Job Summary:
UFP Industries is seeking a Sr. Cybersecurity Risk Analyst to lead and mature their cybersecurity risk management program. This role involves identifying and assessing cybersecurity risks, ensuring compliance with regulatory requirements, and developing risk management processes while collaborating with IT teams.
Responsibilities:
• Lead the development and ongoing maintenance of the enterprise cybersecurity risk register, including risk identification, classification, ownership, and tracking.
• Conduct and lead risk assessments for systems, applications, projects, and business initiatives.
• Develop and implement risk management processes, methodologies, and reporting metrics.
• Facilitate risk review sessions with business and IT stakeholders to ensure accountability and transparency.
• Develop and track risk mitigation and remediation plans to closure.
• Support and maintain the organization’s CMMC compliance program, including control mapping, evidence collection, and audit readiness.
• Partner with internal stakeholders (IT, Legal, HR, Plant Operations) to ensure alignment with CMMC and other regulatory requirements.
• Assist in preparing documentation and responses for assessments, audits, and regulatory inquiries.
• Monitor evolving compliance requirements and translate them into actionable internal controls.
• Develop and mature a third-party cybersecurity risk management program.
• Conduct security risk assessments of vendors, SaaS providers, software, and external partners.
• Evaluate vendor security posture, shared responsibility models, and contractual security requirements.
• Partner with procurement and legal teams to integrate security requirements into vendor onboarding and contracting processes.
• Collaborate with IT and engineering teams to develop, implement, and maintain cybersecurity standards and secure configuration baselines.
• Ensure security requirements are embedded into system design, architecture, and operational processes.
• Provide risk-based guidance on system hardening, segmentation, and control implementation.
• Support the development of policies, standards, and procedures that are practical, enforceable, and auditable.
• Communicate risk findings, trends, and recommendations to technical and non-technical stakeholders, including leadership.
• Develop reporting for executive audiences, including risk summaries, metrics, and program maturity updates.
• Support audit committee and leadership reporting as needed.
• Stay current on cybersecurity threats, regulatory changes, and industry best practices.
• Identify opportunities to improve risk visibility, coverage, and program efficiency.
• Mentor junior analysts and contribute to the maturity of the GRC function.
Qualifications:
Required:
• Bachelor’s degree in Information Security, Computer Science, or related field (or equivalent experience).
• 5+ years of experience in cybersecurity risk, governance, or compliance roles.
• Experience building or maintaining a cybersecurity risk register and risk management processes.
• Strong understanding of security frameworks (e.g., NIST, CMMC, ISO 27001).
• Experience conducting third-party/vendor risk assessments.
• Strong analytical, problem-solving, and risk evaluation skills.
• Ability to translate technical risks into business impact.
• Strong written and verbal communication skills.
Preferred:
• Experience supporting CMMC assessments or similar regulatory compliance programs.
• Familiarity with manufacturing or operational technology (OT) environments.
• Experience developing security standards or working closely with infrastructure and engineering teams.
• Professional certifications such as CISSP, CISM, CRISC, or similar.
Company:
UFP Industries manufactures and sells a variety of products used in residential and commercial construction, such as wood decks and lumber. Founded in 1955, the company is headquartered in Michigan, USA, with a team of 10001+ employees. The company is currently Late Stage.