Sr. Analyst, Cyber Security Governance, Risk & Compliance

The AZEK Company 

Location Chicago, IL; Wilmington, OH or Scranton, PA.

The AZEK Company (www.azekco.com) is a $1.2+ billion, and growing, industry-leading manufacturer of beautiful, low-maintenance building products, and is highly committed to accelerating the use of recycled materials. We use our expertise in materials science to engineer and manufacture high-quality, sustainable residential and commercial building products that improve lives and businesses. All of Azek’s products are designed to replace wood, metal and other traditional materials in a variety of applications. In June 2020, we completed a highly successful IPO (NYSE: AZEK). 

At AZEK, we don’t just accept diversity — we celebrate it, we support it, and we thrive on it for the benefit of our employees, our products, and our community. AZEK is proud to be an equal opportunity workplace and is an affirmative action employer. 

This position can be located at our corporate headquarters in the West Fulton Market District of Chicago, IL, or at our Wilmington, OH and Scranton, PA manufacturing facilities with a hybrid work schedule.

Position Summary:

AZEK is seeking a Cyber Security GRC Senior Analyst to help build out a successful cyber security GRC program. You will be expected to develop GRC processes and implement initiatives related to risk management, training and awareness, policy development, metrics, and security compliance. This role reports directly to the Chief information Security Officer (CISO) and is a key member of the cyber security team.

Position Description

Your primary duties and responsibilities will be: 

• Develop, enhance, and operationalize enterprise-wide cyber security policies, standards, and controls to mitigate risks and comply with applicable laws and regulations.
• Develop and operationalize a cyber security risk management program to identify risks across the organization, provide recommendations to mitigate risks, and work with business and IT stakeholders to implement controls.
• Create and maintain a cyber security risk register and work with stakeholders to develop corrective action plans to address risks.
• Work with IT and business stakeholders to perform ongoing compliance reviews in line with security policies, regulations (SOX, GDPR), and frameworks (NIST CSF, MITRE, PCI-DSS).
• Develop and deploy security training and awareness initiatives for the organization.
• Work with stakeholders on data classification and develop and operationalize a data loss prevention program across the organization.
• Participate in incident response tabletops, business continuity/disaster recovery testing, penetration testing, and other compliance activities and track progress of identified remediations.
• Remain current with emerging cyber security threats and advise relevant stakeholders on the appropriate course of action.
• Create and maintain KPIs and KRIs for the cyber security program.
• Manage security projects and execute tasks as a member of the AZEK cyber security team as assigned by management.

We believe the successful candidate will have:

• At least 3 years of hands-on cyber security GRC experience
• Bachelor's Degree or higher in an Information Technology discipline. As with all positions at AZEK, a satisfactory combination of education and professional experience will be considered.
• Professional certifications such as CRISC, CISM, CGEIT, GRCP are preferred.
• Expertise in industry frameworks such as NIST, ISO, MITRE, OWASP, PCI-DSS, SOX.
• Strong understanding of data privacy regulations such as CCPA, GDPR.
• Experience with performing cyber security risk assessments.
• Ability to understand technical language and translate to business risks.
• Strong analytical and problem-solving skills
• Strong verbal and written communication skills and ability to collaborate with stakeholders.
• Ability to deliver results in a fast-paced environment with competing and changing priorities.
• A passion for cyber security.

Core Competencies: 

• Action Orientation
• Drive for Results
• Business Acumen
• Problem Solving
• Risk Management 

Success Measures:

• Ninety (90) days:
  • Begin assessing and documenting cyber security risks within the environment.
  • Start to build relationships with stakeholders across the enterprise.
• Six (6) months:
  • Start to establish a cyber risk management program to manage enterprise and third-party risks.
  • Create cyber security policies and standards.
  • Start to establish a cyber security compliance program.
• One (1) year:
  • Effectively track cyber security risks and work with stakeholders to remediate.
  • Establish and report on KPIs and KRIs.