Cybersecurity Risk Analyst
at Amer Sports
8GBM, Bayern, Germany
Start Date | Expiry Date | Salary | Posted On | Experience | Skills | Telecommute | Sponsor Visa |
---|---|---|---|---|---|---|---|
Immediate | 26 Dec, 2024 | Not Specified | 01 Oct, 2024 | N/A | Good communication skills | No | No |
Description:
Hybrid, Garching bei München
Are you passionate about safeguarding businesses from cybersecurity threats? Do you excel in risk analysis and want to make a significant impact in a global environment? Amer Sports is seeking a dedicated Cybersecurity Risk Analyst to join our team in Munich. In this role, you will work closely with business and IT teams to identify, assess, and mitigate cybersecurity risks, ensuring our projects are secure by design.
Tasks
- Risk Assessment & Security by Design: Conduct security risk assessments in line with ISO 27005 and internal methodologies, ensuring security is embedded throughout project lifecycles, from initial analysis to final delivery. Collaborate with project teams to provide security recommendations, document assessments, and track remediation plans.
- Security Review & Technical Support: Evaluate security architectures, cloud and network integrations, and critical applications, identifying objectives and defining remediation plans. Assist Sec DevOps teams and security champions with CI/CD security, API security, and secure architecture, acting as a cybersecurity expert and advisor.
- Stakeholder Engagement & Framework Enhancement: Serve as a cybersecurity e, advising business and IT stakeholders on best practices and security solutions. Lead or contribute to projects aimed at improving security frameworks, maturity levels, and developing KPI/KRI dashboards to monitor progress.
- Control & Compliance Management: Oversee the implementation of security controls, working closely with the GRC team to ensure compliance and create actionable plans. Maintain and update the cybersecurity risk register, tracking strategic and operational risks, and ensuring effective communication with all relevant parties.
- Training & Awareness: Lead risk awareness training sessions for new product owners and project managers, fostering a culture of cybersecurity within the organization. Organize and manage penetration tests, vendor audits, and other security validation efforts to ensure infrastructure and applications meet security standards before going live.
Requirements
- Experience: Minimum of 5 years in a similar role or in GRC-related positions (IT audit, risk management, advisory) within a similar industry.
- Certifications: One or more of the following certifications is highly desirable:
  - ISO 27001 Lead Auditor or Lead Implementer
  - Risk Manager ISO 27005
REQUIREMENT SUMMARY
Min: N/A, Max: 5.0 year(s)
Information Technology/IT
IT Software - Network Administration / Security
Finance
Graduate
Proficient
1
85748 Garching bei München, Germany