Cyber Security Analyst – Bærum
Introduction
Work Location: Bærum
Duration: 29.09.25 – 31.12.27
Dovre Group is a trusted global provider of high-value project management services. We have over 30 years of experience as a global provider of project professionals and engineers for large investment projects within our Project Personnel business area. As a leading provider of services to operating and engineering companies, we are committed to providing our clients with the best possible service. All our candidates go through an extensive selection process supported by ISO 9001. To secure the best match for a project, we take time to get to know the person behind the CV.
Function
• Full time position as consultant in a project organization
• Requesting startup September 2025, or when the right candidate is available. Phased startup at less than full time as part of the engagement is acceptable.
• Estimated end date H2-2027
• Primary work location Stavanger or Oslo / Fornebu with rotation to Stavanger on scheduled basis.
Key responsibilities
Cyber Risk Analysis
• Be part of the project team and assist in testing and validating technical solutions that could potentially be a cyber threat.
• Identify and work with the project teams to assess risks and guide teams and suppliers to implement more robust solutions if necessary.
• Work with project and operations teams providing identification, assessment, and management of cybersecurity risks across systems, applications, and business processes.
• Perform needed threat modeling and vulnerability risk assessments to support secure system design and implementation.
• Through the established base and project organization, be part of the monitoring workforce that identifies internal and external threat landscapes and provides actionable intelligence to stakeholders.
• In the context of cyber, develop and maintain risk registers and present findings to senior leadership and other relevant stakeholders.
• Collaborate with IT and business units to define risk treatment plans and track mitigation efforts.
Governance, Risk & Compliance (GRC)
• Maintain and enhance the Information Security Management System (ISMS) and ensure alignment with ISO 27001, NIST CSF, and other relevant frameworks.
• Conduct regular compliance reviews, gap analyses, and audits to ensure adherence to internal policies and external regulations (e.g., GDPR, PCI DSS, HIPAA).
• Support the development and maintenance of security policies, standards, procedures, and guidelines.
• Prepare and present reports for internal and external audits, certifications, and regulatory reviews.
• Lead risk and control assessments, including third-party risk reviews and vendor due diligence.
Skills within collaboration
• Act as a subject matter expert on cyber risk and GRC best practices.
• Work alongside project, operations and supplier teams with the “one team” mindset, enabling collaboration and positive progress to ensure we reach the common goal of an infrastructure and systems portfolio with the least number of cyber threats.
• Work cross-functionally with OT, IT, audit, suppliers, system vendors, hardware vendors and business units to embed security into organizational culture and processes.
• Being a team player is key for our progress, but if you discover cyber threats in a design you must have the guts to stand up for your findings and opinions and be resolute speaking up in a crowd.
Primary tasks
• Risk Assessments:
o Conduct risk assessments to identify vulnerabilities and threats to the organization’s information systems, temporary project offices, data transport methods, and more.
o This work will be performed primarily during the commissioning and handover-to-operations phase of the project. This means there will be a steady stream of system evaluations and follow-ups with project teams and vendors on technical details.
o Hands-on penetration testing where needed. This will be determined based on risk processes and project priorities.
o System design review
• Risk Mitigation:
o Develop and implement strategies to mitigate identified risks and reduce the organization’s exposure to cyber threats.
o Follow up on specific implementations of improvements to systems design and configurations.
• Compliance Management:
o Ensure compliance with relevant regulations, standards, and best practices (e.g., GDPR, ISO 27001, NIST).
o At a detailed level, this also dictates that project-specific requirements might require workarounds that trigger related systems to adjust to comply with cyber requirements, so completed analyses of systems might have to be re-evaluated.
• Policy Development:
o Implement and maintain cybersecurity and GRC policies, procedures, and frameworks.
• Incident Response:
o Coordinate incident response efforts, including investigation, containment, eradication, and recovery.
• Threat Monitoring:
o Work with operational teams in IT and OT to ensure we monitor and analyze emerging cyber threats and vulnerabilities, providing timely updates and recommendations.
• Physical site inspection:
o When required, travel to the project site to do physical inspections with relevant teams like IT, OT and Security. Follow up on any previous findings, and evaluate whether new threats need to be raised as risks and mitigated.
• Documentation Management:
o Maintain accurate and up-to-date documentation of project related GRC processes, procedures, and incident response plans.
• Stakeholder Communication:
o Communicate effectively with stakeholders at all levels, providing clear and actionable insights on cybersecurity and compliance matters.
• Vulnerability Management:
o Conduct regular vulnerability assessments and penetration testing to identify and address security weaknesses.
• Continuous Improvement:
o Continuously evaluate and improve the organization’s cybersecurity and GRC practices to enhance overall security posture.
Requirements
• Bachelor’s degree in Information Technology, Cybersecurity, or a related field is requested but not necessary if relevant experience and/or certification is in place.
• Minimum of 10+ years of combined experience in cyber risk management, IT & OT security, or GRC roles.
• In-depth knowledge of cybersecurity frameworks (NIST, ISO 27001, CIS, etc.).
• Strong understanding of regulatory compliance requirements and risk assessment methodologies.
• Professional certifications such as CISSP, CISM, CRISC, CISA, or similar strongly preferred.
• Excellent analytical, problem-solving, and communication skills.
• Ability to manage multiple priorities in a fast-paced environment with minimal supervision.
• The candidate must be able to demonstrate genuine interest in the field of cyber security, and show evidence of being a true “hands on white hacker” type of person.
Desirable Attributes
• Many years of hands-on experience finding vulnerabilities in digital systems.
• Deeper understanding of how hardware and software actually work.
• Experience with both IT and OT systems, what typically separates these environments, and how systems and suppliers work within them.
• Experience with GRC tools (e.g., Archer, ServiceNow GRC, RiskLens).
• Familiarity with cloud environments (AWS, Azure, GCP) and related security challenges.
• Passion for continuous improvement and proactive risk management.
• Be self-motivated with a willingness to learn from others and work with minimum direction.
• Actively seeks out know-how and best practice, related to own area of contribution.
• Anticipates future situations and plans to meet them.
• Bias for action – do things before being asked to or forced to by events.
• Willingly takes the lead when challenges occur.
• Actively promotes open and effective communication.
• Strong planning and organizing ability.
• Actively promotes a positive team environment, demonstrating shared commitment to the success of the team and the wider project organization.
• Actively engages and respects contributions of others, in face to face or virtual meetings.
• Seeks to develop self and coach others to help their development.
• Build networks to enhance effectiveness and share knowledge.
• Focuses effort and prioritizes work to deliver business value.
• Good knowledge of the English and Norwegian languages (both written and verbal).
Offer
Dovre Group is an equal opportunity employer. We encourage applications from anyone meeting the requirements for this position.
Information
For more information about the position above or working for Dovre Group, please contact:
Anne Siqveland
Key Account Manager
anne.siqveland@dovregroup.com