Sempra Infrastructure

Cybersecurity Analyst - Governance, Risk, and Compliance (GRC)

Location: Houston, TX
Job Type: Contract
On-site
Oil and Gas

About This Job

Primary Purpose

This role will lead initiatives to foster a strong cybersecurity culture across the organization, driving awareness programs and educational campaigns for our employees. The Cybersecurity Analyst is part of a broader cybersecurity team that ensures all system design, implementation, and standards protect Sempra's network from cyber-attacks. The Analyst of Governance, Risk, and Compliance (GRC) is focused on preventing security threats and ensuring laws and industry standards are upheld, working with a cross-functional team across various information security functions to conduct third-party assessments, cybersecurity clause reviews, exception request handling, SOC reviews, risk control evaluation, and threat intelligence monitoring.

Duties and Responsibilities

Technical Analysis & Delivery

Supports the implementation of the governance & risk frameworks, policy creation & management, IT control management, and security audits & assessments.

Manages issues and corrective action plans identified in risk assessments through closure.

Reviews cybersecurity clauses in contracts, applicability criteria, exception requests and mitigating controls in accordance with company policies and industry standards.

Conducts SOC II reviews and audits.

Monitors Cyber Threat Intelligence resources (such as Sempra, CISA, FBI, and others).

Proposes and implements innovative ways to establish adequate controls, optimize risk management, and improve continuous monitoring.

Coordinates cybersecurity assessments (such as maturity, risk, and penetration testing).

Develops and monitors cybersecurity KRIs and KPIs.

Increases the level of maturity in risk management and controls.

Communication & Stakeholder Management

Designs, implements, and manages a comprehensive Cybersecurity Awareness Program, including phishing simulations, threat education campaigns, and targeted training for high-risk roles.

Develops engaging content (videos, newsletters, infographics) to promote security best practices and reduce social engineering risks.

Coordinates Cybersecurity Ambassadors Community and champions cultural change initiatives across business units.

Functional Area Leadership

Acts as the primary point of contact for awareness-related metrics and reporting to leadership, ensuring visibility into human risk trends and program effectiveness.

Troubleshooting

Maintains good operational relationships with 3rd party risk assessment managed service providers to perform risk assessments, develop mitigation plans, and ensure appropriate service levels.

Ensures the team works closely with System Engineers to implement security controls and patches based on capability and need.

Contacts and coordinates vendor, carrier, and remote support when necessary to resolve high-impact security issues.

Documents problems and reports to management, engineers and/or peers.

Performs other duties as assigned (no more than 5% of duties).

Qualifications

Education

Bachelor's Degree in Computer Science, Information Technology, or equivalent relevant work experience.

Experience

4+ years' experience in Information Security, Cyber Security, or relevant roles.

2+ years' experience managing Governance, Risk, and Compliance of an organization with a complex Information Technology environment.

Knowledge, Skills, and Abilities

Bilingual in Spanish/English is a plus

Proven experience in cybersecurity awareness program design and delivery, including phishing simulations and behavioral risk reduction strategies

Strong communication and content development skills to engage non-technical audiences effectively

Knowledge of adult learning principles and experience leveraging e-learning platforms or gamified training tools

Strong understanding of security contract management and legal requirements.

Hands-on experience with enterprise GRC tools (e.g., ServiceNow, Archer).

Ability to implement global regulatory requirements surrounding data security & privacy (e.g., GDPR, CCPA, CPRA).

Understanding of relevant cybersecurity regulations and agencies pertinent to utility environments.

General understanding of cyber security operations functions, in areas such as incident response, security monitoring, threat and vulnerability, SOC and SOC service.

General knowledge of OT network infrastructure, SCADA/DCS systems, data/communication systems, and management systems.

General knowledge of security software architecture/programming concepts and security integration into SDLC.

Ability to manage a diverse technical workforce in multiple locations; ability to coach.

Personal drive and energy level to achieve superior results individually and through others.

Licenses and Certifications

Standard certifications in Information Security (CISSP, CISM, CISA, or equivalent)

Technical certifications (GRC related e.g. ISACA CRISC)

Equal Opportunity Employer Minorities/Women/Protected Veterans/Disabled
