Cyber Risk Analyst

Acadia Pharmaceuticals Inc.
Remote friendly (San Diego, CA)
United States
$29.33 - $36.59 USD yearly
IT

Role Summary

The Cyber Risk Analyst will be responsible for developing, implementing and monitoring a strategic, comprehensive enterprise cybersecurity and cyber risk management program. The Cyber Risk Analyst will be an active member of risk management committees and will own the cyber Third Party Risk Management (TPRM) program. This role can be based in San Diego, CA with a hybrid model requiring office presence three days per week on average.

Responsibilities

  • Conduct risk assessments and audits of IT systems, applications, and third-party vendors.
  • Perform contract reviews with a focus on cybersecurity terms and third-party risk implications.
  • Develop and maintain risk registers, mitigation plans, and incident response strategies.
  • Perform and maintain Business Impact Analysis (BIA) of key systems and vendors.
  • Maintain the Business Continuity and Disaster Recovery Plan (BCDRP).
  • Collaborate with stakeholders across Legal/Compliance/Privacy, Procurement, IT, and various business units to implement security controls and improve overall risk posture.
  • Maintain and enhance Governance, Risk, and Compliance (GRC) tools, such as OneTrust.
  • Align cyber risk activities with relevant regulatory requirements (CCPA, U.S. SEC, GDPR, NIS 2 Directive, etc.).
  • Support SOX and ITGC compliance efforts, including audit preparation, evidence collection, and control testing.
  • Contribute to the development and maintenance of security policies, procedures, and training programs.
  • Prepare risk reports for senior leadership and non-technical stakeholders, translating technical findings into business-relevant insights.
  • Ensure that all actions, both internally and externally, on Acadia’s behalf are in compliance with laws, regulations, policies, and Acadia values.
  • Other responsibilities as assigned.

Qualifications

  • Bachelor’s degree in Cybersecurity, Information Systems, Risk Management, or a related field. Targeting 3 years of progressively responsible experience in cyber risk, information security, or IT audit. Advanced certifications (CISM/CRISC/CISA/FAIR/CISSP) strongly preferred. An equivalent combination of relevant education and experience may be considered.

Skills

  • Proven ability to conduct risk assessments and audits of IT systems, applications, and third-party vendors.
  • Strong understanding of regulatory frameworks and standards including NIST, ISO 27001, SOX, GDPR, NIS 2 Directive, and FAIR.
  • Skilled in developing and maintaining risk registers, mitigation plans, and incident response strategies.
  • Proficient in GRC platforms such as OneTrust, with experience in tool configuration and workflow optimization.
  • Strong analytical, organizational, and communication skills.
  • Ability to translate technical risk findings into actionable insights for senior leadership and non-technical stakeholders.
  • Ability to manage multiple priorities and work cross-functionally in a fast-paced environment.
  • Ability to travel on occasion.

Education

  • Bachelor’s degree in Cybersecurity, Information Systems, Risk Management, or related field.

Additional Requirements

  • Travel as needed to fulfill responsibilities and support third-party assessments.
  • Regular standing, walking, sitting, and use of hands in a standard office environment; occasional lifting up to 20 pounds; ability to travel independently overnight as required.