Cyber Security Analyst
BH-312694
Posted: 03/09/2025
- Competitive
- Norway, Rogaland, Stavanger
- Contract
- IT
- Oil & Gas
Contract period: 29/09/2025 - 31/12/2027
Location: Primary location is Stavanger, or Oslo/Fornebu with rotation to Stavanger on scheduled basis.
Key responsibilities and tasks
Cyber Risk Analysis
- Be part of the project team and assist in testing and validating technical solutions that could potentially introduce cyber threats.
- Identify and work with the project teams to assess risks and guide teams and suppliers to implement more robust solutions if necessary.
- Work with project and operations teams providing identification, assessment, and management of cybersecurity risks across systems, applications, and business processes.
- Perform needed threat modelling and vulnerability risk assessments to support secure system design and implementation.
- Through the established base and project organization, be part of the monitoring workforce that identifies internal and external threat landscapes and provides actionable intelligence to stakeholders.
- In the context of cyber, develop and maintain risk registers and present findings to senior leadership and other relevant stakeholders.
- Collaborate with IT and business units to define risk treatment plans and track mitigation efforts.
Governance, Risk & Compliance (GRC)
- Maintain and enhance the Information Security Management System (ISMS) and ensure alignment with ISO 27001, NIST CSF, and other relevant frameworks.
- Conduct regular compliance reviews, gap analyses, and audits to ensure adherence to internal policies and external regulations (e.g., GDPR, PCI DSS, HIPAA).
- Support the development and maintenance of security policies, standards, procedures, and guidelines.
- Prepare and present reports for internal and external audits, certifications, and regulatory reviews.
- Lead risk and control assessments, including third-party risk reviews and vendor due diligence.
Collaboration
- Act as a subject matter expert on cyber risk and GRC best practices.
- Work alongside project, operations and supplier teams with the “one team” mindset, enabling collaboration and positive progress to ensure an infrastructure and systems portfolio with the least number of cyber threats.
- Work cross-functionally with OT, IT, audit, suppliers, system vendors, hardware vendors and business units to embed security into organizational culture and processes.
Risk Assessments
- Conduct risk assessments to identify vulnerabilities and threats to the organization's information systems, temporary project offices, data transport methods, and more.
- This work will be performed primarily during the commissioning and handover-to-operations phase of the project. This means there will be a steady stream of system evaluations and follow-ups with project teams and vendors on technical details.
- Hands-on penetration testing where needed. This will be determined based on risk processes and project priorities.
- System design review.
Risk Mitigation
- Develop and implement strategies to mitigate identified risks and reduce the organization's exposure to cyber threats.
- Follow up on specific implementations of improvements to systems design and configurations.
Compliance Management
- Ensure compliance with relevant regulations, standards, and best practices (e.g., GDPR, ISO 27001, NIST).
- On a detailed level, this also means that project-specific requirements may require workarounds that force related systems to adjust in order to comply with cyber requirements, so that completed analyses of systems may have to be re-evaluated.
Policy Development
- Implement and maintain cybersecurity and GRC policies, procedures, and frameworks.
Incident Response
- Coordinate incident response efforts, including investigation, containment, eradication, and recovery.
Threat Monitoring
- Work with operational teams in IT and OT to ensure we monitor and analyze emerging cyber threats and vulnerabilities, providing timely updates and recommendations.
Physical site inspection
- When required, travel to the project site to perform physical inspections with relevant teams, such as IT, OT and Security. Follow up on any previous findings, and evaluate whether new threats need to be raised as risks and mitigated.
Documentation Management
- Maintain accurate and up-to-date documentation of project-related GRC processes, procedures, and incident response plans.
Stakeholder Communication
- Communicate effectively with stakeholders at all levels, providing clear and actionable insights on cybersecurity and compliance matters.
Vulnerability Management
- Conduct regular vulnerability assessments and penetration testing to identify and address security weaknesses.
Continuous Improvement
- Continuously evaluate and improve the organization's cybersecurity and GRC practices to enhance overall security posture.
Qualification requirements
- Bachelor’s degree in Information Technology, Cybersecurity, or a related field is requested but not necessary if relevant experience and/or certification is in place.
- Minimum of 10 years of combined experience in cyber risk management, IT & OT security, or GRC roles.
- In-depth knowledge of cybersecurity frameworks (NIST, ISO 27001, CIS, etc.).
- Strong understanding of regulatory compliance requirements and risk assessment methodologies.
- Professional certifications such as CISSP, CISM, CRISC, CISA, or similar strongly preferred.
- Excellent analytical, problem-solving, and communication skills.
- Ability to manage multiple priorities in a fast-paced environment with minimal supervision.
- The candidate must be able to demonstrate genuine interest in the field of cyber security, and show evidence of being a true “hands-on white hacker” type of person.
- Good knowledge of the English and Norwegian languages (both written and verbal).
Desirable attributes
- Many years of hands-on experience finding vulnerabilities in digital systems.
- Deeper understanding of how hardware and software actually work.
- Experience with both IT and OT systems, and what typically separates these environments and also how systems and suppliers work within these environments.
- Experience with GRC tools (e.g., Archer, ServiceNow GRC, RiskLens).
- Familiarity with cloud environments (AWS, Azure, GCP) and related security challenges.
- Passion for continuous improvement and proactive risk management.
- Be self-motivated with a willingness to learn from others and work with minimum direction.
- Actively seeks out know-how and best practice, related to own area of contribution.
- Anticipates future situations and plans to meet them.
- Bias for action: does things before being asked to or forced to by events.
- Willingly takes the lead when challenges occur.
- Actively promotes open and effective communication.
- Strong planning and organizing ability.
- Actively promotes a positive team environment, demonstrating shared commitment to the success of the team and the wider project organization.
- Being a team player is key for our progress, but if you discover cyber threats in a design you must have the guts to stand up for your findings and opinions and be resolute in speaking up in a crowd.
- Actively engages and respects contributions of others, in face-to-face or virtual meetings.
- Seeks to develop self and coach others to help their development.
- Builds networks to enhance effectiveness and share knowledge.
- Focuses effort and prioritizes work to deliver business value.
With over 90 years' combined experience, NES Fircroft (NES) is proud to be the world's leading engineering staffing provider spanning the Oil & Gas, Power & Renewables, Chemicals, Construction & Infrastructure, Life Sciences, Mining and Manufacturing sectors worldwide. With more than 80 offices in 45 countries, we are able to provide our clients with the engineering and technical expertise they need, wherever and whenever it is needed. We offer contractors far more than a traditional recruitment service, supporting with everything from securing visas and work permits, to providing market-leading benefits packages and accommodation, ensuring they are safely and compliantly able to support our clients.