Sr Information Security Analyst – Defensive Security

Location: Pittsburgh, PA

Job Type: Full Time / Permanent

The Senior Information Security Analyst is a hands-on role focused on defensive security. This role requires a broad, deep level of ecommerce experience, technical expertise, and information security experience. The Senior Information Security Analyst collaborates with Information Technology leaders, architects, engineers, and administrators; outside service providers; business users; and Information Security to assess and manage risk; provide system, network, and data security consulting and assurance; design, select and deploy technical solutions and controls to meet security and business requirements; and implement secure system engineering processes, standards, and tools. The Senior Information Security Analyst is a mentor to security team members and an escalation resource.


  • Serves as the primary security resource, playing a key collaborative, influencing and consultative role in system, network, and data protection and the secure system engineering lifecycle.
  • Drives the development, implementation, and operation of application security controls, practices, tools, and services.
  • Collaborates with and guides Information Technology leaders, architects, engineers, and administrators; outside service providers; business users; and Information Security to identify and implement security requirements and solutions:
    • Solution architecture, information architecture, security architecture
    • Risk assessment, threat modeling, and business systems analysis
    • Vulnerability management
    • Malware and endpoint protection
    • Enterprise Data Loss Prevention
    • Intrusion Prevention
    • Security consulting to staff and service providers
    • Penetration testing, remediation and verification
    • Solution review and assurance; release management and change control
    • Communication, facilitation and consensus building
  • Monitors security information and event management and logs for unusual events. Identifies trends and recommends solutions.
  • Reports to and advises management concerning residual risk, vulnerabilities and other security exposures, including misuse of information assets and noncompliance.
  • Collaborates with management to facilitate security and compliance reviews (e.g. PCI, SOX, Audits) and address any potential exceptions.
  • Collaborates on and influences the approach of critical IT projects to ensure that security issues are addressed throughout the project life cycle.
  • Designs and develops security processes and procedures, and supports service-level agreements (SLAs), to ensure that security controls are managed and maintained.
  • Specifies, develops and analyzes operational reports to monitor and track whether performance metrics are aligned with defined Service Level Agreements and security requirements.
  • Specifies, researches, evaluates and recommends information-security-related hardware and software, including developing business cases for security investments.
  • Serves as point of contact to solve complex problems by means of systematic and disciplined troubleshooting.
  • Develops and disseminates information security operations documentation.
  • Depending on the scope of the role, the Senior Information Security Analyst may be asked to fulfill one or more of the following duties.
  • Provides second- and third-level support and analysis during and after a security incident.
  • Guides security administrators, analysts and IT staff in the resolution of complex security incidents.
  • Helps lead security investigations as incident response coordinator.
  • Acts as a liaison between incident response leads and subject matter experts.
  • Collaborates with internal and external auditors and assessors. Receives audit findings, and manages the collection of responses and remediation plans with owners.
  • Influences the information security governance process to define control recommendations that are both efficient and effective.
  • Provides oversight and management of complex audit finding remediation.
  • Tracks and analyzes existing and proposed security-standard-setting groups, state and federal legislation and regulations pertaining to information security. Identifies regulatory changes that will affect information security policy, standards and procedures, and recommends appropriate changes.

Education & Experience:

  • Five to ten years’ defensive security experience.
  • Bachelor’s degree in information systems or equivalent work experience.
  • Information security certification preferred.
  • Broad and deep knowledge and understanding of information risk concepts and principles, as a means of relating business needs to security controls.
  • Broad and deep knowledge of defensive security frameworks, technical solutions, and leading practices.
  • Broad and deep knowledge of system and network engineering and systems integration.
  • In-depth knowledge of risk assessment and threat modeling methods, frameworks and technologies.
  • Knowledge of and experience in influencing, developing and documenting security architecture and plans, including strategic, tactical and project plans.
  • Deep experience with a variety of information security systems and tools, such as Security Information and Event Management, Application Vulnerability Management, Infrastructure Vulnerability Management, Intrusion Detection/Prevention, Web Content Filtering, Anti-Virus/Malware and Data Loss Prevention.
  • Expertise in PCI and SOX requirements.
  • Accountable for attention to detail and accuracy in performing job functions; influences other team members.
  • Role model for security integrity and confidentiality regarding the information and access required to perform job duties.
  • Strong analytical skills and complex problem management experience. Relies on experience and judgment to plan and accomplish goals.
  • Demonstrates creativity and business acumen combined with analysis, critical thinking and problem-solving skills.
  • Comfortable facilitating risk, business impact, control and vulnerability assessments.
  • Broad, deep experience in developing, documenting and maintaining security policies, processes, procedures and standards. Experience with scripting and security automation.
  • Expertise in network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.
  • Strong analytical problem-solving skills to analyze complex security requirements and relate them to appropriate security controls.
  • Ability to interact with personnel at all levels and across all business units and organizations, and to add value to business imperatives.
  • Strong written and verbal communication skills.
  • A strong customer/client focus, with the ability to manage expectations appropriately, to provide a superior customer/client experience and build long-term relationships.