SAP GRC/ IT Risk Senior Consultant I

At Allstate, great things happen when our people work together to protect families and their belongings from life's uncertainties. And for more than 90 years, our innovative drive has kept us a step ahead of our customers' evolving needs. From advocating for seat belts, air bags and graduated driving laws, to being an industry leader in pricing sophistication, telematics, and, more recently, device and identity protection.

Job Description
The Security Governance Senior Consultant II / Senior Security Governance Specialist is responsible for designing, executing, and evaluating cybersecurity governance, risk management, and compliance (GRC) activities to protect enterprise information, technology assets, and business operations. This role serves as a senior individual contributor with deep expertise in cyber risk assessment, regulatory interpretation, control evaluation, and risk-based decision support.

The role partners closely with technology, business, legal, compliance, privacy, and internal audit teams to ensure cybersecurity risks are identified, assessed, communicated, and managed in alignment with regulatory requirements, industry standards, and organizational risk appetite.

• Lead and execute enterprise, business-unit, and technology-specific cyber risk assessments, including inherent risk identification, control adequacy evaluation, residual risk determination, and risk prioritization
• Develop, enhance, and operationalize cyber risk assessment methodologies, frameworks, and assessment artifacts aligned to recognized standards (e.g., NIST CSF, NIST SP 800-53, ISO/IEC 27001, CIS, COBIT)
• Translate business and technical risks into clear, actionable risk statements, supported by evidence-based control evaluation and impact analysis
• Drive risk-based decision-making by clearly articulating risk exposure, control gaps, and mitigation options to stakeholders.

• Research, interpret, and apply global and regional cybersecurity regulations and requirements (e.g., NYDFS 500, GLBA, PCI DSS, SOX ITGCs, data protection and privacy regulations, contractual security requirements)
• Analyze regulatory guidance, enforcement actions, and industry advisories to inform governance programs and risk posture

• Design, enhance, and execute cybersecurity governance programs, policies, standards, procedures, and control requirements aligned to business and regulatory needs
• Identify process gaps, control deficiencies, and maturity weaknesses; recommend risk-based remediation strategies and pragmatic control improvements
• Contribute to the evolution of enterprise cybersecurity risk assessment (ECRA) capabilities, including risk taxonomies, metrics, and reporting
• Support continuous monitoring and re-assessment of cyber risks as business, technology, and threat landscapes evolve

• Act as a trusted risk advisor to technology, engineering, and business leaders by explaining complex cybersecurity and regulatory topics in a practical, business-relevant manner
• Develop and deliver risk assessment summaries, executive briefings, and governance reports tailored for senior leadership, risk committees, and audit stakeholders
• Provide guidance and mentorship to less-experienced team members on cyber risk assessment techniques, regulatory interpretation, and governance best practices

• Strong understanding of: Cybersecurity risk management concepts (threats, vulnerabilities, impact, likelihood, controls) Cloud, SaaS, and third-party risk considerations Identity & access management, data protection, network security, vulnerability management, and secure SDLC concepts
• Hands-on experience with: NIST CSF, NIST SP 800-53, ISO 27001/27002, CIS Controls, COBIT Regulatory frameworks relevant to financial services, insurance, or regulated industries

• Ability to translate technical risks into business-impact-focused language
• Strong analytical, documentation, and critical-thinking skills
• Proven ability to influence without authority and work across matrixed organizations
• High attention to detail with strong judgment in risk interpretation and prioritization

• 10-14 years of progressive experience in cybersecurity risk management, security governance, compliance, audit, or related cybersecurity roles (Preferred)
• Experience in large, complex, and regulated environments strongly preferred