A new media product development consultancy founded in 2011, Lightning Labs scales blockchains and leverages cryptography and smart contracts to offer low-cost,
Senior Security Engineer
Location: United States
Posted: 61 days ago
Salary: 0
Seniority: Senior
Job Description
Lightning Labs
- Designing and deploying active fuzzing, black+white box testing and penetration testing infrastructure for open source and production systems
- Performing security audits and review of both internal production systems as well as open source software which interacts with Bitcoin+Lightning in a security critical manner
- Provide mentorship and guidance to level up your teammates
- Creating global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security
- Overseeing security aspects of software release processes and infrastructure
- Determining security team requirements for future growth
- Developing and ensuring responsiveness of security incident management processes
- Performing risk management assessments
Job Requirements
- At least 5 years prior experience in systems security
- An ability to work with a high impact, fast-moving startup team
- Extensive knowledge of operating system and computer architecture internals
- Strong understanding of cryptography, protocol design and adversarial analysis
- Experience in reverse engineering and exploiting cryptographic protocol systems (cryptocurrencies like Bitcoin)
- Extensive professional software development experience in Go, Rust, C/C++, and/or Java
- Experience in security incident response
- Experience in security code review and vulnerability triaging
- Prior experience running an open source facing bug bounty program
- 2+ years management experience or experience as a senior decision maker
- Experience working with remote teams
- Experience working with Kubernetes and AWS infrastructure
- Working knowledge of fundamental Bitcoin and Lightning design principles
- Candidates with additional experience are welcome to apply as we are open to adjusting the role accordingly.
More Security Engineer Jobs
Security Engineer – Cloud Security Engineer, FedRAMP Control Implementation & Automation Support
C2 Labs, Inc.
Your IT transformation partner specializing in full stack development, automation/DevOps, and cybersecurity compliance
- Implement and tune cloud security controls (IAM, logging, vulnerability management, configuration baselines, incident readiness).
- Configure security tooling and integrations to produce repeatable evidence for authorization and ConMon.
- Support remediation and hardening workstreams, including vulnerability scan remediation support.
- Help automate evidence exports/reporting inputs where feasible and keep operations sustainable post-authorization.
Senior Security Engineer
Stellus Rx
Trusted, pharmacist-led health support in every moment that matters.
- Leverage AI-powered security tooling to continuously monitor for threats, anomalies, and policy violations across cloud and application environments
- Respond to and resolve or escalate security incidents; use AI-assisted analysis to accelerate root cause investigation and postmortem documentation
- Investigate and resolve security violations by providing postmortem analysis that illuminates causes, solutions, and AI-informed preventative measures
- Use AI tools to model attack scenarios and prioritize remediation efforts based on risk
- Assess, design, implement, automate, and document security solutions for public and private cloud environments
- Implement "security as code" using cloud services and CI/CD components
- Develop baseline cloud, container, and application security standards and integrate them into CI/CD pipelines
- Work with diverse technical and business stakeholders on security best practices
- Document security systems, procedures, and controls; drive compliance through adherence to information security policies

- Lead the design, development, and implementation of incident response playbooks
- Perform incident response and coordination
- Lead in the assessment of system design and change
- Be part of a weekly on-call rotation
- Lead the design, development, and implementation of engineered solutions that are reliable and maintainable
- Support in detection engineering
- Identify areas of the business that require security improvement and translate that into a workable solution
- Influence and align the team’s vision and strategy
- Collaborate cross-functionally to support delivery of roadmap items and projects
Senior Security Engineer (Risk)
State of Colorado
The State of Colorado is located in the Rocky Mountain region of the western United States. It entered the 100-year-old Union in 1876, earning the nickname "Centennial State." The
Role Description
The Governor’s Office of Information Technology (OIT) is seeking a Senior Security Engineer (Risk) to join the Office of Information Security (OIS). Our team is currently advancing a strategic transformation to modernize our Risk Management capabilities. We are evolving our security oversight into a highly integrated, automated maturity model designed to provide a data-driven view of the state's threat landscape.

As the Senior Security Engineer (Risk), you will serve as a technical leader and subject matter expert dedicated to the identification, quantification, and mitigation of technical risk across the state enterprise. This role requires a seasoned professional with demonstrated leadership experience who can provide technical guidance across the organization and offer strategic direction during complex security evaluations.

A primary function of this role is performing comprehensive technical risk assessments on diverse systems and services to ensure they align with the state’s security posture. You will be a key contributor in enabling the creation of a Third-Party Risk Management (TPRM) program designed to scale significantly, performing assessments for a high volume of vendors with efficiency and precision. You will act as a senior technical liaison between system engineers, project managers, and executive leadership, translating high-level vulnerabilities into actionable risk narratives. Your work will directly support the risk management strategic roadmap, ensuring state technology remains resilient through consistent, expert-level evaluation.

Key Job Responsibilities
- Cross-Functional Technical Guidance & Collaboration: Act as a key security advisor and collaborator for teams across the organization. Partner with technical teams to provide technical guidance on risk mitigation and serve as a technical point of escalation during daily standups.
- Perform Complex Risk Assessments: Execute deep-dive technical risk assessments for high-profile state systems, evaluating control implementations across various technical environments.
- Support Scalable TPRM Architecture: Design a TPRM program capable of handling an enterprise volume of vendors, defining technical standards for reviewing documentation and establishing automated intake workflows.
- Strategic Roadmap Contribution: Support the execution and refinement of the risk management strategic roadmap, driving milestones related to risk intake maturity.
- Enable Automation (ServiceNow IRM): Support the transition from legacy workflows to automated processes within the ServiceNow IRM module, ensuring real-time risk visibility.
- Threat Landscape Visibility: Partner with data and engineering teams to build "Top 10" Enterprise Risk Dashboards in Splunk, contributing actionable insights for leadership.

Qualifications
- At least five (5) years of professional experience in security engineering, technical risk management, or high-level systems administration with a focus on security.
- Demonstrated experience in a technical leadership capacity, such as serving as a team lead or managing project workstreams.
- Proven experience in the full risk lifecycle, including performing risk assessments and developing remediation strategies.

Requirements
- Additional appropriate education will substitute for the required experience on a year-for-year basis.
- Training or Certification (CRISC, CISSP, CISA) related to the work assigned will be credited towards substitution for experience and/or education.

Preferred Qualifications
- Demonstrated experience utilizing industry security frameworks (such as NIST 800-53, CJIS, IRS Pub 1075, or SOC 2).
- Experience validating security controls in various environments, including on-premise infrastructure and modern cloud architectures.
- Experience implementing, configuring, or operationalizing the ServiceNow IRM/GRC module.
- Previous experience working within or building a high-volume Third-Party Risk Management program.
- Experience using Splunk or similar tools to visualize and report on risk metrics.
- Ability to "hit the ground running" to meet aggressive roadmap goals.

Conditions of Employment
- OIT employees must comply with any screening procedures in place at state entity locations.
- A pre-employment background check will be conducted as part of the selection process.
- Positions supporting certain agencies will require a pre-employment drug test.
- This position may require travel within the specified geographic area.

Supplemental Information
If this posting indicates “remote from anywhere in CO,” periodic reporting to the primary state work location is required. All remote work must be performed in Colorado. Candidates from out of state will be considered, but must relocate and reside in Colorado on the first day of their new position.

The State of Colorado strives to create a Colorado for All by building and maintaining workplaces that value and respect all Coloradans through a commitment to equal opportunity and hiring based on merit and fitness. The Governor's Office of Information Technology is committed to the full inclusion of all qualified individuals. Our agency will assist individuals who have a disability with any reasonable accommodation requests related to employment.




