Information Security Risk Analyst

Job Summary:
The Security Risk Analyst supports the organization's cybersecurity program by identifying, analyzing, and tracking technology and business risks. This role plays a key part in enabling risk-informed decisions, ensuring that cybersecurity threats are assessed and mitigated in alignment with internal policies and regulatory frameworks.

This role is eligible for our Flex Persona. For candidates local to our Boston, MA and Hingham MA offices.

What We Need:

Blue Cross Blue Shield of Massachusetts (BCBSMA) is looking for a Security Risk Analyst to join the Cybersecurity Governance and Assurance Team. The Security Risk Analyst supports the organization's Cybersecurity program by assisting in maintaining its information security and compliance posture. This involves:

• Supporting governance, risk management, and control assurance activities.
• Enabling risk-informed decisions under the direction of senior security professionals
• Ensuring that cybersecurity threats are assessed and mitigated in accordance with internal policies and regulatory frameworks.

Your Day to Day:

• Cyber Risk Assessments: Conduct risk assessments on applications, systems, business processes, and third parties using structured methodologies (e.g., NIST 800-30, FAIR).
• Risk Register Maintenance: Document and track identified risks, vulnerabilities, and findings in the security risk register with appropriate severity and ownership.
• Threat and Vulnerability Correlation: Collaborate with threat intelligence and vulnerability management teams to map technical exposures to business risks.
• Risk Scoring and Reporting: Use qualitative and quantitative risk models to assess likelihood and impact; support risk dashboards and executive summaries.
• Residual Risk Analysis: Work with system and control owners to evaluate control gaps, proposed mitigation plans, and residual risk acceptances.
• Business Impact Analysis (BIA) Support: Contribute to BIAs by identifying cybersecurity risks affecting mission-critical business functions and services.
• Security Consultation: Participate in project and change review processes to identify and advise on emerging risks before go-live (e.g., cloud migrations, new vendors).
• Policy & Framework Mapping: Assist in mapping identified risks to NIST CSF, HIPAA, ISO 27001, and other frameworks to ensure controls are adequate.
• Support for Internal/External Audits: Provide risk documentation and evidence in support of internal audit and external compliance obligations (e.g., SOC 2, HITRUST).
• Risk Review Coordination: Facilitate recurring risk review meetings with IT, business units, and security leadership to track and update mitigation efforts.

We're Looking for:

• Education: Bachelors in Cybersecurity, Information Systems, or Risk Management.
• Experience: 2-5 years in cybersecurity, risk analysis, or compliance
• Certifications: CRISC, CISA, or Security+ preferred
• Tools Knowledge: Archer, LogicGate, ServiceNow GRC, RiskRecon, Splunk, Tenable, Excel/Power BI

What You Bring:

• Detailed-oriented with strong sense of accountability
• Eagerness to learn information security and governance practices
• Ability to analyze complex data, identify patterns, and assess risks.
• Ability to communicate (written & verbal) and collaborate with various business partners to manage enterprise security risks.

What You'll Gain:

• In-depth knowledge of security governance frameworks, risk management methodologies, and regulatory compliance requirements.

High school degree or equivalent required unless otherwise noted above

The job posting range is the lowest to highest salary we in good faith believe we would pay for this role at the time of this posting. We may ultimately pay more or less than the posted range, and the range may be modified in the future. An employee's pay position within the salary range will be based on several factors including, but limited to, relevant education, qualifications, certifications, experience, skills, performance, shift, travel requirements, sales or revenue-based metrics, and business or organizational needs and affordability.

This job is also eligible for variable pay.

We offer comprehensive package of benefits including paid time off, medical/dental/vision insurance, 401(k), and a suite of well-being benefits to eligible employees.

Note: No amount of pay is considered to be wages or compensation until such amount is earned, vested, and determinable. The amount and availability of any bonus, commission, or any other form of compensation that are allocable to a particular employee remains in the Company's sole discretion unless and until paid and may be modified at the Company's sole discretion, consistent with the law.

WHY Blue Cross Blue Shield of MA?

We understand that theconfidence gapandimposter syndromecan prevent amazing candidates coming our way, so please don't hesitate to apply. We'd love to hear from you. You might be just what we need for this role or possibly another one at Blue Cross Blue Shield of MA. The more voices we have represented and amplified in our business, the more we will all thrive, contribute, and be brilliant. We encourage you to bring us your true colors, , your perspectives, and your experiences. It's in our differences that we will remain relentless in our pursuit to transform healthcare for ALL.

As an employer, we are committed to investing in your development and providing the necessary resources to enable your success. Learn how we are dedicated to creating an inclusive and rewarding workplace that promotes excellence and provides opportunities for employees to forge their unique career path by visiting ourCompany Culturepage. If this sounds like something you'd like to be a part of, we'd love to hear from you. You can also join ourTalent Communityto stay "in the know" on all things Blue.

At Blue Cross Blue Shield of Massachusetts, we believe in wellness and that work/life balance is a key part of associate wellbeing. For more information on how we work and support that work/life balance visit our "How We Work" Page.