Senior Information Risk Analyst

8901 - Corp Office West Crk - 12800 Tuckahoe Creek Parkway, Richmond, Virginia, 23238CarMax, the way your career should be! 

Do you want to play a key role in enhancing the Cybersecurity program for a Fortune 200 company and national brand that has also been listed on the Fortune 100 Best Places to Work for the past 21 years in a row? Do you enjoy working in a collaborative environment where your ideas can help shape the direction and development of critical cybersecurity capabilities? 

Do you want to work with a team of talented professionals that have in-depth technical knowledge and be the subject matter expert in technology governance, risk management, compliance, and audit requirements?

Then your job search begins and ends here….

Who we are looking for:

A Senior Technology/Information Risk Analyst with experience in the areas highlighted below.  This is a unique opportunity to work at a Fortune 200 company and national brand to expand your skills and influence a growing Information Risk Management Program.  This opportunity provides the ability to work with the Technology teams to effectively manage information risk and perform risk assessments. You will work with senior risk management and technology professionals to design and facilitate cybersecurity risk assessments on existing technology, processes to accommodate new business areas as well as changes in our risk profile and provide support across our information risk management framework activities. You will assist the Cybersecurity, technology, compliance, and information risk teams in identifying risks, developing recommendations to mitigate risk, manage information security policies, and assist with the company-wide information security awareness program, including design and management of the annual Information Security Training. 

The Day to Day:

• As a key member of a high performing information risk management team, support, execute and maintain a framework for information risk management including validation, weighting, and classification methods.

• Perform information security risk assessments, understand threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information.

• Help develop related processes and procedures to ensure and enforce compliance with all company policies, applicable laws, and regulatory requirements regarding information security, privacy, and data integrity as well as reducing vulnerabilities.

• Assist with the development and delivery of information security risk related training and awareness programs.

• Assist with analysis of security vulnerabilities, developing risk-based business recommendations.

• Administer governance, risk and compliance systems and processes owned by the department. 

• Assist in preparation of accurate and timely communications of risks, recommendations and conclusions as well as evaluating management mitigation plans.

• Assist in developing automated risk assessment tools and processes.

• Gathers data, conducts analyses, and prepares related risk reporting.

• As an integral member of the team, exhibiting ownership, follow-through, initiative, awareness and effective communication with peers and management and ability to speak to details of information risk management

Information Risk Methodology:

• Ability to help design and implement industry standard technology risk management practices across the enterprise.

• Champion the information risk management methodology by demonstrating ownership of the design aspects of the operations lifecycle.

• Passionate about support & ownership of threat areas of Cybersecurity.

• Understand level of risks and exposure as it relates to systems, services, and networks.

• Driver of security awareness type activities with proven results.

Here's the technology part…

Experience with the following required:

• Ability to understand the business requirements as well as provide a proposal of the appropriate information risk resolution to computer threats.

• Ability to understand the business processes supported across all team’s environments.

• Understanding of key compliance regulations such as Sarbanes-Oxley, GLBA, HIPPA , CFPB, and Payment Card Industry (PCI), plus external Cybersecurity and privacy regulations.

• Experience in execution of an enterprise and technology risk framework, including the identification, assessment, and mitigation of risk: understanding how to balance the company’s risk appetite and its overall impact.

• Understanding of network controls, cloud controls, user administration, authentication methods, file permissions, groups, and domain concepts.

• Demonstrated ability to compare alternative information security risk approaches and methodologies while assessing risk both quantitatively and qualitatively to meet the business needs.

• Excellent communication skills to include but not limited to verbal and written communication; delivering organized presentations; able to tailor message to the audience; and facilitate group discussions with diplomacy and seek diverse opinions.

• Excellent analytical, troubleshooting, and problem-solving skills and performs well under fast paced, high pressure or stressful situations.

• Ability to learn the business processes implemented in the team's applications. Demonstrated flexibility.

• Proven ability to effectively communicate remediation and prevention approaches via leading practices.

• Ability to help develop and deliver information security awareness training and business understanding for business partners, engineers, developers, and analysts.

• Ability to drive through obstacles and time constraints to successfully deliver to completion

• Dedication and commitment to world class service and to exceeding customer expectations.

• Desire to learn and keep current with technology and emerging technology risk trends.

• Possess strong organization and time management skills.

• Demonstrated flexibility in a fast paced and agile environment. 

• Expertise solving technical problems and presenting solutions which impact all areas of their team’s systems environments.

• Excellent analytical, troubleshooting, and problem-solving skills.

• Ability to evaluate long term impacts when making recommendations and decisions.

Education and/or Experience:

• Bachelor's degree in Business/ Computer Science/Information Systems with IT audit, risk or compliance experience or equivalent military experience.

• Industry certification required, i.e. Certified in Risk and Information Systems Control (“CRISC”), or in the process of obtaining the CRISC, CISA, CISM, BCBP, CIA, PCI, CISSP.

• Knowledge of information security, risk management industry frameworks and standards NIST, COSO, OWASP, ISO-27001/2, SANS, Cobit and ITIL.

• 5+ years working experience with enterprise and technology risk management programs, privacy, data security and control issues with technologies.

• Previous working experience and/or knowledge of two or more security functions (IT Risk Assessor, QSA, Security Specialist, IT Auditor).

Work Location and Arrangement: This role will be based out of the Richmond, VA Technology Innovation Center.  Associates based in Richmond work onsite 4 days per week. 

Work Authorization: Applicants must be currently authorized to work in the United States on a full-time basis. Sponsorship will not be considered for this specific role.

About CarMax

CarMax disrupted the auto industry by delivering the honest, transparent and high-integrity experience customers want and deserve. This innovative thinking around the way cars are bought and sold has helped us become the nation’s largest retailer of used cars, with over 250 locations nationwide.

Our amazing team of more than 25,000 associates work together to deliver iconic customer experiences. Along the way, we help every associate grow their career and achieve their best, at work and in their community. We are recognized for our commitment to training and diversity and are one of the FORTUNE 100 Best Companies to Work For®.

Our Commitment to Diversity and Inclusion:

CarMax is committed to bringing together people from different backgrounds and perspectives, providing employees with a safe, welcoming, and inclusive work environment.

CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, gen

Upon an applicant's request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.