Jobs.ca

Senior Specialist, Cybersecurity Risk

Toronto, ON
Senior Level

About the role

Position Summary:

The Senior Risk Specialist, Cybersecurity plays a key role in identifying, assessing, and managing cybersecurity risks across the organization. This individual will support the ongoing maturity of the cybersecurity risk management program, ensuring alignment with business objectives, regulatory obligations, and industry best practices.

Requiring deep expertise in cybersecurity frameworks and risk management principles, this role provides actionable insights to guide risk-informed decision-making and strengthen the organization’s overall security posture. The ideal candidate is analytical, collaborative, and capable of driving continuous improvement within a dynamic enterprise environment.

Key Accountabilities:

Risk Assessment & Analysis

  • Lead comprehensive cybersecurity risk assessments across business units, applications, and infrastructure environments.
  • Develop risk treatment plans in collaboration with control owners and track remediation progress.

Risk Management Framework

  • Participate in the identification, documentation, and implementation of cybersecurity controls aligned with risk assessments and industry frameworks (NIST CSF, ISO 27001, SOC 2, CIS Controls, etc.).
  • Support the implementation and maintenance of the organization’s cybersecurity risk management framework.
  • Contribute to the ongoing evolution and refinement of the Cybersecurity Risk Management function, identifying opportunities for improvement and automation.
  • Maintain the enterprise risk register, ensuring risks are accurately rated, tracked, and reported.

SOC 2 & Compliance

  • Support annual SOC 2 Type 2 audits and compliance activities by collecting evidence, monitoring controls, coordinating with auditors, and ensuring adherence to applicable regulations.

Third-Party Risk Management (TPRM)

  • Manage vendor risk by conducting due diligence and ongoing assessments for new and existing third parties and sub-processors, assessing risk levels, documenting findings, tracking remediation efforts, and maintaining the cybersecurity risk register.
  • Evaluate vendor security posture, identify risks, and document findings.

Collaboration & Communication

  • Work collaboratively with internal teams (e.g., business, IT, Legal, Compliance) and external partners to identify and assess cybersecurity risks, and to manage the organization's overall risk posture.

Audit Support

  • Participate in the testing of design and operating effectiveness of controls, documenting results and recommending corrective actions.

Reporting & Documentation

  • Prepare clear and concise reports for leadership, summarizing risk assessments, mitigation plans, and control effectiveness.

Qualifications & Experience:

  • Ability to obtain registration as a Category 1 Gaming Assistant with the Alcohol and Gaming Commission of Ontario is a condition of employment for a successful applicant.

Education

  • A post-secondary education in Cybersecurity, Information Technology, Computer Science, Business, or a related discipline, or an equivalent combination of education, training, and practical experience.

Technical Skills

  • Strong understanding of cybersecurity principles, including identity and access management (IAM), network and endpoint security, vulnerability management, and cloud security fundamentals.
  • Practical experience assessing and interpreting technical controls across IT infrastructure, applications, and cloud environments (e.g., Microsoft 365, Azure, AWS, or equivalent).
  • Working knowledge of security architectures and configurations, including firewalls, encryption, authentication, and logging mechanisms.
  • Experience conducting or supporting technical risk assessments, translating technical vulnerabilities into business impact.
  • Familiarity with cybersecurity frameworks (NIST CSF, ISO 27001, CIS Controls, SOC 2, etc.) and applying them to real-world environments.
  • Ability to review and interpret vulnerability scan results, configuration baselines, or audit evidence with a risk-based mindset.
  • Experience with risk assessment and reporting tools, dashboards, and GRC platforms (e.g., Archer, ServiceNow GRC, OneTrust, Power BI, Tableau, Excel).
  • Understanding of data protection and privacy obligations (e.g., PIPEDA) and their intersection with cybersecurity controls.
  • Strong analytical and problem-solving skills with the ability to balance technical and business considerations.
  • Excellent communication and presentation abilities — able to explain complex technical risks in clear business terms.
  • Familiarity with development and design of APIs is a plus.

Communication & Leadership

  • Ability to translate complex technical risks into clear, concise business insights and influence decision-making at various levels.
  • Strong communication, interpersonal, and presentation skills.

Certifications (Preferred)

  • Professional certifications such as CISA, CRISC, or CISSP are highly desirable.

About Great Canadian Entertainment

Gambling Facilities and Casinos
1001-5000

Founded in 1982 as Great Canadian Gaming Corporation, Great Canadian Entertainment is an Ontario-based company that operates gaming, entertainment and hospitality destinations across Ontario, British Columbia, New Brunswick, and Nova Scotia. We’re driven by our vision, which is to be the leading gaming, entertainment, and hospitality company in our chosen markets by providing superior entertainment value and exceptional experiences.

Fundamental to the company's culture is its commitment to social responsibility. "Proud of our people, our business, our community" is Great Canadian Entertainment's brand that unifies the company's community, volunteering, and social responsibility efforts. Under the Proud program, Great Canadian Entertainment annually supports hundreds of charitable and non-profit organizations in Canada. In each Canadian gaming jurisdiction, a significant portion of gross gaming revenue from gaming facilities is retained by our Crown partners on behalf of their provincial government for the purpose of supporting programs like healthcare, education, and social services.

Follow us on social media for more:

Facebook: @GRTCanadian Instagram: @GRTCanadian Twitter: @GRTCanadian