
Senior Information Security Risk and Compliance Specialist
PPG · Pittsburgh, PA
- On site
- Full-time
- $120,000 / year
- Pittsburgh, PA
Job highlights
- Manage information security risks and compliance.
- Assess applications, infrastructure, and cloud security.
- Ensure adherence to NIST, ISO, and other frameworks.
- Conduct third-party vendor security reviews.
- Develop and implement risk mitigation strategies.
About the role
PPG is seeking a Senior Information Security Risk and Compliance Specialist to join their dynamic team. In this critical role, you will be instrumental in identifying, evaluating, treating, and reporting on information security risks. Your work will directly support PPG's business objectives, ensuring compliance with regulatory requirements and adherence to industry frameworks such as NIST Cybersecurity Framework (CSF), NIST 800-53, ISO 27001, and internal security standards. You will also contribute to key areas including governance, control assurance, policy compliance, third-party risk assessments, and remediation tracking.
Key Responsibilities
- Participate in global IT risk management, cybersecurity compliance, and governance projects throughout their lifecycle, from planning and execution to reporting and remediation tracking.
- Conduct comprehensive information security risk assessments for applications, infrastructure, cloud solutions, and various business initiatives.
- Support control testing and compliance assessments against established frameworks like NIST CSF, NIST 800-53, ISO 27001, and internal policies.
- Assist in conducting third-party/vendor cybersecurity risk assessments during both onboarding and periodic review phases.
- Evaluate vendors based on security questionnaires, penetration testing results, and critical contractual security requirements.
- Collaborate effectively with business and IT teams to implement practical and achievable action plans for mitigating identified risks.
- Review work papers, planning documents, audit reports, and technical evidence to ensure the accurate identification of risks and issues.
- Communicate findings promptly and partner with control owners to develop robust remediation plans.
- Contribute to security governance committees, the development of metrics reporting, and risk dashboards.
- Develop detailed documentation of risks for critical systems, crown jewel assets, cloud environments, and key business processes.
- Review IT processes to identify control weaknesses and non-compliance issues, initiating necessary corrective actions.
- Provide essential support for Disaster Recovery, Business Continuity, and operational resilience planning initiatives.
- Assist in conducting tabletop exercises, incident response governance, and tracking lessons learned remediation.
- Support identity and access governance reviews, including privileged access, segregation of duties, and user recertifications.
- Develop and implement methods to monitor and measure risk, compliance, and assurance efforts using key metrics and KPIs.
- Interpret and apply applicable laws, regulations, and industry requirements to inform security controls and policy development.
- Perform Security Site Assessments at manufacturing plants, warehouses, laboratories, and office locations to evaluate physical security, cybersecurity controls, network infrastructure, operational technology (OT) environments, and compliance with corporate security standards.
Qualifications
- A minimum of 5 years of experience in IT, cybersecurity, audit, risk management, or a closely related discipline.
- A Bachelor's degree in Information Technology, Cybersecurity, Computer Science, Business, or a related field is preferred.
- Working knowledge of security frameworks such as NIST CSF, NIST 800-53, ISO 27001, and SOC frameworks.
- Experience supporting regulatory compliance programs such as SOX, PCI DSS, GDPR, or similar is considered a plus.
- Experience performing Third-Party Risk Assessments / Vendor Security Reviews is strongly preferred.
- A solid understanding of common security domains including IAM, network security, endpoint security, vulnerability management, logging/monitoring, and incident response.
- Familiarity with cloud security concepts for Azure, AWS, or Google Cloud is a plus.
- Experience utilizing governance, risk, and compliance (GRC) tools such as AuditBoard, Archer, ServiceNow, OneTrust, or similar is preferred.
- Relevant certifications such as Security+, CISA, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor are a plus.
Key skills/competency
- Information Security Risk Management
- Cybersecurity Compliance
- NIST Cybersecurity Framework
- ISO 27001
- Third-Party Risk Assessment
- Control Testing
- Governance
- Policy Compliance
- Remediation Tracking
- IT Risk Assessment
Skills & topics
- Information Security
- Risk Management
- Compliance
- Cybersecurity
- NIST
- ISO 27001
- GRC
- Third-Party Risk Assessment
- IT Audit
- Specialist
How to get hired
- Customize your resume: Highlight your 5+ years of experience in IT, cybersecurity, audit, or risk management, emphasizing NIST, ISO, and GRC tools.
- Showcase relevant experience: Clearly demonstrate your expertise in third-party risk assessments and understanding of common security domains.
- Address qualifications: Mention your Bachelor's degree and any relevant certifications like CISSP, CISA, or CRISC.
- Tailor your application: Align your application with PPG's values and the specific requirements of the Senior Information Security Risk and Compliance Specialist role.
- Prepare for interviews: Be ready to discuss your experience with risk assessments, compliance frameworks, and your approach to security governance.
Technical preparation
- Master NIST CSF, NIST 800-53, and ISO 27001.
- Practice vendor risk assessment methodologies.
- Familiarize yourself with GRC tools like Archer.
- Understand cloud security for Azure/AWS/GCP.
Behavioral questions
- Describe a complex risk you mitigated.
- How do you ensure compliance with policies?
- How do you collaborate with cross-functional teams?
- How do you handle conflicting priorities?
Frequently asked questions
- What are the key responsibilities for a Senior Information Security Risk and Compliance Specialist at PPG?
- The Senior Information Security Risk and Compliance Specialist at PPG will focus on identifying, evaluating, and reporting on information security risks. This includes performing risk assessments for applications and infrastructure, supporting compliance with frameworks like NIST and ISO, conducting third-party vendor assessments, and developing risk mitigation strategies. The role also involves supporting security governance, policy compliance, and operational resilience planning.
- What experience and qualifications are essential for this role at PPG?
- PPG requires at least 5 years of experience in IT, cybersecurity, audit, or risk management. A Bachelor's degree in a related field is preferred. Essential knowledge includes security frameworks like NIST CSF, NIST 800-53, and ISO 27001, as well as common security domains. Experience with third-party risk assessments is strongly preferred.
- Does PPG offer opportunities for professional development in information security?
- PPG is committed to employee growth and development, offering a fulfilling workplace with continuous learning opportunities. While specific cybersecurity training programs aren't detailed, the company's focus on embracing diverse ideas and fostering a proactive environment suggests a supportive atmosphere for skill enhancement in information security.
- How does PPG utilize AI in its hiring process for the Senior Information Security Risk and Compliance Specialist position?
- PPG uses AI tools to enhance the efficiency of their hiring process. However, it's important to note that AI tools do not make the final hiring decisions. Candidates can find more information about PPG's AI in hiring practices on their candidate resources page.
- What is the work arrangement for the Senior Information Security Risk and Compliance Specialist role at PPG?
- This position is a hybrid role, requiring the specialist to work from PPG's office located in Pittsburgh, PA.
- What security frameworks and regulations are most important for this Senior Information Security Risk and Compliance Specialist role at PPG?
- Key security frameworks for this role include NIST Cybersecurity Framework (CSF), NIST 800-53, and ISO 27001. The specialist will also interpret and apply applicable laws, regulations, and industry requirements, and familiarity with programs like SOX, PCI DSS, and GDPR is beneficial.