JOB LOCATION
Aurora, Colorado 80016-2946
City of Aurora, Colorado
It is an exciting time to work for the City of Aurora. We're growing and looking for dedicated and collaborative individuals to join our team of talented and valued employees. Excellent organizations have a set of principles, or core values, that are used to implement their mission and vision. Those values represent the touchstone for the organization, guiding the decisions of the individuals and the organization. At the City of Aurora, we demonstrate our excellence by modeling the CORE 4 Values of: Integrity, Respect, Professionalism, and Customer Service, and we welcome all who share these values to apply.
Why Work for Aurora?
- Make a difference in the lives of real people every day
- Diverse community
- Competitive total compensation package
- Well-Funded General Employees Retirement Plan
- Light rail station minutes away
- On-site fitness center and overall employee well-being programs
- Internal educational programs to assist with career advancement
- Access to innovation workspaces
PRIMARY DUTIES & RESPONSIBILITIES
Hiring Salary:
Analyst: $86,772 - $108,466/year
Senior Analyst: $99,788 - $124,736/year
This position will be posted until filled. However, it is subject to close at any time once a qualified pool of applications is obtained.
OVERVIEW OF JOB
Aurora Water is seeking an experienced cybersecurity professional to oversee and enhance the security posture of our critical infrastructure in compliance with the latest industry standards. The successful Business Operations Security Analyst or Senior Analyst (BOSA) candidate will lead cybersecurity initiatives to protect the water utilities' Operational Technology (OT) and Information Technology (IT) environments, ensuring resilient and secure water services. They will balance the needs of cybersecurity against the production needs of a water utility. They will engage all levels of the business to identify risk and work with both business leadership and the Chief Information Security Officer (CISO) to design and execute on risk assessment, remediation, and the maturation of information protection processes that will support AW's compliance with industry, federal, and legal requirements as well as city security and privacy requirements. This includes adhering to guidance from the American Water Works Association (AWWA).
The role will report through the Aurora Water organization, with a line of responsibility to the CISO. The role will serve as a communicator, ensuring alignment and understanding between all parties to achieve optimal security outcomes. This role will closely coordinate with the Information Security Office's (ISO) Engagement team to evaluate and consult around information security and privacy risk.
Common Primary Duties & Responsibilities
- Drive adoption of good information and system protection practices by building strong business relationships, understanding the business risk and needs, and collaborating with the business as a trusted subject matter expert (SME) to support inquiries and adopt innovative technologies
- Coordinate with AW leadership and the CISO to develop metrics and reporting, as well as quarterly Customer Business Reviews (CBRs) to inform the business and ISO on program efficacy and effectiveness, as well as identify risks and solutions
- Offer business strategies and processes to ensure security-by-design, regulatory compliance and requirements for confidentiality, availability and integrity are met
- Research, compile, and consistently present information on the cost and benefits of different risk mitigation approaches to enable management to make informed decisions
- Partner with Risk & Compliance to assess new IT or OT software products, applications, and platforms for potential security risk and vulnerabilities
- Ensure that new software purchases have Master Service Agreements (MSA) appropriate for the risk presented
- Build a culture of cybersecurity by developing and delivering cybersecurity training to staff
- Support the development of a comprehensive cybersecurity strategy aligned with AWWA guidelines, Water Infrastructure Act and NIST Standards
- Review Incident Response plans for the OT network and conduct regular exercises to ensure readiness.
- Create and prioritize plans to restore SaaS systems quickly after an incident and ensure proper testing
- Coordinate risk assessments and penetration testing of AW OT infrastructure and the AW IT technology portfolio, and report findings and recommendations for resolution
- Track risk findings and coordinate with the appropriate parties on remediation efforts for identified vulnerabilities, especially those that could impact critical operations
- Inform the Security Operations and Risk & Compliance divisions on how best to deploy security tooling based around the production needs of the utility
- Partner with the Security Operations and Risk & Compliance divisions of the ISO, OT Networking staff, and IT Networking staff to ensure security tooling is deployed, tuned, and effective in meeting governance requirements and adhering to regulatory requirements
- Coordinate the resolution of confidentiality, availability, and data integrity issues with stakeholders and partners
- Respond to emergencies and other incidents as required and participate in investigations and remediation efforts
- Serve as the cybersecurity coordinator between ISO and AW during internal and external audits, working with the CISO, Risk and Compliance, and AW leadership to ensure audit requests are fulfilled and progress to address findings is measured
- Stay up to date with relevant legislation, industry standards, and best practices to ensure the ISO is prepared to secure against emerging threats
- Participate in Water Information Sharing & Analysis Center (WaterISAC)
- Performs other related duties and special projects as assigned
Senior Analyst Additional Duties:
- Lead the assessment of security controls to safeguard control system OT networks
- Develop and present formalized risk assessments and mitigation strategies at the direction of the CISO
- Maintain performance metrics and participate in Customer Business Reviews (CBRs)
- Create and lead tabletop and functional exercises for incident response planning
- Provide leadership in aligning security tools and policy with operational needs
- Serve as lead SME for cybersecurity initiatives specific to Enterprise IT and OT for Aurora Water. This includes collaborating with Security Operations and OT in the design and implementation of layered security controls to prevent disruption of critical water operations
- Support and assist the ISO in the performance of forensic investigations following cybersecurity events and incidents, synthesizing technical findings into executive-level reports and recommendations for preventive action
- Support and assist the ISO in the performance of vendor security evaluations for third-party technology solutions, act as a SME in the negotiation of security terms in Master Service Agreements (MSAs), Statements of Work (SOWs), and Data Sharing Agreements (DSAs), and oversee treatment and resolution.
- Represent Aurora Water on interagency working groups, cybersecurity task forces, and emergency preparedness committees focused on infrastructure resilience and threat intelligence sharing
- Develop and maintain a multi-year cybersecurity roadmap, incorporating regulatory compliance milestones (e.g., America’s Water Infrastructure Act), evolving threat landscapes, and emerging technologies in coordination with the CISO and OT.
- May mentor Analyst-level team members, review their work, and act as technical escalation point
- Performs other related duties and special projects as assigned
This job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee. Duties, responsibilities, and activities may change, or new ones may be assigned at any time with or without notice.
MINIMUM QUALIFICATIONS & WORKING CONDITIONS
An equivalent combination of education, certifications, training, and experience that demonstrates required knowledge, skills, and abilities may be considered.
Education:
- Bachelor’s degree in computer science, information technology, engineering, or a related field.
Experience:
- Minimum of 4 years of experience in cybersecurity that includes information security, audit, technology risk assessment, or operations of OT, SCADA, or ICS environments
- Senior Analyst: Minimum of 6 years of experience in cybersecurity that includes information security, audit, technology risk assessment, or operations of OT, SCADA, or ICS environments