Int. Security Business Advisor with TRA, third-party risk, cloud/application security review, and stakeholder advisory experience to support enterprise security assessments in a regulated payments environment.
Type: Permanent/FTE
Location: Toronto (West End - Hybrid, 3x/week)
Role Overview
Our client is seeking an Analyst III, Security Business Advisory & Consulting to support security, regulatory, and risk advisory activities across new and existing enterprise initiatives.
This role sits within a business-facing cybersecurity advisory function that is engaged early in projects to help identify security risks, assess control requirements, and provide practical guidance to business, infrastructure, cloud, engineering, architecture, and delivery teams.
The successful candidate will support threat and risk assessments, third-party and supplier security risk assessments, internal security reviews, cloud and infrastructure change assessments, application and API security reviews, and risk treatment discussions. This is an advisory and risk assessment role, not a hands-on penetration testing, code development, cloud engineering, or formal security architecture role.
The right candidate will bring strong foundational cybersecurity knowledge, practical risk assessment experience, and the communication maturity to translate technical security concerns into clear business language. They must be comfortable working with demanding technical stakeholders, challenging risk assumptions tactfully, and helping teams move forward with defensible security and compliance decisions.
What You’ll Do
1. Conduct assigned threat and risk assessments for new and existing applications, services, platforms, cloud environments, infrastructure changes, and enterprise technology initiatives.
2. Perform third-party and supplier security risk assessments to evaluate vendor security posture, control gaps, and potential business impact.
3. Support internal security risk assessments related to cloud migrations, infrastructure changes, new systems, new platforms, and application or service introductions.
4. Review solution designs, architecture documentation, security findings, pen test reports, code scan outputs, vulnerability findings, and control assessment results to identify meaningful security risks.
5. Assess application, API, cloud, infrastructure, and secure SDLC considerations from a security advisory perspective.
6. Translate security policies, standards, regulatory obligations, and control requirements into practical project and delivery guidance.
7. Provide pragmatic, risk-based security advice to business, infrastructure, cloud, engineering, architecture, and delivery teams.
8. Challenge proposed designs or delivery decisions when security, compliance, or operational risks are not adequately addressed.
9. Help teams prioritize findings based on business impact, exploitability, technical context, compensating controls, and realistic remediation options.
10. Support risk treatment and risk acceptance discussions by documenting residual risk, remediation options, compensating controls, decision rationale, and audit-ready evidence.
11. Communicate complex cybersecurity issues in plain business language to technical and non-technical stakeholders.
12. Promote secure design and application security practices aligned to OWASP and secure SDLC principles.
13. Support audit, compliance, and regulatory evidence-gathering activities as required.
14. Collaborate with senior advisors, security architects, technology teams, and business stakeholders to support consistent security advisory outcomes across the enterprise.
Required Qualifications
1. Bachelor’s degree in Information Security, Computer Science, Information Technology, or a related field, or equivalent practical experience.
2. 4 to 6+ years of experience in information security, cybersecurity advisory, security risk assessment, GRC, application security review, cloud security review, technology risk, or a related security consulting function.
3. Experience conducting or supporting threat and risk assessments, security reviews, control assessments, third-party risk assessments, or advisory engagements across technology initiatives.
4. Working knowledge of security and risk frameworks such as PCI DSS, NIST Cybersecurity Framework, ISO/IEC, and OWASP.
5. Ability to interpret technical security outputs such as pen test reports, code scan findings, vulnerability results, CSPM findings, IaC scan outputs, architecture diagrams, and security control gaps.
6. Practical understanding of application security, cloud security, infrastructure risk, secure architecture principles, and secure SDLC / DevSecOps control considerations.
7. Demonstrated ability to translate security risks, control requirements, and regulatory expectations into clear business and technical guidance.
8. Strong stakeholder management skills, including the ability to influence, challenge, and gain alignment with technical and business teams without direct ownership of the underlying solution.
9. Experience supporting remediation planning, compensating control discussions, residual risk documentation, and risk acceptance decisions.
10. Strong written communication skills with the ability to produce clear, audit-defensible security assessment documentation.
11. Ability to work independently across multiple priorities while knowing when to escalate complex or high-risk matters to senior advisors, security architects, or leadership.
Preferred Qualifications
1. Security certification such as CISSP, CISM, CCSP, CRISC, GIAC, Security+, or equivalent.
2. Experience in payments, financial services, banking, insurance, fintech, telecom, healthcare, SaaS, or another regulated environment.
3. Experience with PCI DSS or payment-related security environments.
4. Experience working with cloud environments such as AWS, Azure, or multi-cloud platforms from a security assessment or advisory perspective.
5. Experience reviewing application, API, infrastructure, cloud, or vendor security risks.
6. Consulting or internal advisory experience where success depended on influencing stakeholders without direct authority.
7. Experience working in a mid-sized organization or broad advisory role where responsibilities were not highly siloed.
Ideal Candidate Profile
The ideal candidate is a cybersecurity advisor or senior security analyst who is technically competent, business-oriented, and comfortable working across multiple types of security risk assessments.
They do not need to be a deep technical specialist in penetration testing, application security engineering, cloud architecture, or DevSecOps engineering. However, they should understand enough to assess risk, ask the right questions, interpret technical findings, prioritize what matters, and explain the business impact clearly.
Strong candidates will be able to provide examples of conducting threat and risk assessments, reviewing third-party or internal security risks, translating frameworks such as PCI DSS, NIST, ISO, or OWASP into practical requirements, and influencing stakeholders toward appropriate remediation or risk acceptance decisions.
This role is best suited for someone who can operate as a trusted advisor rather than an enforcer: pragmatic, confident, clear in communication, and able to balance security requirements with delivery realities in a regulated enterprise environment.