Senior Compliance & Risk Specialist

Olympia, United States

Description



Senior Compliance & Risk Specialist

(IT Security-Senior Specialist)


WaTech: Join an exciting team!

Washington Technology Solutions (WaTech) is a national leader in adopting new, innovative technologies that transform the way Washingtonians receive state services. We provide information technology oversight and central services for Washington state government, all of which makes this an exciting time to join our team of experienced IT professionals. As a part of this agency, you will have a unique opportunity to help advance the latest IT technologies and practices used by state government to meet the needs of Washingtonians.


About the position

This position is a part of WaTech’s Office of Cybersecurity (OCS), which is focused on advancing the state’s leadership in cybersecurity across the public sector. OCS delivers core cybersecurity services, including the Security Operations Center (SOC), Computer Incident Response Team (CIRT), statewide security projects, and security policy and compliance oversight.


The Senior Compliance and Risk Specialist serves as a statewide subject matter expert in cybersecurity risk management and compliance. This position applies advanced knowledge of cybersecurity principles and practices to the most complex assignments, devises innovative methods to evaluate and mitigate risks, translates technical nuances for diverse audiences, and provides authoritative guidance to agency partners and staff. Through proactive risk management and collaborative support, this role safeguards Washington state’s information systems, supports secure digital services, ensures compliance with applicable state and federal requirements, and sustains public trust in government operations.

Duties

Some of what to expect in this role:

  • Develop and execute a comprehensive cybersecurity risk assessment strategy across state agencies, applying nationally recognized frameworks, state policies and standards.
  • Identify, analyze and prioritize cybersecurity risks based on impact, likelihood and risk tolerance thresholds applying consistent statewide methodologies.
  • Provide agencies with forward-looking guidance on risk treatment options.
  • Aggregate and communicate statewide risk posture by consolidating agency-level risk assessments into centralized reports and dashboards.
  • Provide subject matter expertise to align Washington state IT security chapter policies and standards with national and federal frameworks.
  • Identify systemic barriers to effective risk remediation and champion statewide-level solutions that improve agency adoption and strengthen overall resilience.
  • Translate statewide cybersecurity policies and standards into practical, risk-informed guidance and tools.
  • Provide senior-level consultation to agency leaders on interpreting and applying policy, bridging the gap between compliance requirements and operational realities.
  • Continuously refine statewide reporting practices to incorporate new data sources, analytics and predictive insights that support forward-looking risk governance.
  • Foster a statewide community of practice among agency CISOs, CIOs, and risk managers to share knowledge, strengthen collaboration and drive consistent adoption of risk management practices.

Qualifications

Here’s what we’re looking for:

  • Ten years of experience in the field of information technology, including four years of recent experience in information security in each of the following areas:
    • Leading or conducting statewide cybersecurity risk assessments, including application of NIST RMF, NIST SP 800-53, ISO 27005, or equivalent frameworks.
    • Assessing security threats and recommending appropriate mitigation strategies and compensating controls across diverse IT environments (cloud, hybrid, on-premises).
    • Cybersecurity compliance management, including interpreting, implementing or auditing against IT security policies, standards and regulatory requirements (e.g., FISMA, HIPAA, CJIS, IRS Pub 1075).
    • Developing or operationalizing cybersecurity policies, standards or risk management frameworks.

A bachelor’s degree in computer science, business administration, information security, or a related field may substitute for four years of the required experience. A master’s degree in one of these fields may substitute for six years of the required experience.

  • Knowledge of federal and state cybersecurity laws, regulations and compliance frameworks, including but not limited to FISMA, HIPAA, CJIS, PCI DSS, IRS Pub 1075, and FedRAMP.


Preference may be granted to applicants with the following:

  • Professional certifications (demonstrating recognized expertise in risk, compliance and governance):
    • CISSP (Certified Information Systems Security Professional): Broad mastery of security domains, including governance, risk and compliance.
    • CISM (Certified Information Security Manager): Focused on governance, program management, and risk oversight, aligning well with statewide responsibilities.
    • CRISC (Certified in Risk and Information Systems Control): Specialized in IT risk identification, assessment and mitigation.
    • CISA (Certified Information Systems Auditor): Relevant for auditing against state and federal compliance standards.
    • CGRC (Certified in Governance, Risk and Compliance): NIST-specific (formerly CAP) certification demonstrating ability to apply RMF and federal standards.
    • CIPP/US (Certified Information Privacy Professional – U.S.): Useful for understanding regulatory privacy obligations that overlap with state security policy. Or equivalent.
  • Knowledge of Zero Trust architecture principles and their integration into statewide cybersecurity risk management practices.
  • Proficiency in applying automation, data analytics, and dashboarding tools to streamline statewide risk assessments, remediation tracking and executive reporting.
  • Experience integrating supply chain risk management and vendor oversight into statewide risk frameworks, ensuring compliance with NIST 800-161 and federal directives.
  • Experience applying business continuity and disaster recovery principles (COOP integration) within statewide risk management.
  • Familiarity with emerging technology risk management (AI/ML, IoT, OT/SCADA, quantum) to future-proof policies and standards.

Supplemental Information

We value diversity and different perspectives:

WaTech is committed to providing equal access and opportunities to all qualified applicants and employees. We seek to attract and retain a diverse staff and welcome your experiences, perspectives and unique identity.


What WaTech offers:

As an employee of WaTech, you’ll have access to an outstanding employee benefits package that includes medical and dental plan options for you and your family, paid leave and holidays, retirement plan options and more.


While WaTech is headquartered in Olympia, Washington, which is near some of the country’s most scenic national parks, we are able to offer telework and flexible schedule options for many of our positions to help support a healthy work-life balance.


To learn more about WaTech and what our employees enjoy about working here, please visit our website.


How to apply:

Applications for this recruitment will be accepted electronically. Please select the large “apply” button at the top of this announcement. You may need to create a profile and account in Washington state's automated application system. We invite you to include your name and pronouns in your material to ensure we address you correctly throughout the application process.


To be considered for this position you will need to:

  • Submit a complete Online Application.
  • Answer all required Supplemental Questions.
  • Attach a Letter of Interest that addresses how your experience qualifies you for this role.
  • Attach a Resume that clearly documents the work history, training, and education that makes you a viable and competitive candidate for this position.
  • Attach a separate document with at least Three Professional References. This should include: reference name, nature of the relationship (i.e. company and supervisor, coworker, etc.), phone number, and email. References should be individuals you have worked with in the past five years, if possible, and include at least one current, or most recent supervisor. *We will not conduct reference checks without your signed release.

Note: Applications without the requested information identified above or containing supplemental question responses with comments such as "see resume" may lead to your application being disqualified from consideration.

Applicants wishing to claim Veterans Preference should attach a copy of their DD-214 (Member 4 copy), NGB 22, or signed verification of service letter from the United States Department of Veterans Affairs to their application. (Please redact any personally identifiable data such as social security number prior to submittal.)


Conditions of employment:

This position requires a background check. Information from the background check will not necessarily preclude employment but will be considered in determining the applicant's suitability and competence to perform in the position and is a continued condition of employment.


Recruitment process:

First round of application assessments will be conducted seven days after the initial job posting date. The hiring authority reserves the right to offer the position at any time after the initial seven-day job posting date during the recruitment process. It is to the applicant's advantage to apply as early as possible. This recruitment may be used to fill multiple positions.


Contact us:
For inquiries about this position, please contact Rebekah Wilkes at (360) 407-8646 or email to Rebekah.Wilkes@WaTech.wa.gov


Persons requiring accommodation in the application process or for an alternative format may contact Human Resources at (360) 407-8242 or Human.Resources@watech.wa.gov. Persons with a disability or those who are deaf or hard of hearing can call the Washington Relay Service by dialing 7-1-1 or 1-800-833-6388. WaTech complies with the employment eligibility verification requirements of the federal Form I-9. The selected candidate must be able to provide proof of identity and eligibility to work in the United States consistent with the requirements of that form on the first day of employment.
