
Cybersecurity Risk Analyst

Executive Office of Technology Services and Security
Boston, MA Contractor
POSTED ON 5/15/2026
AVAILABLE BEFORE 6/13/2026

About EOTSS

The Executive Office of Technology Services and Security (EOTSS) is the Commonwealth’s lead IT and cybersecurity organization, providing enterprise technology services to over 125 agencies and 43,000 employees. EOTSS delivers secure, reliable digital services that support residents, businesses, and state operations.


Position Summary

The Cybersecurity Risk Analyst supports the Enterprise Risk Management (ERM) program and contributes to Governance, Risk, and Compliance (GRC) activities across the Commonwealth. The incumbent performs risk assessment, compliance monitoring, audit support, and program coordination functions.

This role requires demonstrated experience in cybersecurity, IT risk, or compliance and the ability to manage multiple assignments in a collaborative, multi-agency environment.


The primary work location for this role will be One Ashburton Place, Boston, Massachusetts 02108. The work schedule for this position is Monday through Friday, 9:00AM – 5:00PM EST. This position is expected to follow a hybrid model of reporting to work that combines in-office workdays and work-from-home days as needed.


Duties and Responsibilities

  • Conduct cybersecurity and enterprise risk assessments, including identification of threats, vulnerabilities, and impacts
  • Document and track risk mitigation strategies and remediation activities
  • Evaluate and document control effectiveness aligned to established frameworks (e.g., NIST, CIS, ISO)
  • Execute ERM program processes, including third-party risk reviews and tabletop exercises
  • Track program deliverables, risks, issues, and dependencies across initiatives
  • Maintain risk registers, documentation, and reporting artifacts
  • Assist in development and maintenance of ERM policies, procedures, and templates
  • Prepare reports and communications for technical and non-technical stakeholders
  • Coordinate with agency stakeholders to support timely completion of risk and compliance activities
  • Support process improvement initiatives, including automation of manual workflows
  • Perform other duties as assigned


Required Qualifications

  • At least one (1) to three (3) years of experience in cybersecurity, information technology, risk management, compliance, or audit
  • Knowledge of enterprise risk management principles, with emphasis on cybersecurity risk
  • Familiarity with cybersecurity and control frameworks (e.g., NIST, CIS Controls, ISO 27001)
  • Understanding of IT environments, including applications, infrastructure, and third-party vendors
  • Ability to support audit and compliance activities, including control evaluation
  • Strong organizational skills and attention to detail
  • Ability to manage multiple assignments and meet deadlines
  • Effective written and verbal communication skills
  • Ability to work independently and as part of a team


Preferred Qualifications

  • Bachelor’s degree in Cybersecurity, Information Technology, Risk Management, or related field
  • Experience with ServiceNow IRM or other Governance, Risk, and Compliance (GRC) tools or platforms
  • Experience with third-party/vendor risk management processes
  • Experience working in a public sector or regulated environment


Competencies

  • Analytical Skills: Ability to assess risk, evaluate controls, and interpret data
  • Attention to Detail: Accuracy in documentation, tracking, and reporting
  • Communication: Clear and effective communication with technical and business stakeholders
  • Organizational Skills: Ability to prioritize and manage multiple tasks
  • Collaboration: Works effectively across teams and agencies
  • Adaptability: Adjusts to changing priorities and evolving risk environments

Salary: $70 - $78



