Sr. Analyst, Cybersecurity

8116 – Midtown Office – 2220 W. Broad Street, Richmond, Virginia, 23220

CarMax, the way your career should be!

Do you want to play a key role in enhancing the Cybersecurity program for a Fortune 200 company and national brand that has also been listed on the Fortune 100 Best Places to Work for the past 17 years in a row? Do you enjoy working in a collaborative environment where your ideas can help shape the direction and development of critical cybersecurity capabilities?

Do you want to work with a team of talented professionals that have in-depth technical knowledge and be the subject matter expert in technology governance, risk management, compliance, and audit requirements?

Then your job search begins and ends here….

About this job

A Sr. Technology Risk Analyst with experience in the areas highlighted below. This is a unique opportunity to work at a Fortune 200 company and national brand to expand your skills and influence a growing Cybersecurity Program. This opportunity provides the ability to work with the Technology teams to effectively manage technology risk and perform risk assessments and control design to improve efficiency and effectiveness of the internal controls. You will design and facilitate cybersecurity risk assessments on existing technology and processes and to accommodate new business areas as well as changes in our risk profile. You will assist the technology teams in identifying risks, developing recommendations to mitigate risk, execute SSAE 18 reviews of key third-party service providers, manage information security policies, and assist with the company-wide information security awareness program, including design and management of the annual Information Security Training.

What you will do – Essential Responsibilities

• Support, execute and maintain a framework for technology risk management including validation and classification methods.

• Design and perform information security risk assessments, understanding threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information.

• Perform information security risk assessments on third party service providers based on type, service and weighted on risk.

• Help develop related processes and procedures to ensure and enforce compliance with all company policies, applicable laws, and regulatory requirements regarding information security, privacy, and data integrity as well as reducing vulnerabilities.

• Assist with the development and delivery of information security risk related training and awareness programs.

• Perform analysis of security vulnerabilities developing risk-based business recommendations.

• Serve as the technology risk management expert on initiatives.

• Provide expertise and direction to CarMax’s® sourcing and legal teams including suggestions on leading practices, industry standards and guidance in the interpretation and implementation of 3rd party network connection or technology and business processes to meet information security standards.

• Administer governance, risk and compliance systems and processes owned by the department.

• Assist in preparation of accurate and timely communications of risks, recommendations and conclusions as well as evaluating management mitigation plans.

• Assist in developing automated risk assessment tools and processes.

• Gathers data, conducts analyses, and prepares related risk reporting.

• As an integral member of the team, exhibiting ownership, follow through, initiative, awareness and effective communication with peers and management and ability to speak to details of information risk management

Information Risk Methodology:

• Ability to help design and implement industry standard technology risk management practices across the enterprise.

• Champion of the information risk management methodology by demonstrating ownership of the design aspects of the operations lifecycle.

• Passionate about support & ownership of threat areas of Cybersecurity.

• Consistently shows the ability to mentor others in the assessment of technology risk as it relates to CarMax’s® data.

• Understand level of risks and exposure as it relates to systems, services, and networks.

• Driver of security awareness type activities with proven results.

Here’s the technology part…

Qualifications and Requirements

• Ability to understand the business requirements as well as provide a proposal of the appropriate information risk resolution to computer threats.

• Broad understanding of the business processes supported across all team’s environments.

• Collaborate with the Privacy and Legal teams for assessment improvements.

• Strong understanding of key compliance regulations such as Sarbanes-Oxley, GLBA, HIPPA and Payment Card Industry (PCI), plus external Cybersecurity and privacy regulations.

• Experience in execution of an enterprise and technology risk framework, including the identification, assessment, and mitigation of risk: understanding how to balance the company’s risk appetite and its overall impact.

• Understanding of network controls, cloud controls, user administration, authentication methods, file permissions, groups, and domain concepts.

• Demonstrated ability to compare alternative information security risk approaches and methodologies while assessing risk both quantitatively and qualitatively to meet the business needs.

• Proven experience with influencing without direct authority to gather requirements and translate risks into actions.

• Excellent communication skills to include but not limited to verbal and written communication; delivering organized presentations; able to tailor message to the audience; and facilitate group discussions with diplomacy and seek diverse opinions.

• Excellent analytical, troubleshooting, and problem-solving skills and performs well under fast paced, high pressure or stressful situations.

• Demonstrated flexibility in a fast paced and agile environment with strong organization and time management skills.

• Ability to learn the business processes implemented in the team’s applications. Demonstrated flexibility.

• Assist with influencing the information security risk direction of others to drive corporate risk acceptance to successful completion within the technology Risk standards and guidance.

• Ability to help develop and deliver information security awareness training and business understanding across all lines of business.

• Ability to drive through obstacles and time constraints to successfully deliver to completion

• Assist in developing dynamic approaches to the implementation of and technology risk program utilizing a variety of methods, both manual and automated, to provide both qualitative and quantitative results.

• Dedication and commitment to world class service and to exceeding customer expectations.

• Desire to keep current with technology and emerging technology risk trends.

• Expertise solving technical problems and presenting solutions which impact all areas of their team’s systems environments.

• Ability to evaluate long term impacts when making recommendations and decisions.

Education and/or Experience:

• Bachelor’s degree in Business/ Computer Science/Information Systems with IT audit, risk or compliance experience or equivalent military experience.

• Industry certification Certified in Risk and Information Systems Control (“CRISC”), or in the process of obtaining the CRISC required. One or more of the following industry recognized certifications recommended: CISA, CISM, BCBP, CIA, PCI, CISSP.

• In depth knowledge of information security, risk management industry frameworks and standards NIST, COSO, OWASP, ISO-27001/2, SANS, Cobit and ITIL.

• 5+ years working experience with enterprise and technology risk management programs, privacy, data security and control issues with technologies.

• Previous working experience and knowledge of two or more security functions (IT Risk Assessor, QSA, Security Specialist, IT Auditor).

About CarMax

CarMax disrupted the auto industry by delivering the honest, transparent and high-integrity experience customers want and deserve. This innovative thinking around the way cars are bought and sold has helped us become the nation’s largest retailer of used cars, with over 200 locations nationwide.

Our amazing team of more than 25,000 associates work together to deliver iconic customer experiences. Along the way, we help every associate grow their career and achieve their best, at work and in their community. We are recognized for our commitment to training and diversity and are one of the FORTUNE 100 Best Companies to Work For®.

CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, protected veteran status, disability status, or any other characteristic protected by law.

Our Commitment to Diversity and Inclusion:

CarMax is committed to bringing together people from different backgrounds and perspectives, providing employees with a safe, welcoming, and inclusive work environment.

CarMax is an equal opportunity employer, and all qualified candidates will receive consideration for employment without regard to age, race, color, religion, sex, sexual orientation, gender identity, gender expression, genetic information, national origin, protected veteran status, disability status, and any other characteristics protected by law.

Upon an applicant’s request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.

Upon an applicant’s request, CarMax will consider reasonable accommodation to complete the CarMax Job Application.

Job ID : JR-091778