO/IEC 27000 family of standards, NIST 800-53, NIST cybersecurity framework, and COBIT
• General knowledge of common application security architecture and vulnerabilities (e.g. OWASP Top 10), attack techniques and remediation tactics/strategies
• General familiarity with common enterprise infrastructure (OS platforms, directory services, networking infrastructure, appliances, middleware, common security infrastructure)