Find your next role

• Job ID: 54177
• Job Category: Information & Technology
• Division & Section: Office of the CISO, Cyber Operations
• Work Location: , Metro Hall, 55 John Street, Toronto (Hybrid)
• Job Type & Duration: Full-time, Permanent
• Salary: $122,305.00 - $163,639.00, PSG #TM5098 and wage grade 8.
• Shift Information: Monday to Friday, 35 hours per week per week
• Affiliation: Non-Union
• Number of Positions Open: 2
• Posting Period: 24-FEB-2025 to 3-MAR-2025

The Senior Specialist (Risk Management) supports the Manager of Risk Management (Centre of Excellence) and the Chief Information Security Officer (CISO) in maintaining a city-wide cybersecurity program that enhances organizational protection. This role provides strategic expertise in cyber risk management by identifying, assessing, and mitigating risks across City divisions, agencies, and corporations. Leading the development and execution of governance, risk, and compliance (GRC) frameworks, this position ensures alignment with regulations, best practices, and corporate policies while overseeing risk remediation planning, monitoring compliance efforts, and advising senior leadership on key risk-related decisions.

A key responsibility includes overseeing the implementation of risk mitigation strategies in collaboration with stakeholders. The Senior Specialist leads the GRC program by developing policies, frameworks, and controls to manage enterprise risks while providing expert guidance on regulatory compliance, internal controls, and risk mitigation strategies to support business objectives. Monitoring emerging risks, industry trends, and regulatory changes allows for proactive adjustments to risk management approaches. Additionally, risk reports, dashboards, and presentations for executive leadership highlight key exposures and recommended actions. Training programs are also developed and delivered to promote a risk-conscious culture across the organization.

Collaboration with senior leaders and cross-functional teams integrates risk management into strategic planning and decision-making. Research into emerging developments, corporate policies, legislation, and government initiatives ensures the organization remains informed and proactive. Budget input is provided to maintain control over expenditures within approved limits. As a subject matter expert, the Senior Specialist identifies potential exposures, conducts reviews, and offers strategic advice on cybersecurity issues, ensuring risks are detected, mitigated, and properly managed. Acting as the primary point of contact for cyber risk matters, this role determines cybersecurity requirements for business strategies and develops security strategies within industry-accepted frameworks.

Additional responsibilities include evaluating and recommending technical solutions and professional services, identifying emerging security technologies, and analyzing organizational impacts of new requirements. Innovative solutions are coordinated using conflict resolution and negotiation skills to address sensitive and complex cyber risk matters. Transformation strategies focused on security are developed, integrating and managing new or existing technology systems to improve operational efficiency and enhance threat detection, response, and remediation capabilities. Significant cyber risk issues are escalated to senior management when necessary, with expert assessments and recommendations provided on confidential organizational matters.

To ensure the security of the City’s cyber infrastructure, the Senior Specialist participates in the development, implementation, and monitoring of security tools that collect confidential information on infrastructure and application vulnerabilities. Close collaboration with senior management addresses active internal and external cyber threats, with recommendations made to mitigate risks and immediate action taken as needed. Responsibilities also include assessing organizational risks, recommending policy and structural changes, and proactively identifying gaps and opportunities for improvement.

Working with multidisciplinary teams, this role formulates and executes project plans using established project management methodologies. Cyber risk activities performed by project teams are monitored, while processes and controls are reviewed to ensure compliance with the City’s information risk policies and standards. Coordination of project resources, prioritization of tasks, and support for cybersecurity policy and procedure development are also key functions.

Clear and comprehensive information-sharing is essential in this role. The Senior Specialist communicates with stakeholders, clients, and project managers regarding technical decisions, solution delivery, business processes, and risk mitigation strategies. Formal contractual documents, including RFX and Service Level Agreements, are prepared and overseen while ensuring accurate reporting of key risk metrics aligned with the City’s cyber risk appetite.

Building and maintaining strong relationships with internal and external stakeholders is crucial. This position establishes partnerships to advance cyber programs, participates in executive-level meetings to review the City’s cybersecurity posture, and stays current on emerging threats, trends, and technologies. By leveraging subject matter expertise, the Senior Specialist continuously enhances risk management strategies, ensuring the City remains resilient against evolving cyber risks.

What you bring to the role

• Post-secondary degree in Business, Technology or related discipline or an equivalent combination of education and related experience.
• Extensive experience in Risk Management primarily focused on cyber risk management, coupled with extensive knowledge of elements of risk, including vulnerability, threat, likelihood, impact, mitigation, and remediation.
• Extensive expertise in Information Security or Governance, Risk & Compliance (GRC).
• Extensive experience in conducting third-party assessments, especially on small and medium-sized service providers.
• Extensive experience in a Soc 2 Type II report and SOC 27001 Certification.
• Experience developing and implementing cyber policies and standards across an enterprise.
• Experience in conducting PCI assessments or preparing an organization for PCI audits.
• Experience conducting risk assessments based on NIST cyber security framework and related standards.
• Experience leading a team (internal or external resources) with strong interpersonal skills to work independently and collaboratively with others in a multidisciplinary team setting.
• Preferred Certifications (at least two in the list): CISSP, CISA, CISM, CRISC.
• Excellent written & verbal communication skills with the ability to communicate effectively at all levels including leadership, business partners, project stakeholders, divisional teams and vendors).
• Ability to assess communications gaps and opportunities and to develop new content strategies that deliver on business objectives.
• Creative, critical, analytical and strategic thinker with the ability to problem, solve and identify solutions to unusual and complex problems.
• Ability to achieve business objectives through influencing and effectively working with key stakeholders.
• Ability to prioritize and effectively manage competing priorities, projects and initiatives while adhering to strict deadlines within a fast paced environment.
• Highly organized, proactive, self-motivated team player who takes initiative and is able to work independently.
• Ability to create content, toolkits and awareness materials that support the success of transformative divisional programs.
• Self-motivated with desire to go above and beyond required tasks and ability to work extremely well under pressure while maintaining a high level of professionalism.
• Transferable skills, including business transformation and decision-making, are equally important. Being able to think on your feet and show good judgment are especially valuable in this field. Professionals in cyber security must be able to react quicky and strategically to cyber-related incidents.

Notes:

• A normal work week is 35 hours, however, unforeseen situation may require extended hours of work with little or no prior notice. In case of a cyber incident or breach, rotation shift, continuous extended hours may be required with little or no prior notice.
• The successful candidate will be subject to a police check, background check, psychological assessment and/or any other checks on a regular basis as the Office of the CISO handles highly sensitive and confidential information.

Equity, Diversity and Inclusion

The City is an equal opportunity employer, dedicated to creating a workplace culture of inclusiveness that reflects the diverse residents that we serve. Learn more about the City’s commitment to employment equity.

Accommodation

The City of Toronto is committed to creating an accessible and inclusive organization. We are committed to providing barrier-free and accessible employment practices in compliance with the Accessibility for Ontarians with Disabilities Act (AODA). Should you require Code-protected accommodation through any stage of the recruitment process, please make them known when contacted and we will work with you to meet your needs. Disability-related accommodation during the application process is available upon request. Learn more about the City’s Hiring Policies and Accommodation Process.