Sr Cybersecurity Analyst - Risk

JOB DESCRIPTION

Flexible hybrid work environment, 4 days a week in the office.

Why GM Financial?

GM Financial is the wholly owned captive finance subsidiary of General Motors and is headquartered in Fort Worth, U.S. We are a global provider of auto finance solutions, with operations in North America, South America and the Asia Pacific region. Through our long-standing relationships with auto dealers, we offer attractive retail financing and lease programs to meet the needs of each customer. We also offer commercial lending products to dealers to help them finance and grow their businesses.

At GM Financial, our team members define and shape our culture - an environment that welcomes new ideas, fosters integrity and creates a sense of community and belonging. Here we do more than work - we thrive.

• Demonstrated proficiency developing and updating cybersecurity policies, standards and procedures referencing NIST 800-53 controls and the NIST Cyber Security Framework, including implementing revisions in accordance with updates in relevant regulatory or industry cybersecurity practices
• Experience with audit management and tracking of remediation items and/or findings to completion
• Demonstrated capability to collaborate with business partners to manage cybersecurity needs
• Experience with development of security requirements to protect the company from external and internal threats
• Experience with documentation and reporting of policy or procedure discrepancies and/or change requests
• Ability to initiate, facilitate and promote cybersecurity within the organization and monitor adherence to cybersecurity policies, standards and controls

• Demonstrated proficiency understanding and implementing cybersecurity policies, standards and procedures referencing NIST 800-53 controls and the NIST Cyber Security Framework.
• Experience with risk management and technical risk assessment processes ensuring compliance with policies and regulatory requirements
• Proven experience in assessing cybersecurity risk associated with third-party vendors, including the evaluation of vendor security documentation, risk scoring, and alignment with organizational risk tolerance.
• Demonstrated capability to collaborate with business partners to manage cybersecurity needs
• Proven experience in assessing cybersecurity risk associated with third-party vendors, including the evaluation of vendor security documentation, risk scoring, and alignment with organizational risk tolerance.
• Experience with the development of security requirements to protect the company from external and internal threats
• Experience with documentation and reporting of policy or procedure discrepancies and/or change requests
• Ability to initiate, facilitate and promote cybersecurity within the organization and monitor adherence to cybersecurity policies, standards and controls
• Experience coaching and mentoring junior members, providing guidance on risk assessment methodologies and cybersecurity best practices to support their professional development and ensure consistent application of security standards across the team.
• Perform other duties as assigned
• Conform with all company policies and procedures
• Expertise in evaluating vendor security posture, reviewing documentation (e.g., SOC 2, SIG, CAIQ) and identifying control gaps.
• Deep understanding of cybersecurity and risk management frameworks e.g. NIST, ISO
• High level understanding of technology infrastructure, security concepts and platforms
• Demonstrated success in project management and leading collaborative programs
• Understanding of technical controls (e.g., firewalls, IDS/IPS, endpoint protection) and how they relate to risk posture.
• Strong understanding of application layer protocols including HTTP, SSH, SSL and DNS
• Knowledge and ability to stay abreast of the latest security and privacy legislation, regulations, advisories, alerts and vulnerabilities
• Proficiency with GRC platforms (e.g., Archer, QuickBase) or similar tools for tracking risks and remediation.
• Familiarity with SOX, PCI-DSS and other relevant regulations impacting cybersecurity risk.
• Knowledge of IT security processes and controls as well as IT infrastructure and networking technical knowledge
• Ability to translate technical risk findings into business-impact language for stakeholders and leadership.
• Ability to think strategically and make collaborative decisions
• Ability to apply structured analysis methods to various types of data to establish trends, determine variability and business impact
• Communicates quickly, clearly, concisely, appropriately and intelligently
• Foster open communication, speaks with impact, listens to others, and writes effectively
• Ability to effectively communicate with vendors on cybersecurity risk assessments.
• Effective planning, time management, negotiation and delegation skills
• Expert level IT security processes and controls knowledge as well as IT infrastructure and networking technical knowledge
• Ensure effective communication and partnership with all departments at GMF and serve as a liaison of Cybersecurity and first point of contact for cybersecurity risk concerns
• Ability to approach problems with an open-mind and create new and innovative ideas and methods
• Experience with technical writing
• Experience in documentation tools such as Visio and Microsoft Office products
• Advanced information security standards/frameworks (ie, NIST Cybersecurity Framework, ISO 27001) skills
• Strong analytical skills
• Creative, Innovative, problem-solving and maximizing your potential to solve problems and improve methods
• Think positively when faced with obstacles, build on others ideas, think logically and intuitively
• Detail oriented
• Understanding of cloud technologies and concepts
• Familiarity with DevOps and Agile development processes

• Bachelor's Degree in related field or equivalent work experience strongly preferred
• 5-8 years of experience in large and complex business environments with a successful track record implementing cybersecurity risk management programs. Big 4/Consulting experience is strongly preferred.

• Information Security Certifications strongly preferred