Senior Cybersecurity Risk Analyst

US-Remote

Join AIR as a Senior Cybersecurity Risk Analyst. This is a key role within AIR’s Information Security Office, responsible for coordinating and driving institution‑wide security initiatives. The Senior Cybersecurity Risk Analyst will apply technical expertise across advanced security testing, continuous threat exposure management, and red‑team initiatives while leading risk and assurance activities, internal assessments, continuous monitoring, and client security questionnaire responses. 

This position will support data governance efforts, including information security plan reviews. If you are ready to make a significant impact and excel in a fast-paced environment, this role is for you. The position requires broad expertise across application security testing, risk identification and treatment, and security assessment and authorization activities. This position reports to the Director, Head of Information Security.

This remote position offers the flexibility of hybrid work from one of AIR’s U.S. office locations, with occasional travel required for meetings, training sessions, and conferences.

About AIR:

Founded in 1946 and headquartered in Arlington, Virginia, the American Institutes for Research (AIR) is a nonpartisan, not-for-profit organization that conducts behavioral and social science research and delivers technical assistance to address some of the most pressing challenges in the United States and globally. We generate evidence and apply data-driven solutions that expand opportunities and improve lives for all.

Responsibilities:

Essential job functions include but are not limited to:

  • Drive and perform vulnerability management activities, including scanning, analyzing, reporting, and tracking network, container, application, and static code findings in collaboration with cross-functional teams.
  • Execute application security testing and findings analysis, including DAST, SAST, continuous threat exposure management activities, and targeted red teaming engagements.
  • Lead cyber risk management efforts by identifying risks, developing and reporting treatment plans, and maintaining the enterprise risk registry.
  • Oversee and drive the remediation of findings utilizing standard Plan of Action and Milestones (POA&M) processes resulting from both internal and external security controls assessment, vulnerability assessments, and security testing.
  • Execute and contribute to internal controls assessments for AIR web applications, secure data enclaves, general support systems, and other key systems to support internal and external client security requirements.
  • Respond to client data security and privacy questionnaires with accuracy and subject‑matter expertise.
  • Perform and drive continuous monitoring activities to ensure ongoing compliance with internal policies and external regulatory requirements.
  • Support data governance by conducting information security plan reviews and contract reviews.
  • Serve as AIR’s HIPAA Security Officer, ensuring compliance with HIPAA Security Rule requirements.
  • Support third party risk management activities, including evaluating new software and artificial intelligence (AI) use cases.
  • Duties, responsibilities, and activities may change, or new ones may be assigned at any time based on business needs.

Qualifications:

Education, Knowledge, and Experience

  • Bachelor’s degree and at least 9 years of relevant experience in information security.
  • A major cybersecurity certification from ISC2, ISACA, OffSec, or SANS.
  • A minimum of 5 years of hands‑on experience with vulnerability management and security testing tools, including DAST, SAST, and SCA.
  • At least 5 years of experience securing and testing cloud environments such as Azure, AWS, or Google Cloud.
  • A track record of 2+ years of experience conducting cyber risk and assurance activities, including applying relevant security frameworks.
  • Strong understanding of key standards, including NIST SP 800‑53, 800‑171, and 800‑88.
  • The candidate should be able to obtain a Level 6C Security clearance (Public Trust Position).

Skills

  • Exceptional communicator with the ability to translate complex technical concepts for diverse audiences and a strong team‑oriented mindset, consistently fostering effective collaboration across virtual, cross‑functional, and diverse teams.
  • Proven ability to operate with a high degree of independence, exercising sound judgment and initiative, while also engaging collaboratively to support shared goals and team success.
  • Highly adaptable in fast‑moving environments, with the capability to prioritize, balance, and drive multiple concurrent workstreams to timely, high‑quality outcomes.
  • Advanced analytical, critical‑thinking, and problem‑solving skills, demonstrating disciplined attention to detail and a commitment to delivering accurate, high‑quality results.
  • Deep understanding of common attack techniques, vectors, and tools used by threat actors, along with strong capabilities in cyber incident response, forensic log analysis, and incident handling procedures.
  • Extensive knowledge of native cloud security, compliance frameworks, and security posture management solutions, including CNAPP.
  • Proven ability to analyze static and dynamic application security testing results and assess cyber risks across systems and processes.
  • Strong grasp of emerging technology trends, including AI governance and associated risk management practices.

Disclosures: Applicants must be currently authorized to work in the U.S. on a full-time basis. Employment-based visa sponsorship (including H-1B sponsorship) is not available for this position. Depending on project work, qualified candidates may need to meet certain residency requirements.

American Institutes for Research is an equal employment opportunity/affirmative action employer. All qualified applicants will receive consideration for employment without discrimination on the basis of age, race, color, religion, sex, gender, gender identity/expression, sexual orientation, national origin, protected veteran status, or disability. AIR adheres to strict child safeguarding principles. All selected candidates will be expected to adhere to these standards and principles and will therefore undergo reference and background checks. AIR maintains a drug-free work environment. 

ACCESSIBILITY NOTICE: If you need a reasonable accommodation for any part of the employment process due to a physical or mental disability, please send an email to Taliba Boone at tboone@air.org or call 202.403.5000.

Fraudulent Job Scams Warning & Disclaimer: AIR is aware of individuals falsely presenting themselves as AIR representatives. Fraudulent job scams seek to extract sensitive information or money from victims. To protect yourself, please be aware that AIR recruitment will only email you from an “@air.org” domain. Please take extra caution while examining the email address; for example, jdoe@air.org is correct and jdoe@aircareers.org is not a legitimate AIR email address. If you are unsure of the legitimacy of a communication you have received, please reach out to recruitment@air.org. If you see a job scam, or lose money to one, report it to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov. You can also report it to your state attorney general. Find out more about how to avoid scams at ftc.gov/scams.

AIR’s Total Rewards Program is designed to reward our staff competitively and motivate them to achieve our critical mission. This position offers the anticipated annual salary as listed. Salary offers are made based on internal equity within the institution and external equity with competitive markets. Please note this is the annual salary range for candidates who are based in the United States.

Anticipated Annual Salary Range

$157,000 - $180,000 USD

GDPR Notice: When you apply to a job on this site, the personal data contained in your application will be collected by the Controller, American Institutes for Research (“AIR”), which is located at 1400 Crystal Drive, 10th Floor, Arlington, VA 22202 USA and can be contacted by emailing Taliba Boone, Senior Recruitment Operations Specialist. AIR’s recruitment-related activities include scheduling and conducting interviews for applicants, evaluating and assessing results thereof, and such other tasks as are otherwise needed in the recruitment and hiring processes.  Such processing is legally permissible under Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation) as necessary for the purposes of the legitimate interests pursued by AIR, which are the solicitation, evaluation, and selection of applicants for employment.

Your personal data will be shared with Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by AIR to help manage its recruitment and hiring process on AIR’s behalf. Accordingly, if you are located outside of the United States, your personal data will be transferred to the United States once you submit it through this site.

Your personal data will be retained by AIR as long as AIR determines it is necessary to evaluate your application for employment and to meet the legal requirements with respect to AIR’s hiring processes. Under the GDPR, you have the right to request access to your personal data, to request that your personal data be rectified or erased, and to request that processing of your personal data be restricted. You also have the right to data portability. In addition, you may lodge a complaint with an EU supervisory authority.

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in American Institutes for Research’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Voluntary Self-Identification of Disability

Form CC-305
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.