Senior IT Security Analyst

Summary of Purpose:

The Senior IT Security Analyst serves as INPO's primary cybersecurity risk authority, providing oversight and guidance to protect the organization's mission-critical operations in the nuclear power industry. The position, a combination of strategic and hands-on, is responsible for managing and maturing INPO's cybersecurity strategy and program to protect the organization's digital assets and ensure alignment with enterprise risk management objectives, by translating complex technical and regulatory risks into clear actions that reduce risk to INPO.

Essential Functions

• Matures INPO's cybersecurity program, aligning governance, controls, and reporting with NIST Cybersecurity Framework 2.0 and NIST AI Risk Management Framework by setting the standard for security at INPO
• Refines and maintains IT and security policies, standards, and procedures that operationalize DOE/DOC 810, NRC, and ISO requirements within INPO's compliance environment
• Maintains the IT risk register and applies assessment and maturity methods to drive consistent identification, analysis, and mitigation tracking across IT
• Ensures IT integrates risk considerations into technology initiatives, architecture decisions, and change management processes
• Translates technical risks into executive-level insights that inform prioritization, investment and strategic decisions for the CFO, IT Director, and Senior Leadership Team
• Produces monthly metrics and quarterly reports on risk posture, trends, maturity, and recommended actions
• Oversees third-party risk across SaaS, service providers, and supply chain to ensure external relationships meet risk tolerance and contractual/compliance obligations
• Coordinates IT audits, regulatory examinations, security awareness training, penetration testing, and independent assessments; drives timely remediation and continuous compliance
• Applies security intelligence from Security Operations Center (SOC)/Managed Detection and Response (MDR) vendors to inform actions, assessments and decision-making
• Monitors emerging cyber and AI risks, regulatory changes, and industry best practices for nuclear and critical infrastructure, updates strategy accordingly
• Performs hands-on configuration, monitoring and system administration of enterprise vulnerability management tools (e.g. Qualys) and Governance, Risk and Compliance (GRC) platforms (e.g. ServiceNow GRC, X-Analytics)
• Performs other duties as assigned

Knowledge, Skills, and Abilities

• Translates complex cybersecurity and compliance risks into executive-level insights for technical and non-technical stakeholders through advanced communication skills
• Demonstrates mastery in IT risk management, cybersecurity frameworks, and regulatory compliance, leading strategic risk initiatives and mentoring teams on risk assessment methodologies
• Proven ability to lead cross-functional teams in risk assessment and compliance initiatives while fostering continuous improvement in risk management practices
• Proven ability to deliver timely completion of risk mitigating actions, regulatory assessments and compliance programs
• Proven ability to analyze complex risk scenarios, threat intelligence, and compliance information to inform decision-making and risk mitigation strategies
• Maintains strict confidentiality of sensitive cybersecurity intelligence, risk assessments, and regulatory examination findings
• Demonstrates mastery in the relevant specialty area, spearheading initiatives, providing mentorship to team members, and championing innovation and strategic enhancements across the organization
• Advanced communication skills used to drive organization change initiatives and convey complex ideas and project strategies in a clear and compelling manner to stakeholders
• Proven ability to lead and collaborate with diverse teams to achieve common goals, while providing mentorship and guidance to team members, fostering a culture of continuous improvement and excellence
• Demonstrated ability to strategically allocate resources to manage a portfolio of programs; prioritizing tasks, meeting deadlines, and proactively mitigating program risks to ensure successful outcomes
• Advanced ability to use research, analysis, and stakeholder feedback to influence and execute program strategies while remaining up-to-date with industry regulations and compliance standards
• Advanced proficiency in solving complex and multifaceted problems using data, trend, and problem analysis to inform decision making improvements to the program portfolio
• Exemplifies exceptional ability to seek out learn from feedback, coaching, and new experiences. Anticipates challenges and leverages learnings to drive strategic innovation and mentor cross-functional teams
• Lead cross-departmental collaboration efforts to strategically harness collective creativity and drive significant innovation within the organization. Exhibit exceptional communication skills to effectively convey complex ideas and facilitate high-level discussions. Demonstrate a proven track record of impactful cross-functional projects, ensuring alignment and synergy among diverse teams
• Ability to work and maintain confidentiality of highly sensitive/private information

Education, Licenses, and Certifications

Required

• High School Diploma or GED

Preferred

• Bachelor's degree in cybersecurity, computer science, information technology, information assurance, network engineering or network security, or a related field of study
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)

Experience

Required

• Six or more years of professional work experience
• Four or more years of experience in risk management, audit, or cybersecurity governance in regulated industries

Preferred

• Six or more years of experience in risk management, audit, or cybersecurity governance in regulated industries
• Experience developing, implementing, and maturing GRC program maturity
• Nuclear industry or critical infrastructure experience with regulatory compliance requirements
• Third-party risk management experience including vendor assessments and supply chain risk analysis
• Executive reporting and stakeholder management experience with C-suite and Board-level presentations

Additional Requirements

Work Context

• Must be able to work prolonged periods of sitting at a desk and working on a computer
• Must be able to work under minimal supervision
• Must be able to sit, stand, walk, stoop, kneel, crouch, climb, and crawl
• Must be able to lift 25 pounds
• Must have a US state or territory issued Real ID compliant driver's license or identification card

Behaviors and Assessments/Additional Requirements

• All INPO employees are expected to abide by behavioral expectations as outlined in INPO's Core Values, Team Effectiveness Attributes, and Leadership Effectiveness Attributes
• Employment is dependent upon successfully completing a pre-employment background check and drug and alcohol test
• This position may require obtaining unescorted access status
• This position requires direct or indirect access to certain export-controlled technology, for which INPO may be required to obtain an export license in accordance with applicable U.S. export control laws and regulations. If an export license is required, any offer of employment at INPO for this position is contingent upon receipt of the export license or authorization

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.