Senior Cyber and Technology Risk Analyst

Please reference the schedule and minimum qualifications listed below before applying.

If you need assistance with filling out our application form or during any phase of the application, interview, or employment process, please notify our Human Resources Team at 801-366-6947 option 1 or email [email protected] and every reasonable effort will be made to accommodate your needs in a timely manner.

Job SummaryThe Senior Cyber and Technology Risk Analyst serves as a member of the Cyber and Technology Risk Management team in our second line of defense. This role participates in the design and implementation and maturity of our cyber and technology risk management program. The Senior Cyber and Technology Risk Analyst provides subject-matter expertise, guidance and monitoring of the first line Cybersecurity and Technology control environment and teams to support effective management of cyber, technology, and data risk within the Credit Union’s risk appetite. This role operates with established risk frameworks and governance structures and guidance from senior team leaders. Complex or enterprise level decisions remain subject to leadership review and approval.

Job Description

LOCATION

Mountain America Center - Hybrid

9800 S Monroe St
Sandy, UT 84070

SCHEDULE

Full Time; this is a hybrid schedule with some weekly in office expectation, based on business need.

To be effective, an individual must be able to perform each job duty successfully.

• Contribute to strategic direction and participate in the execution of roadmap to enhance MACU’s cybersecurity and technology risk management capabilities. Help shape priorities, sequencing, and success measures for assigned program areas.
• Actively assist leadership in developing project plans, roadmaps and status reporting for risk assessments, control testing, standards and training documentation, and other risk management activities.
• Develop and implement testing approaches and strategies to assess the design and operating effectiveness of controls. Lead the design, conduct, and document tests of controls, process walkthroughs, and risk assessments to evaluate design and effectiveness.
• Intake, triage, analyze, and rate (inherent/residual) cybersecurity and technology risks in collaboration with subject matter experts and risk owners. Facilitate alignment and drive completion of risk treatment decisions. Coordinate and perform continuous monitoring of risk treatment activities.
• Assess risk and control gaps of IT systems, processes, and procedures. Ensure control gaps and other risk issues are documented and reported. Review remediation plans and provide feedback to ensure plans are sufficient to ensure sustainable remediation. Monitor remediation progress, identify blockers, and escalate concerns when risk reduction is not on track.
• Evaluate and provide guidance to first line of defense Cybersecurity and Technology teams related to their standards, processes, controls, and risk exceptions.
• Research, understand, and interpret regulations and frameworks that relate to cybersecurity, technology, privacy, and data. Stay aware of changes and educate key stakeholders regarding changes to existing and new regulations and recommended response considerations for MACU. Work closely with the risk owners and Legal, Risk Management, and Compliance teams to ensure compliance with applicable laws and regulations.
• Develop and maintain procedures and training related to risk frameworks, standards, and roles and responsibilities for first line Cybersecurity and Technology teams to ensure effective identification of risks, implementation of controls, monitoring of controls, and reporting on the control environment and any corresponding issues or risks. Improve adoption by translating expectations into actionable guidance and job aids.
• Actively identify and lead implementation of process improvements and efficiencies.
• Support regular and ad-hoc reporting on findings, metrics, and recommend mitigations to first and second line of defense leadership. This includes ad-hoc and scheduled meetings with leadership and risk owners.
• Coordinate and oversee third-party independent risks assessments as necessary to improve the IT risk program and control environment. Define scope, evaluate outputs, and ensure recommendations are actionable.
• Review and provide guidance and quality control for technology and security related Key Risk Indicators (KRIs). Improve the reliability, definition, and thresholds so KRIs drive decisions and action.
• Lead special projects and perform other duties as assigned.

KNOWLEDGE, SKILLS, and ABILITIES

The requirements listed are representative of the knowledge, skills, and/or abilities required.  Reasonable accommodations may be made to enable individuals with disabilities to perform the essential job functions.

Education and Experience

• Bachelor’s degree in Information Security, Computer Science, Information Management, Business or related field or equivalent combination of education and work experience. Advanced degree or equivalent work experience preferred.
• 5+ years of similar or related experience in first or second-line of defense cybersecurity, technology, or data risk management and/or IT audit or related consulting or professional services.
• Experience in leading the evaluation of security and technology controls against cyber, technology, and privacy regulations, standards and frameworks (e.g., FFIEC, ISO 27001, NIST CSF, NIST AI RMF, COBIT, SOC2, PCI, ITIL, DORA, FAIR, etc.).
• Experience leading the development and documentation of IT processes and controls.
• Experience with Archer or other GRC automation tools preferred.
• Experience working in banking, financial services, or other regulated environment preferred.
• Working knowledge of major regulatory/legal frameworks (US/international) driving requirements across technology organizations preferred.
• Working knowledge of risk/control issues in relation to evolving technology (e.g., blockchain, AI/Machine Learning, cloud, quantum computing, etc.) preferred.

Licenses, Certifications, Registrations

• Certification from recognized security, technology, or risk management body (e.g., CISSP,CEH, CISA/CISM, CRISC, GIAC, FAIR, etc.) is preferred.

Knowledge & Skills

• Advanced understanding of the purpose, application, and integration of enterprise‑wide cybersecurity and technology risk concepts. Demonstrated ability to analyze technology and security risk solutions, independently scope and execute risk assessments, and assess complex risk scenarios across domains such as vulnerability management, resilience, SDLC, infrastructure, cloud, data governance, and AI governance.
• Strong working knowledge and applied experience with cyber, technology, and privacy regulations, standards, and frameworks (e.g., FFIEC, ISO 27001, NIST CSF, NIST AI RMF, COBIT, SOC 2, PCI, CCPA, ITIL, DORA, FAIR). Applies subject-matter expertise to interpret regulatory intent, assess applicability, identify gaps, and translate requirements into practical expectations for first line teams.
• Proven ability to independently manage and prioritize work in a fast‑paced environment with competing demands. Demonstrates sound judgment when navigating ambiguity, balancing risk, regulatory expectations, and business objectives, and proactively identifying when to escalate or recalibrate priorities.
• Excellent written and verbal communication skills, with demonstrated experience drafting and reviewing policies, standards, procedures, control documentation, and risk assessments. Ability to clearly articulate risk, control gaps, and recommendations to technical teams, business partners, and senior management in a concise, actionable manner.
• Demonstrated initiative and continuous learning mindset, with the ability to apply new knowledge, emerging risks, and evolving best practices to improve program maturity. Willingness to take on stretch assignments and lead problem‑solving efforts for complex or novel risk topics relevant to MACU.
• Strong collaborative problem‑solving and stakeholder engagement skills. Demonstrated ability to gather and synthesize information from diverse sources, exercise independent judgment, and support and drive resolution of issues through influence rather than authority, while maintaining a strong customer‑service orientation.
• Consistently strong contributor to team effectiveness and quality outcomes. Understands how individual work connects to broader enterprise risk objectives and strategic priorities. Provides informal mentorship, peer review, and knowledge sharing to elevate overall team capability and consistency.
• Proficient in Microsoft Office tools, including Copilot, with the ability to leverage technology to improve analysis, documentation quality, efficiency, and reporting.

PHYSICAL ABILITIES / WORKING CONDITIONS

Physical Demands

Ability to sit, talk and hear consistently

Vision Requirements

Close vision (clear vision at 20 inches or less)

Distance vision (clear vision at 20 feet or more)

Color vision (ability to identify and distinguish colors)

Weight Lifted or Force Exerted

Ability to lift up to 10 pounds frequently and up to 25 pounds occasionally

Environmental

There are no unusual environmental factors (such as a typical office)

Noise Environment

 Moderate noise (business office with computers and printers, light traffic)

***This Job is not eligible to be performed in Colorado or Connecticut, either remotely or in-person.***

Mountain America Credit Union is an EEO/AA/ADA/Veterans employer.