Cybersecurity Analyst – Governance, Risk, and Compliance (GRC) – Houston, TX

</cx-social-share>

Primary Purpose

This role will lead initiatives to foster a strong cybersecurity culture across the organization, driving awareness programs and educational campaigns to our employees. The Cybersecurity Analyst is part of a broader cybersecurity team that ensures all system design, implementation, and standards protect Sempra’s network from cyber-attacks. The Analyst of Governance, Risk, and Compliance (GRC) is focused on preventing security threats and ensuring laws and industry standards are upheld, working with a cross-functional team of across various information security functions to conduct third-party assessments, cybersecurity clause review, exception request handling, SOC reviews, risk control evaluation, and threat intelligence monitoring.

Duties and Responsibilities

Technical Analysis & Delivery

• Supports the implementation of the governance & risk frameworks, policy creation & management, IT control management, and security audits & assessments.
• Manages issues and corrective actions plans identified in risk assessments through closure.
• Reviews cybersecurity clauses in contracts, applicability criteria, exceptions requests and mitigating controls in accordance with company policies and industry standards.
• Conducts SOC II reviews and audits.
• Monitors Cyber Threat Intelligence resources (such as Sempra, CISA, FBI, and others).
• Proposes and implements innovative ways to establish adequate controls, optimize risk management, and improve continuous monitoring.
• Coordinates cybersecurity assessments (such as maturity, risk, and penetration testing).
• Develops and monitors cybersecurity KRIs and KPIs.
• Increases the level of maturity in risk management and controls.

Communication & Stakeholder Management

• Designs, implements, and manages a comprehensive Cybersecurity Awareness Program, including phishing simulations, threat education campaigns, and targeted training for high-risk roles.
• Develops engaging content (videos, newsletters, infographics) to promote security best practices and reduce social engineering risks.
• Coordinates Cybersecurity Ambassadors Community and champions cultural change initiatives across business units.

Functional Area Leadership

• Acts as the primary point of contact for awareness-related metrics and reporting to leadership, ensuring visibility into human risk trends and program effectiveness.

Troubleshooting

• Maintains good operational relationships with 3rd party risk assessment managed service providers to perform risk assessments, develop mitigation plans, and ensure appropriate service levels.
• Ensures team works closely with System Engineers to implement security controls and patches based on capability and need.
• Contacts and coordinates vendor, carrier, and remote support when necessary to resolve high-impact security issues.
• Document problems and report to management, engineers and/or peers.

Performs other duties as assigned (no more than 5% of duties).

Qualifications

Education

• Bachelor’s Degree in Computer Science, Information Technology, or equivalent relevant work experience.

Experience

• 4+ years’ experience in Information Security, Cyber Security, or relevant roles.
• 2+ years’ experience managing Governance, Risk, and Compliance of an organization with a complex Information Technology environment.

Knowledge, Skills, and Abilities

• Bilingual in Spanish/English is a plus
• Proven experience in cybersecurity awareness program design and delivery, including phishing simulations and behavioral risk reduction strategies
• Strong communication and content development skills to engage non-technical audiences effectively
• Knowledge of adult learning principles and experience leveraging e-learning platforms or gamified training tool
• Strong understanding of security contract management and legal requirements.
• Hands-on experience of enterprise GRC tools (e.g., ServiceNow, Archer etc.).
• Ability to implement global regulatory requirements surrounding data security & privacy (e.g., GDPR, CCPA, CRPA etc.).
• Understanding of relevant cybersecurity regulations and agencies pertinent to utility environments.
• General understanding of cyber security operations functions, in areas such as incident response, security monitoring, threat and vulnerability, SOC and SOC service.
• General knowledge of OT network infrastructure, SCADA/DCS systems, data/communication systems, and management systems.
• General knowledge of security software architecture/programing concepts and security integration into SDLC.
• Ability to manage a diverse technical workforce in multiple locations; ability to coach.
• Personal drive and energy level to achieve superior results individually and through others.
• Proven experience in cybersecurity awareness program design and delivery, including phishing simulations and behavioral risk reduction strategies
• Strong communication and content development skills to engage non-technical audiences effectively
• Knowledge of adult learning principles and experience leveraging e-learning platforms or gamified training tools
• Strong understanding of security contract management and legal requirements.
• Hands-on experience of enterprise GRC tools (e.g., ServiceNow, Archer etc.).
• Ability to implement global regulatory requirements surrounding data security & privacy (e.g., GDPR, CCPA, CRPA etc.).
• Understanding of relevant cybersecurity regulations and agencies pertinent to utility environments.
• General understanding of cyber security operations functions, in areas such as incident response, security monitoring, threat and vulnerability, SOC and SOC service.
• General knowledge of OT network infrastructure, SCADA/DCS systems, data/communication systems, and management systems.
• General knowledge of security software architecture/programing concepts and security integration into SDLC.
• Ability to manage a diverse technical workforce in multiple locations; ability to coach.
• Personal drive and energy level to achieve superior results individually and through others.

Licenses and Certifications

• Standard certifications in Information Security (CISSP, CISM, CISA, or equivalent)
• Technical certifications (GRC related e.g. ISACA CRISC)

Note: The Company strives to ensure that employees are paid equitably and competitively. Starting salaries may vary based on factors such as relevant experience, qualifications, and education.

Sempra Infrastructure offers a competitive total rewards package that goes beyond base salary. This position is eligible for an annual performance-based incentive (bonus) as well as merit-based recognition. Company benefits include health and welfare (medical, dental, vision), employer contributions to retirement benefits, life insurance, paid time off, as well as other company offerings such as tuition reimbursement, paid parental leave, and employee assistance programs.