Sr Cybersec Gov&Risk Analyst

Sorry, this job was removed at 08:28 a.m. (CST) on Tuesday, Jan 21, 2025
Fayetteville, NC, USA
In-Office
Hardware • Energy
The Role

More than a career - a chance to make a difference in people's lives.

Build an exciting, rewarding career with us – help us make a difference for millions of people every day. Consider joining the Duke Energy team, where you'll find a friendly work environment, opportunities for growth and development, recognition for your work, and competitive pay and benefits.

This is the third level of the Cybersecurity Governance & Risk Analyst classification hierarchy.  Employees at this level solve more complex problems, in multiple areas of specialization, with general supervision.  Incumbents are expected to develop advanced skills and the ability to work with greater independence. They effectively apply fundamental concepts and procedures to work that is fairly complex and varied. 

In accordance with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and Duke Energy’s IT503 Cybersecurity Program, Enterprise Technology Security & Compliance Enablement (ETSCE) is responsible for working closely with multiple Business Areas to ensure effective, efficient, and consistent adherence with the NERC CIP Standards and enterprise program to support a strong compliance culture across the organization. ETSCE works to achieve and is responsible for asset inventory management and categorization, potential violation and self-report coordination, cause analysis, mitigation plans and risk assessments, NERC CIP project engagement, standard revisions, controls implementation, and ongoing compliance activities.

Job Summary

This role is primarily responsible for performing work with minimal supervision to include BES Asset Identification and Periodic Inventory Reviews in the form of NERC CIP field walkdowns as a member of the Walkdown Asset Management (WAM) team. Daily activities include managing walkdown frequency, gathering documentation required to prepare for field walkdowns, executing field walkdowns, and compiling evidence gathered during field walkdowns in support of our NERC CIP program.

The successful candidate must possess or develop a strong understanding of NERC CIP reliability standards and the Duke Energy IT503 Cybersecurity program to ensure CIP compliance processes are followed, activities are properly performed and documented, and evidence is prepared appropriately to validate proper compliance. The individual is expected to be knowledgeable in the use of compliance concepts and procedures, demonstrate critical thinking skills to identify potential issues, develop solutions, and take actions to resolve issues.

Responsibilities

  • Conduct annual NERC CIP walkdown tasks and responsibilities at High/Medium/Low-Impact sites for periodic assessments and ongoing compliance

  • Conduct classification and inventory reviews

  • Maintain NSH documents and diagrams to ensure that they are accurate and remain up to date

  • Perform PACS server testing

  • Create and maintain documents and diagrams for BES cyber asset classification and inventory reviews

  • Perform site-level vulnerability assessments and contribute to the enterprise program

  • Serve as an interface between internal team members, Duke Energy compliance managers, Security Compliance, business areas, support groups, contractors, and vendors to facilitate appropriate communication and problem resolution

  • Participates in periodic audit reviews facilitated by either external auditing organizations or regional electric reliability entities; demonstrates effective communication skills when presenting regulatory evidence

  • Identifies problems, develops solutions, and takes actions to resolve more complex project or walkdown issues

  • Ensure processes are being executed properly by the team and that tasks are completed on time and as expected

  • Responds well to managers, easily coachable, and exhibits confidence and a proper level of assertiveness when needed

  • Displays mature approach and ability to work under high stress situations

  • Knowledgeable of and proficient with tools and procedures for the NERC CIP Program

  • Proactively engages in training and development programs to improve and maintain job performance and promote professional growth and development

Basic/Required Qualifications

  • Bachelor's degree in Cybersecurity or other related degree

  • Minimum of 5 years required related work experience

  • In lieu of Bachelor's degree(s) AND 5 year(s) related work experience listed above, High School/GED AND 9 year(s) related work experience

Desired Qualifications

  • Knowledge of NERC CIP Standards and compliance requirements and business applications such as Microsoft Excel and Visio

  • Experience working in a regulated environment such as NERC CIP, SOX or HIPAA

  • Experience with audits, controls, security, and related industry regulatory issues

  • Demonstrated experience participating in a regional NERC CIP audit, including narrative creation and data request completion, and/or interfacing with internal and external auditors

  • Previous experience working with networking

  • IT or Cybersecurity certifications, such as those issued by GIAC, ISACA, or (ISC)2

  • Knowledge of cybersecurity frameworks such as NIST or ISO

  • General knowledge of Duke Energy’s core business, including SCADA and Energy Management Systems (EMS)

  • Able to work effectively with broadly defined direction requiring a great degree of judgement, recognizes appropriate times to raise issues and provide status updates, and demonstrates ability to work independently with little direct supervision

  • Experience working independently to drive aggressive project timelines and schedules

  • Demonstrated global mindset and effective collaboration skills within and across different teams

  • Strong interpersonal, process improvement, and documentation skills

  • Knowledge of risk management processes (e.g., methods for assessing and mitigating risk), laws, regulations, policies, and ethics as they relate to cybersecurity and privacy

  • Excellent interpersonal skills with the ability and willingness to share information and transfer knowledge to others

  • Strong team player with the ability to effectively manage multiple tasks and assignments

  • Demonstrates good listening skills and puts forth the effort to understand other points of view

  • Has the ability to manage confidential information with a high degree of integrity

  • 5+ years utility, cyber security, auditing, compliance, regulatory or related experience.

  • Experience with at least three (3) years of NERC CIP Compliance

Working Conditions

  • Hybrid Mobility Classification – Work performed between office, remote, and field locations; however, hybrid employees should live within a reasonable daily commute to their assigned work location

  • Ability to work extended and/or non-business hours as required to meet regulatory compliance demands

  • Must pass a personnel risk assessment including 7-year background screening and annual cyber security training

  • Travel 70-80%

Travel Requirements

25-50%

Relocation Assistance Provided (as applicable): No

Represented/Union Position: No

Visa Sponsored Position: No

Posting Expiration Date

Tuesday, January 21, 2025

All job postings expire at 12:01 AM on the posting expiration date.

Please note that in order to be considered for this position, you must possess all of the basic/required qualifications.

The Company
Charlotte, NC
23,000 Employees

What We Do

Duke Energy makes life better for every day by providing electric and gas services in a sustainable way – affordable, reliable and clean. Headquartered in Charlotte, N.C., Duke Energy is one of the largest energy holding companies in the United States. Its Electric Utilities and Infrastructure business unit serves approximately 7.5 million customers located in six states in the Southeast and Midwest. The company's Gas Utilities and Infrastructure business unit distributes natural gas to approximately 1.6 million customers in the Carolinas, Ohio, Kentucky and Tennessee. Its Commercial Renewables business unit operates a growing renewable energy portfolio across the United States. Duke Energy is a Fortune 125 company traded on the New York Stock Exchange under the symbol DUK.
