Lead Security Analyst, Grc

Cronos Group is an innovative global cannabinoid company with international production and distribution across five continents. Cronos Group is committed to building disruptive intellectual property by advancing cannabis research, technology and product development. With a passion to responsibly elevate the consumer experience, Cronos Group is building an iconic brand portfolio. Cronos Group’s portfolio includes PEACE NATURALS, a global health and wellness platform and adult-use brand Spinach.

The Lead Security Analyst plans, monitors and executes compliance on all Cronos Group’s North American IT controls in alignment with requirements from the Security Operations Center (SOC). They play a critical role in identifying, escalating, and guiding remediation efforts with a heavy focus on continuous improvement in control processes.

**What you'll be doing**:

- Lead and execute the annual internal NIST CSF risk assessment
- Develop and implement a risk register process; perform quarterly risk register reviews and manage and monitor remediation and exceptions of risk
- Perform third party vendor security risk assessments
- Perform ITGC and NIST CSF security controls review, testing, and validation
- Initiate and assist with semi-annual and annual user access reviews for SAP, collecting evidence of necessary approvals to verify access levels are provided appropriately
- Drive a continuous improvement mentality, identifying opportunities to improve, standardize, and strengthen internal controls and compliance
- Build and maintain strong partnerships throughout the business to proactively identify existing and emerging risks and develop and update internal controls and corresponding documentation
- Collaborate with process owners to ensure controls testing is executed timely and accurately including updating master data files, evaluating test results, and developing remediation plans as needed In partnership with the Director, GRC and Internal Audit team, support efforts to raise awareness and knowledge of internal controls throughout the company, providing training to employees related to their controls responsibilities
- Perform user account reviews and privileged account reviews
- Develop and report metrics to measure the effectiveness of the GRC program

**You’ll need to have**:

- Bachelor's degree in information security, technology, risk management, business management or other related field
- 7+ years of IT audit, risk management, technology, compliance or other directly related experience
- In-depth knowledge in various key areas including Information Security, Identity and Access Management, Data Governance, Application Development and IT infrastructure principles, policies and procedures
- Knowledge of data and cyber technical control formation and implementation practices
- Knowledge of regulatory frameworks such as SOX, SOC 2, SEC, HIPAA, PCI and GDPR
- Experience using GRC tools such as AuditBoard to execute and manage audits, risk assessments, vendor security assessments, and risk register reviews Knowledge of industry security frameworks such NIST CSF, ISO 27001, and HITRUST CISA or CRISC certification highly desired
- Working knowledge with enterprise solutions including SAP and Onestream a plus
- Exceptional communication skills to articulate technical possibilities and limitations of systems to non-technical colleagues
- A knack for identifying and tackling “hard problems”, thinking creatively, and getting things done. You stay current on technology and are passionate about figuring out how to make processes, systems, functions, and experiences better
- Roll up the sleeves attitude with comfort transitioning between tactical execution and strategic thinking
- Capable of building trust with stakeholders, positioning yourself as a trusted advisor to your business partners
- Sound decision making skills; can swiftly assess risks, analyze complex situations and determine next course of action
- Adaptable and organized; capable of managing efforts and dynamically prioritizing multiple work-streams with a positive attitude