Senior Security Operations Analyst (Security Risk Management)

You will be a critical part of the Security GRC team, passionate about driving both adoption and scaling of practices at strategic, tactical, and operational levels. We strive to build standards and best practices to help us drive better decision-making and maintain a secure environment across Expedia Group! You will be providing thought leadership to a passionate and motivated team of risk practitioners, leading as foremost experts with unmatched skills, capabilities, and experience, bringing risk quantification to Expedia Group.

You will be responsible for bringing subject matter expertise andbeing a foremost expert in quantitative risk analysis and cyber and operational risk managementincluding the risk management lifecycle (ISO 31000-2018)

We are a growing, highly visible, and highly agile team where collaboration, communication and critical thinking thrive.

What you'll do:

• Conduct top-down strategic and risk assessments using risk quantification

• Conduct bottom-up tactical and operational risk assessments using risk quantification

• Conduct Cost/Benefit and Return on Investment analysis for risk owners

• Conduct customized risk scenario modeling for unique use-cases

• Provide thought leadership and expertise to the GRC Risk Management Team as it pertains to risk quantification and the risk management lifecycle

• Coordinate and prepare meetings such as risk council, security review board and working committees to review, call out and report security risks

• Contribute towards efforts that enable us to scale the risk program across the company

• Work closely with internal GRC and Security teams to gather data elements required to fulfill the risk management lifecycle

• Translate risk concerns and business requirements into measurable risk scenarios

• Own, maintain, and improve the risk management lifecycle

• Present risk assessments results to all levels of the organization as needed

• Be a subject matter expert resource to the team and the business for all things risk management and risk quantification

Who you are:

• 7+ years of practical experience in Risk Management, Technology, Security, IT Audit or other similar risk consulting or risk advisory functions

• 3+ years of experience specializing in FAIR analysis

• Possess domain level knowledge in the field ofrisk management frameworks such as FAIR (Factor Analysis of Information Risk)and ISO 31000-2018

• Ability to work with both the business and security/technical teams to translate complex concepts and ideas into distillable information

• Solid understanding of Enterprise Risk Management Frameworks and Principles

• Experience working with multi-functional teams such as controllership, security architecture, internal audit, and security operations

• Exemplary interpersonal skills that translate to all levels of the organization

• Experience with Enterprise/IT/Technology/Security risks or operational risk management functions

• Excellent presentation, verbal, and written communication skills; comfortable with leading discussions and/or training sessions

• Efficient at creating and maintaining documentation and standard operating procedures

• Certified inOpenFAIR, CRISC, CISSP or other risk-related disciplines

• The position would require employee to obtain OpenFAIR certification if not already held

• Knowledge of statistical concepts and probability

• Knowledge of GRC technology platforms and workflows

• Risk management consulting experience (Big 4 preferred)

• Practical quantitative risk analysis experience - preferably with Factor Analysis of Information Risk (FAIR)

• Practical expertise with KRI, KCI, KPI creation and long-term management

• Experience owning and driving risk items through the risk management lifecycle

• Experience with the RiskLens & MetricStream