Job Description Summary
Based in one of GE's major US operations or remote and reporting to the Senior Advisor – Cyber Security Assurance, the Sr. Risk Assessor will work collaboratively with business technology audit teams to provide centralized services and cyber security expertise as well as conduct technical and cybersecurity audit and advisory engagements across BU processes and technology through inquiry, data analysis, and in-depth technical testing.
GE is in the midst of a significant and public transformation of its portfolio, leadership, operations and culture. One of the top priorities within this transformation is the Internal Audit function. GE is currently evolving the function, focusing more on the development of deep, data-driven, modern audit expertise and experience to serve as a true business partner for the audit committee and executive leaders, while still maintaining its commitment to talent development, both within and outside the function.
The Cyber Assurance function within the Internal Audit team has built several capabilities in the first year of its transformation, and we are looking for a team member who can continue to scale, maintain, and improve those capabilities. This role will apply critical thinking and cyber security expertise to build out and execute centralized services to enable business audit teams. In audit engagements, this role will efficiently leverage available data to analyze the operating effectiveness of enterprise-wide controls through the lens of an industry-tailored risk profile and audit methodology.
The Cyber Security Sr. Risk Assessor will assist the Senior Advisor – Cyber Security Assurance in this hands-on role leading project teams and will leverage a defined methodology to execute and participate in IT and cybersecurity focused technical audits and advisories (e.g., external discovery and reconnaissance). The role requires a strong technical background and proficiency in OSINT (Open-Source Intelligence), cyber reconnaissance, penetration testing and Red Team offensive experience.
The Cyber Assurance Sr. Risk Assessor will engage in planning activities, fieldwork, testing and identification of findings, analysis of results, crafting and communicating findings to management, developing remediation strategies in partnership with the business, identifying key themes and determining root causes across different business audits. The role will also assist with the development of testing and reporting materials and be able to validate remediation action plans.
- Executes IT and cyber focused technical audits and advisories (e.g., external discovery and reconnaissance) and will conduct penetration testing to identify risks and control deficiencies.
- Identifies security or control breakdowns and provides recommendations on how to minimize or address risks with relevant technical solutions across networks, systems, applications, etc.
- Performs hands-on penetration testing of systems and applications, and reviews findings to address vulnerabilities.
- Performs offensive cybersecurity tasks such as attack mitigation, ethical hacking, penetration testing, threat detection, etc.
- Develops risk and threat models to illustrate potential attack vectors and exploitation of enterprise networks.
- Collaborates across audit teams to build a contemporary, comprehensive, and efficient audit program including templates, technical testing methodologies, and in-depth technical guidance.
- Owns the team’s cloud-based lab environment for testing/learning tools and audit methodologies and assists in piloting tools and technology used by audit teams in fieldwork.
- Supports design and implementation of lines of defense structures across enterprise organizations to drive continuously improving governance and risk management.
- Acts as trusted advisor across technology and non-technology audit teams and leaders to translate cyber topics into business context and educate teams on overall understanding of GE’s security posture.
- Supports analysis activities to review cross-functional and cross-business unit cyber related audit findings to identify systemic issues and opportunities for leadership and business owners to improve control framework implementation and management.
- Enhances, aligns, maintains, and educates businesses on cyber threat, program, control, and risk frameworks in coordination with audit teams and GE technology/cyber teams.
- Provides expertise on current and relevant research regarding emerging technology risk topics and serves as the subject matter expert on cyber threats relevant to GE.
- Reviews audit workpapers to ensure they are clear, complete, and well-organized.
- Conducts in-depth inquiry and data analysis to understand complex cyber and technology operations, assesses risk based on the industry risk profile, and develops project scope for complex and cross-functional process areas, leveraging business knowledge and expertise.
Professional Experience/Success Profile
- Bachelor's Degree in Computer Science or in "STEM" Majors (Science, Technology, Engineering and Math) or Business Administration with a minor in Computer Information Technology is preferred.
- Hands-on cybersecurity experience, including offensive cybersecurity methodologies and activities such as ethical hacking, attack mitigation, network security controls, and penetration testing.
- Experience with hands-on penetration testing, utilizing tools such as NMAP/ZenMap, Linux-Exploit-Suggester, MobSF, Radare, and Wireshark.
- Knowledge of any combination of the following is preferred: Cyber Control Frameworks (NIST 800-53, CIS Top 20, etc.); Cyber Program Frameworks (ISO 27001, NIST CSF, etc.); Cyber Risk Management Frameworks (FAIR, ISO 27005, NIST 800-39, 800-37, 800-30, etc.).
- 3 years of professional experience in IT Governance, IT Risk, IT Audit, IT Operations or related fields preferred, ideally with a Fortune 1000 company or a Big 4 assurance organization.
- CISSP, CEH, OSCP, CRISC, CCNP, GIAC certifications, or a combination of other information security certifications preferred but not required.
- Strong understanding of and experience in managing technology risk within the context of industrial and highly regulated environments preferred.
- Proficient in common security tools and tactics such as NMAP, Shodan, Censys, OSINT, Nessus, Kali Linux, Metasploit, Maltego, Burp Suite, Nipper, and Network Detective Pro.
- Experience with Industrial Control Systems/Supervisory Control/Internet of Things (ICS/SCADA/IOT) devices and software.
- Lean Process orientation is a plus; passion to help improve operations continuously.
- Quantitative and qualitative analysis skills; ability to take large volumes of complex information and present it in a clear and concise manner; use of data and a cogent problem-solving methodology in decision making and impact assessment is a plus.
- Ability to foster cross-disciplinary collaboration throughout the organization. Capability to work with minimal supervision with a multi-disciplinary team in a fast-paced environment and meet strict deadlines while managing multiple priorities.
- Excellent active listening, verbal, written, and presentation communication skills across both technical and non-technical audiences.
Work Authorization is required. We will not sponsor work visas now or in the future for this role.