Lead Security Control Assessor

As a Lead Security Control Assessor, you will be responsible for leading the assessment and evaluation of security controls across systems and processes both on-premise and in the cloud, to ensure they effectively mitigate risks and comply with regulatory and industry standards. You will oversee and conduct security control testing, to verify the design, implementation, and operational effectiveness of controls. In this role, you will work in an agile environment, ensuring the quality of security assessments through thorough testing, automation, and collaboration with cross-functional teams and various stakeholders.

Summary of Primary Responsibilities

• Design and deliver repeatable testing methodologies to support control assurance testing, including automated testing steps for cloud environments.
• Ensure control tests are well-planned, including risk identification, sampling, selection of controls, testing methods, and reporting criteria.
• Lead control testing teams to perform design and operating effectiveness testing of information security controls, including fieldwork, testing, and reporting activities.
• Provide quality assurance for control testing documentation produced during testing, ensuring accurate and timely completion of all required control testing documentation.
• Identify and document control deficiencies, including root causes, risk descriptions, consistent issue ratings, and recommendations for improvement.
• Create and present reports of control testing findings to stakeholders, socialising any findings effectively.
• Serve as the primary contact with business stakeholders for the controls tests you lead, ensuring the quality of control testing engagements and stakeholder communications, including regular status updates.
• Contribute to the efficiency of the control testing program by ensuring KPIs are measurable, that testing materials are standardised.

Requirements:

• A bachelor's degree in computer science, management information systems, relevant field, or equivalent demonstrable experience.
• 3+ years' experience leading a team of control assessors.
• 8+ years of experience performing IT Audit or Information Security control assessments, with specific experience in testing cloud security controls.
• Professional certification such as CISA, CISM, CISSP, ISO 27001 Lead Auditor, or equivalent.
• Knowledge of industry standards and frameworks such as NIST 800-53, ISO 27001/27002, CIS Controls, COBIT.
• Experience with current automated and manual industry methods for evaluating security controls on Perm and in cloud environments.
• Capable of communicating complex information in an organised manner, both verbally and in writing.
• Skilled in utilising stakeholder feedback to improve existing processes and future engagements.
• Strong relationship management skills, demonstrating commitment to delivering quality results.

Technical Skills

• Knowledge of security controls provided by tools such as Sailpoint, Rapid7, Wiz.io, MS Defender a plus.
• Experience with cloud security controls within environments such as AWS and Azure.
• Experience leveraging automation, data driven testing techniques and generative AI to gain efficiency in control assurance.
• Experience creating queries and reports using RSA Archer and Service-Now.
• Familiarity with Kanban boards and Jira.

Desired Competencies:

• Big 4 accounting experience preferred.
• Strong knowledge of cybersecurity principles and organisational requirements relevant to confidentiality, integrity, availability, authentication, and non-repudiation.
• Ability to apply security governance, risk, and control principles.
• Proficiency in automation and data analytics tools (e.g., Excel, Tableau, Alteryx, and Power-BI).
• Ability to apply critical reading/thinking skills to identify systemic issues from analysing testing data.
• Ability to facilitate small to medium sized group meetings and communicate complex ideas.
• Agile working methodology experience.