We are Domosapiens: uniquely skilled, passionate data lovers anchored in a culture of connectivity. We are transforming the way business is managed by putting real-time data into the hands of every decision maker across organizations. Diversity is valued here because homogenized teams create echo chambers, and nobody benefits from that. The insight garnered from diverse backgrounds, perspectives and lived experiences results in pioneering innovations across the organization and better experiences for our customers. The more diverse our talent, the more impactful the Domosphere becomes.

Position Summary

The Senior Analyst, Cybersecurity Risk and Compliance is a key member of Domo’s Information Security, Risk and Compliance team responsible for evaluating and supporting initiatives covering information security, policy, risk management, data classification, vendor management, privacy, audit, and awareness. This position assists other members of the Information Security and Compliance team with identifying and assessing potential information security risks, recommending mitigations and helping the risk owners drive the implementation of mitigations to reduce the risk to an acceptable level. In addition, this position assists with performing security assessments and monitoring and tracking compliance status; developing and improving processes, procedures, standards and guidance; providing guidance on security control implementation; and defining and implementing process improvement and maturity initiatives. The position will also be responsible for assisting in developing policies and procedures and evaluating risks and controls to support the company’s Federal Information Security Management Act (FISMA) Security Accreditation (FedRAMP), ISO 27001, ISO 27018, SOC 1, SOC 2, HIPAA, HITRUST and other regulatory and compliance initiatives. Success in this role requires a good understanding of information security best practices, strong security knowledge, ability to understand and communicate risk and controls, organization, planning, good communication and writing skills.

Key Responsibilities

  • Lead the risk-based approach to help develop security strategy and lead and execute various risk-driven tasks based on those strategies;
  • Perform and/or facilitate information security risk assessments, report on findings and recommend mitigations;
  • Lead the program to effectively and efficiently analyze security risks using real-world security data and systems automation;
  • Lead and analyze the security of new or existing applications, product features, software, or specialized utility programs and provide risk recommendations;
  • Manage remediation of identified risks and vulnerabilities; identify those within the organization responsible for remediation tasks and negotiate dates for remediation to be complete;
  • Manage the tracking of progress on remediation of identified risks and vulnerabilities and provide appropriate reporting to all constituents;
  • Support our Sec Ops, Sec Engineering, and Compliance teams to develop risk/vulnerability assessment programs to aid in the identification and mitigation of security risks and document specific security issues, propose resolution options, and interpret matters from the perspective of involved stakeholders;
  • Gather relevant information from internal and external assessments and/or audits of information technology systems and processes, interpret results, and develop and communicate recommendations to management;
  • Develop, build and maintain the controls matrix, in alignment with multiple compliance frameworks, including SOC 1 & SOC 2, ISO 27001, ISO 27018, FedRAMP, HITRUST, and HIPAA;
  • Lead the establishment of rules for risk analyses and security assessments, which includes addressing controls defined by FIPS 199, NIST SP 800-37, NIST SP 800-53 and NIST SP 800-171 for both business operations and technical implementations throughout the company.

Job Requirements

  • Bachelor's degree in Computer Science, Information Technology or a related field, or equivalent job experience;
  • Minimum of 5 years' experience in security risk management, compliance, audit, and information security;
  • CISSP, CISM, CISA, CCSA or equivalent certification preferred;
  • Familiarity with enterprise-level compliance tools such as ServiceNow, Archer, IBM GRC or other industry equivalent software;
  • Knowledge and experience in FedRAMP, NIST SP 800-53 Rev 4, NIST SP 800-37, FISMA, NIST RMF, NIST FIPS 199, ISO 27001, ISO 27018, SSAE 18, HIPAA and HITRUST;
  • Experience in cloud-based environments for production applications, including Amazon Web Services, Microsoft Azure, GCP or other large scale cloud deployment;
  • Understanding of risks and controls as they pertain to firewalls, IDS/IPS systems, malware controls, URL filtering tools, anti-spam systems, BYOD controls, DLP, VPN, web application firewalls, endpoint security controls, OS hardening, multi-factor authentication, encryption key management, mobile device management, wireless security, full disk encryption, database security controls, containers, and network segmentation;
  • Good advisory skills; able to get acknowledgement and commitment on assessment results and proposed mitigations across stakeholders with different interests;
  • Strong analytical skills;
  • Relationship builder; able to create and maintain a trusted network on all levels;
  • Good communication, influencing and negotiating skills.

Domo is an equal opportunity employer.  


Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the self-identification survey below. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Domo’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Form CC-305

OMB Control Number 1250-0005

Expires 05/31/2023

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

We are a federal contractor or subcontractor required by law to provide equal employment opportunity to qualified people with disabilities. We are also required to measure our progress toward having at least 7% of our workforce be individuals with disabilities. To do this, we must ask applicants and employees if they have a disability or have ever had a disability. Because a person may become disabled at any time, we ask all of our employees to update their information at least every five years.

Identifying yourself as an individual with a disability is voluntary, and we hope that you will choose to do so. Your answer will be maintained confidentially and not be seen by selecting officials or anyone else involved in making personnel decisions. Completing the form will not negatively impact you in any way, regardless of whether you have self-identified in the past. For more information about this form or the equal employment obligations of federal contractors under Section 503 of the Rehabilitation Act, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Autism
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, or HIV/AIDS
  • Blind or low vision
  • Cancer
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or hard of hearing
  • Depression or anxiety
  • Diabetes
  • Epilepsy
  • Gastrointestinal disorders, for example, Crohn's Disease, or irritable bowel syndrome
  • Intellectual disability
  • Missing limbs or partially missing limbs
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, or multiple sclerosis (MS)
  • Psychiatric condition, for example, bipolar disorder, schizophrenia, PTSD, or major depression

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.