Info Security Analyst

Job Title: Info Security Analyst Location: 100% Remote Duration: 8 MonthsJob Description: The Senior Security Metrics and KRI Design Analyst is responsible for defining, governing, and driving adoption of enterprise security performance metrics, including Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), and operational security metrics. This role partners with cyber domain leaders (IAM, SOC, Vulnerability Management, GRC, Cloud Security, AppSec, Third Party Risk, etc.) to translate security strategy and risk appetite into measurable outcomes, and to ensure metrics are implemented, trusted, automated, and consumed by operational teams and executives. This role is accountable for full lifecycle delivery: strategy -> design stakeholder alignment implementation data quality reporting continuous improvement. Key Responsibilities 1) Metrics Strategy, Design & StandardizationLead design and ongoing evolution of security metric taxonomy, ensuring consistent definitions for KRIs, KPIs, and operational measures.Build/maintain a security metrics library including: o metric definitions (name, intent, formula, thresholds) o risk mapping (control objectives, risk statements) o tiering and criticality (enterprise vs domain vs team level) o target ranges and escalation logicEnsure metrics align to: o enterprise risk appetite/tolerance o security strategy and OKRs o regulatory or audit expectations (as applicable) 2) Stakeholder Engagement & SocializationFacilitate working sessions with security leaders to drive alignment on: o metric definitions o thresholds / limits o performance expectations o ownership and action plansTranslate technical security outcomes into business-relevant language suitable for executives and non-technical stakeholders.Establish strong partnership with ERM, Audit, Compliance, and Technology leaders to ensure metric credibility and broad adoption. 3) Implementation Leadership (Build & Operationalize)Drive implementation of metrics into reporting workflows and tooling (e.g., Power BI/Tableau, Archer, ServiceNow, Splunk, Jira, CMDB, EDR platforms).Partner with data engineering teams to automate metric feeds and reduce manual reporting.Define data requirements and map sources to metric logic.Build repeatable metric operational procedures: o refresh cycles o validations o approvals o artifact retention 4) Reporting, Insights & Executive ReadoutsDevelop executive-ready reporting packages for: o Security leadership o Technology leadership forums o Risk committees / Board materials (as required)Provide analysis beyond the numbers: o trend drivers o root cause hypotheses o leading indicators vs lagging indicators o recommended actionsPrepare talking points and narrative summaries to ensure metrics drive decisions-not just reporting. 5) Data Quality, Controls, and Governance Establish controls to ensure metrics are: o accurate o complete o consistent across domains o traceable back to systems-of-recordImplement documentation, QA checkpoints, and periodic metric reviews (e.g., quarterly definition validation).Enforce metric governance and reduce metric sprawl. Key CompetenciesMetrics design + governance mindsetExecutive presence / ability to brief leadershipStrong facilitation and workshop leadershipAbility to balance precision with pragmatismData storytelling and narrative buildingOwnership mentality; proactive problem solver Deliverables / Success Measures (first 6-12 months)Established and published Security Metrics Library with approved KRIs/KPIsImplemented reporting for priority security domains with automated feedsBuilt executive dashboards with consistent definitions and thresholdsOperationalized review cadence: o monthly operational reporting o quarterly threshold/definition reviewsReduced manual reporting and improved trust in security metrics MUST-HAVE Hard Skills: 1.) 8+ years' experience in cybersecurity metrics, cyber risk reporting, cyber operations, GRC, or business intelligence supporting InfoSec/IT. 2.) Strong understanding of security domains such as: -SOC / incident response -vulnerability management -IAM / PAM -cloud security -AppSec / SDLC security -third party risk 3.) Excel (advanced), PowerPoint (executive storytelling) 4.) At least one BI tool (Power BI/Tableau/Qlik) SOFT SKILLS: 1.) Strong communication skills (written and verbal) 2.) Comfortable presenting and speaking to executives NICE-TO-HAVE 1.) Experience with frameworks such as NIST CSF, NIST 800-53, ISO 27001, CIS Controls 2.) Experience with metric automation sources/tools: -Splunk, Sentinel, CrowdStrike, Qualys/Tenable -ServiceNow (IRM/GRC/SecOps) -Archer 3.) Certifications (nice to have): -CISSP / CISM / CRISC -Security+ (if earlier-career senior) -ITIL Foundation 4.) Experience building KPI/KRI governance or measurement programs 5.) Prior banking or financial institution experience

Created: 2026-03-05