Senior Cybersecurity Risk Analyst

Join AIR as a Senior Cybersecurity Risk Analyst. This is a key role within AIR’s Information Security Office, responsible for coordinating and driving institution‑wide security initiatives. The Senior Cybersecurity Risk Analyst will apply technical expertise across advanced security testing, continuous threat exposure management, and red‑team initiatives while leading risk and assurance activities, internal assessments, continuous monitoring, and client security questionnaire responses. 

This position will support data governance efforts, including information security plan reviews. If you are ready to make a significant impact and excel in a fast-paced environment, this role is for you. The position requires broad expertise across application security testing, risk identification and treatment, and security assessment and authorization activities. This position reports to Director, Head of Information Security.

This remote position offers hybrid work flexibility to work from one of AIR’s U.S. office locations with occasional travel required for meetings, training sessions, and conferences. 

Founded in 1946 and headquartered in Arlington, Virginia, the American Institutes for Research (AIR) is a nonpartisan, not-for-profit organization that conducts behavioral and social science research and delivers technical assistance to address some of the most pressing challenges in the United States and globally. We generate evidence and apply data-driven solutions that expand opportunities and improve lives for all.

Essential job functions include but are not limited to:

• Drive and perform vulnerability management activities, including scanning, analyzing, reporting, and tracking network, container, application, and static code findings in collaboration with cross-functional teams.
• Execute application security testing and findings analysis, including DAST, SAST, continuous threat exposure management activities, and targeted red teaming engagements.
• Lead cyber risk management efforts by identifying risks, developing and reporting treatment plans, and maintaining the enterprise risk registry.
• Oversee and drive the remediation of findings utilizing standard Plan of Action and Milestones (POA&M) processes resulting from both internal and external security controls assessment, vulnerability assessments, and security testing.
• Execute and contribute to internal controls assessments for AIR web applications, secure data enclaves, general support systems, and other key systems to support internal and external client security requirements.
• Respond to client data security and privacy questionnaires with accuracy and subject‑matter expertise.
• Perform and drive continuous monitoring activities to ensure ongoing compliance with internal policies and external regulatory requirements.
• Support data governance by conducting information security plan reviews and contract reviews.
• Serve as AIR’s HIPAA Security Officer, ensuring compliance with HIPAA Security Rule requirements.
• Support third party risk management activities, including evaluating new software and artificial intelligence (AI) use cases.
• Duties, responsibilities, and activities may change, or new ones may be assigned at any time based on business needs.

Qualifications:

Education, Knowledge, and Experience

• Bachelor’s degree and at least 9 years of relevant experience in information security.
• A major cybersecurity certification from ISC2, ISACA, OffSec, or SANS.
• A minimum of 5 years of hands‑on experience with vulnerability management and security testing tools, including DAST, SAST, and SCA.
• At least 5 years of experience securing and testing cloud environments such as Azure, AWS, or Google Cloud.
• A track record of 2+ years of experience conducting cyber risk and assurance activities, including applying relevant security frameworks.
• Strong understanding of key standards, including NIST SP 800‑53, 800‑171, and 800‑88.
• The candidate should be able to obtain a Level 6C Security clearance (Public Trust Position).

Skills

• Exceptional communicator with the ability to translate complex technical concepts for diverse audiences and a strong team‑oriented mindset, consistently fostering effective collaboration across virtual, cross‑functional, and diverse teams.
• Proven ability to operate with a high degree of independence, exercising sound judgment and initiative, while also engaging collaboratively to support shared goals and team success.
• Highly adaptable in fast‑moving environments, with the capability to prioritize, balance, and drive multiple concurrent workstreams to timely, high‑quality outcomes.
• Advanced analytical, critical‑thinking, and problem‑solving skills, demonstrating disciplined attention to detail and a commitment to delivering accurate, high‑quality results.
• Deep understanding of common attack techniques, vectors, and tools used by threat actors, along with strong capabilities in cyber incident response, forensic log analysis, and incident handling procedures.
• Extensive knowledge of native cloud security, compliance frameworks, and security posture management solutions, including CNAPP.
• Proven ability to analyze static and dynamic application security testing results and assess cyber risks across systems and processes.
• Strong grasp of emerging technology trends, including AI governance and associated risk management practices.

#LI-MP1 #LI-Remote