Product Security Risk & Compliance Analyst

Job Title: Product Security Risk & Compliance Analyst

Remote Position

Job Summary:

We are seeking a Product Security Risk & Compliance Analyst Contractor to support the ongoing development of cybersecurity risk management capabilities within a leading engineering business unit. This role is ideal for an experienced professional with a strong background in cyber risk governance, product security, and secure software development lifecycles (S-SDLC)-particularly in IoT and network-connected device environments. This individual will help drive the maturity of the product security risk register, provide expert guidance to risk owners, and support compliance and security incident response readiness. This will be done while ensuring alignment with frameworks and regulatory standards such as MITRE ATT&CK, EMB3D, CVE/CWE, OWASP IoT/AppSec, NIST 218, and ETSI IoT.

Key Responsibilities:

Serve as a subject matter expert supporting product-focused cyber risk, compliance, and governance initiatives for a broad network device product line.

Collaborate with security, engineering, and product teams to identify, assess, and manage cybersecurity risks related to IoT and networked devices.

Support the development and continuous improvement of a Product Security Risk Register, including documentation of risks, ownership, remediation and mitigation plans, communication, and closure timelines.

Lead and document risk assessments, including threat, likelihood, criticality, and impact modeling, while providing actionable mitigation recommendations.

Assist in establishing and evolving governance models aligned with internal policies and external standards/regulations.

Support security compliance and audit initiatives, including both company-led and market certification-related efforts.

Assist in coordinating risk response activities for escalated vulnerabilities or product security incidents.

Contribute to the creation and tracking of KPIs, risk metrics, and dashboards, and support communication of risk posture to leadership.

Interface with ServiceNow GRC modules across business units for structured risk tracking and reporting.

Collaborate across product, engineering, security, and compliance teams to enhance security posture throughout the product lifecycle.

Required Qualifications:

3+ years in a cybersecurity risk analyst or governance role.

8+ years of direct experience in a cybersecurity role.

Strong understanding of IoT and networked device security threats, vulnerabilities, controls, and mitigations.

Hands-on experience with risk management programs, product security assessments, and compliance frameworks.

Working knowledge of CVE and CWE scoring systems and cyber risk scoring methodologies.

Familiarity with MITRE ATT&CK, EMB3D, and threat modeling.

Solid understanding of secure SDLC practices and integrating security controls into product development.

Excellent communication skills with the ability to translate complex cyber risks into actionable business insights.

Familiarity with Slack/Teams, Jira, and Confluence.

Preferred / Nice-to-Have Skills:

Hands-on experience with ServiceNow (especially GRC modules).

Experience supporting product certifications, internal audits, or regulatory compliance.

Exposure to vulnerability scanning tools and manual security assessments.

Moderate scripting skills (e.g., Python, PowerShell, Bash) for automation or analysis.

Experience contributing to security quality feedback loops within product teams.

Experience developing or applying cyber risk scoring frameworks to assessment findings.