GRC Security Analyst II

Essential Utilities, Inc. delivers safe, clean, reliable services that improve quality of life for individuals, families, and entire communities. Operating as the Aqua (water and wastewater services) and the Peoples and Delta (natural gas) brands, Essential serves approximately 5.5million people across 10 states. We are committed to sustainable growth, operational excellence, a superior customer experience, and premier employer status – including a competitive and comprehensive benefits package as well as a commitment to career growth opportunities. We are advocates for the communities we serve and are dedicated stewards of natural lands, protecting more than 7,600 acres of forests and other habitats throughout our footprint. Our company is one of the most significant publicly traded water, wastewater service and natural gas providers in the U.S. The primary responsibilities of the GRC Security Analyst II (Governance & Risk) are to ensure the security and integrity of the organization's information systems, with a specific focus on risk & vulnerability management as well as security compliance. The Security Analyst will frequently engage with both technical teams and business process owners to analyze risk, communicate risk posture, and develop effective remediation strategies. Essential Duties Manage execution of both enterprise-wide and focused risk, threat, and vulnerability assessments, including but not limited to Security Awareness, Vulnerability, Configuration, and Third-Party Assessments. Analyze and prioritize risk, vulnerability, and compliance findings to define remediation priorities using all available data sources; partner with technology and business stakeholders to socialize and implement remediation plans. Define and manage qualitative and quantitative metrics and reporting to measure the success of vulnerability, third‑party, security awareness, configuration, and asset management remediations. Lead ongoing vulnerability management processes, working with IT and business stakeholders to prepare vulnerability remediation plans, track progress, and reduce overall vulnerability exposures. Participate in development, implementation and operation of control/compliance frameworks and security best practices based on ISO 27001/27002, NIST (800-30, Cyber Security Framework/CSF), COBIT, Critical Security Controls, CIS Configuration Benchmarks. Monitor compliance with security configuration standards for servers, endpoints, software, and networking platforms based on CIS Benchmarks. Work closely with IT, development, and operations teams to integrate security practices into the software development lifecycle (SDLC) and IT operations. Lead or assist with vendor and third‑party risk assessments. Create and maintain documentation of security solutions, services, configurations, and processes. Work closely with engineers focused on intrusion detection, incident response and security operations to manage risk related to existing and emerging threats. Collaborate with other security engineers to analyze, process, integrate, communicate, and respond to threat intelligence. Participate in or lead development, improvements and updates to continually improve security controls, policies, guidelines, processes, and procedures. Develop and deliver security awareness training programs for employees to enhance their understanding of security best practices and ensure that security and risk management are integrated into the corporate culture. Lead development and operation of the security awareness program to ensure ongoing integration into the corporate culture. Implement and maintain controls for compliance and privacy; liaise with internal and external audit teams as needed. Provide escalation support for the Information Technology Help Desk as required. Work off‑hour maintenance windows and participate in rotating on‑call shift periodically. Work alone or function effectively as part of a team. Perform all other duties as assigned by management. Minimum Qualifications Bachelor's degree in Information Technology, Computer Science, Cyber Security, Security and Risk Analysis, or Information Assurance. 3–5 years of Governance & Risk experience. Current certification of at least one of: CISSP, GIAC (GSEC, GSNA), CRISC, CISA, CISM, CCSP, SSCP, CAP, CSSLP, CSX Practitioner (or intent to obtain within 12 months). Knowledge, Skills, & Abilities Experience with assessment tools such as Qualys PolicyCompliance, CIS‑CAT, and other vulnerability management platforms across multiple modules (Vulnerability Management, Policy Compliance, Continuous Monitoring, Web Application Scanning, Asset Management). Experience leading security awareness program development, including phishing assessment campaigns; creation of innovative campaigns using provider and custom‑developed tools/training adaptable across a diverse employee population; aligning the program with enterprise risks and measuring impact. Experience with GRC platforms, RSA Archer knowledge is a strong positive. Strong written and verbal communication skills for working directly with technical teams and business stakeholders. Excellent organizational skills, ability to multi‑task, prioritize workload and delegate responsibilities. Strong analytical skills for assessing and prioritizing security risks. Ability to promote a security‑conscious culture within the organization. Ability to adapt to evolving threats, technologies, and organizational needs. Ability to understand and integrate security into project and application lifecycles for enterprise IT systems. General knowledge of security‑related technologies: Active Directory, database platforms, web server platforms, middleware, PKI, cloud computing (Office365, Azure). Experience using statistical, quantitative, and qualitative analysis techniques. Proactive approach to staying informed on latest security threats, vulnerabilities, and industry best practices. Essential Utilities, Inc. is an Equal Opportunity/Affirmative Action employer. Equal employment opportunity is provided to all employees and applicants without regard to race, color, religion, sex, national origin, age, pregnancy (including childbirth and related medical conditions), disability, veteran status, genetic information, sexual orientation, gender identity or expression, or any other characteristic protected by applicable law. #J-18808-Ljbffr