IT Risk Job Descriptions

Template

These job descriptions are part of ISACA’s IT Risk Starter Kit. They include
examples of basic qualifications for key roles in an IT Risk program. These job
descriptions are intended to be illustrative, not comprehensive, and should be
customized for each enterprise.

IT Risk Officer
The IT risk officer is responsible for the overall delivery of the IT risk management practice. This position
drives the execution of highly complex and technical processes through the combination of oversight,
advisory and effective challenge activities across the enterprise. These activities include risk
identification and response, meeting regulatory requirements and consulting on technology strategies
and solutions. The IT risk officer oversees the IT risk team to ensure its work is managed, prioritized and
completed in alignment with enterprise business goals, drivers and commitments.

Behaviors:

• Excellent influencing and persuasion skills
• Superb communication skills, including active listening and executive presentation
• Passion and expertise in technology and cybersecurity domains, with an ability to be confident, respectful and articulate when registering dissenting or unpopular opinions
• Ability to collaborate effectively with colleagues, stakeholders and leaders across multiple organizations to get consensus, socialize strategy and achieve objectives
• Personal resilience: the ability to stay optimistic and keep people focused during crises or times of change

Desired Accomplishments:

• Establish a robust advisory and effective challenge model that will facilitate deeper risk conversations and surface insights in support of strategic decision-making.
• Identify opportunities to influence risk-taking strategies and ensure that aggregate risk is understood.
• Challenge and reinvent the methodology that the enterprise uses to measure IT risk.
• Influence peers and executives to take accountability for complex (and sometimes sensitive) IT risk.
• Constructively debate trade-offs between different risk response approaches with other business and IT partners.
• Enhance the business’ understanding of regulatory/compliance requirements and the implications to the firm.
• Mentor and develop associates to meet their professional development goals.

Basic Qualifications:

• Bachelor’s degree or military experience
• At least ten years of progressive leadership in the areas of cybersecurity/business resiliency/IT risk strategies, principles, processes and deliverables
• At least seven years of experience managing personnel
• At least one professional risk or security management certification, such as Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) or Open FAIR

Preferred Qualifications:

• Master’s degree

IT Risk Analyst
The IT risk analyst supports the IT risk management practice, which ensures risk is proactively identified,
decisioned, communicated and monitored. The primary responsibilities of the IT risk analyst are to
perform assessments of potential risk exposures and prepare actionable risk reporting. In this role, it is
critical to foster strong working relationships with leaders in other areas of the enterprise to perform
evaluations of the enterprise risk posture and to offer independent advice regarding ways to reduce risk
in line with established risk appetites.

The successful candidate thinks strategically, is intellectually curious and is comfortable working in
undefined problem spaces. As a member of a growing enterprise, the IT risk analyst will be expected to
shape and further refine the risk program and will have the opportunity to operate with both autonomy
and empowerment from senior leadership.

Behaviors:

• Thinks critically and analytically, with the ability to express a point of view supported by data (for both technical and nontechnical audiences)
• Raises concerns early and facilitates constructive problem-solving at all levels of the enterprise; knows when to escalate
• Exhibits passion and expertise in technology and cybersecurity domains, with an ability to be confident, respectful and articulate when registering dissenting or unpopular opinions
• Collaborates effectively with colleagues, stakeholders and leaders across multiple organizations to get consensus, socialize strategy and achieve objectives
• Manages multiple parallel initiatives while maintaining superior results
• Is execution-oriented and self-motivated

Desired Accomplishments:

• Succinctly frame emerging threats and risk in alignment with the existing risk profile.
• Distill complex risk, process and control relationships into simple dashboards/reports.
• Demonstrate robust risk management oversight in supporting various internal audits and regulatory exams.
• Support the development of the IT risk management practice, framework and methodologies.

Basic Qualifications:

• Bachelor’s degree or military experience
• At least three years of experience performing IT risk assessments

Preferred Qualifications:

• At least one professional risk or security management certification, such as Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) or Open FAIR
• Data science/analytics experience