MongoDB

IRM Analyst

Dublin, County Dublin, Ireland · Full Time

Experience: 3–5 yrs
Salary:
Openings: 1
Posted: 11 hours ago

Job description

Role Overview

The Information Security Risk Analyst serves as the day-to-day execution lead for MongoDB’s internal risk management program. Reporting into a broader risk structure shaped by senior leadership, this role turns incoming business signals into structured assessments, clear decisions, and trackable remediation or acceptance outcomes.

The core aim of the position is to help reduce uncertainty by giving leadership a reliable, quantified understanding of the organization’s most important risks. In practice, that means keeping the risk register accurate, active, and useful as a governance instrument rather than a static record.

This is a hands-on role that requires close partnership with Engineering, Product, Infrastructure, and other technical teams. The analyst acts as the front line for risk intake, helps guide stakeholders through the assessment process, and ensures that every item is properly scoped, evaluated, and documented before it is accepted into the program.

Risk Identification and Assessment

  • Carry out risk assessments with guidance from senior team members, including scoping, inherent risk scoring, control evaluation, and residual risk calculations using the approved methodology.
  • Handle the intake of risk requests, review submissions from Jira Service Desk and the Issue Intake Tracker, verify they meet entry requirements, assign risk identifiers, and enter validated items into the Risk Register.
  • Serve as the first-level reviewer for incoming risk items by distinguishing strategic risks, operational issues, and duplicates, while filtering out low-value noise.
  • Create risk scenarios for in-scope assets in partnership with asset owners and risk owners by identifying threat communities, threat events, and impact categories.
  • Prepare Risk Assessment Memos that connect the risk statement, scoring, and recommendation into a clear narrative, with the goal of eventually producing independently authored memos with little revision required.
  • Watch for new and emerging risk indicators, including AI-related concerns such as model integrity issues, data poisoning, shadow AI, and third-party AI dependencies, then escalate them with documented analysis for inclusion in the risk framework.

Control Identification, Mapping, and Assessment

  • Identify and record controls that reduce assessed risks and map them to specific risk scenarios and relevant standards such as NIST SP 800-53, ISO 27001, and SOC 2.
  • Evaluate whether controls are properly designed to address the associated risk and document the reasoning behind the conclusion.
  • Review control effectiveness over the assessment period by gathering evidence and determining whether controls operate as intended.
  • Capture control deficiencies and assist with remediation tracking, including missing controls, partial effectiveness, or the need for compensating controls.
  • Keep control-to-framework mappings current so assessment outputs can support audit and certification evidence for programs such as FedRAMP, SOC 2, ISO 27001, and PCI-DSS.

Risk Categorization and Governance

  • Apply the approved risk taxonomy and categorization approach consistently across all reviewed risks.
  • Process risk acceptance requests in Jira by checking completeness, validating supporting context, confirming stakeholder approval, ensuring time-bound conditions are documented, and escalating concerns when needed.
  • Maintain the Risk Register, inventory, and related trackers with strong data discipline, avoiding missing dates, unclear owners, or outdated entries.

Reporting and Stakeholder Engagement

  • Support collection of KRI data and dashboard inputs so executive reporting and governance materials remain accurate and timely.
  • Work directly with technical stakeholders during assessments, asking focused questions, collecting evidence, and recording findings clearly.
  • Build the technical depth needed to independently lead stakeholder discussions over time, including practical familiarity with cloud-native systems, SaaS security models, and controls such as IAM, encryption, network segmentation, and logging/monitoring.
  • Convert technical findings into plain, business-relevant risk language in all written outputs.

Policy, Process, and Governance Hygiene

  • Help draft and update risk procedures, guidance documents, and assessment templates used across the IRM program.
  • Maintain strong governance hygiene through careful data quality checks, tracker upkeep, workflow compliance, evidence organization, and consistent documentation.
  • Manage the risk assessment pipeline in Jira, including workflow setup, dashboards, and JQL-based tracking of ticket progress.

Requirements

This role calls for 3 to 5 years of experience in Information Security, GRC, or Enterprise Risk Management, along with direct exposure to risk assessments and control evaluation. Candidates should be comfortable working with established risk frameworks, have advanced spreadsheet skills, and be able to produce clear, defensible documentation. Strong cross-functional collaboration is essential, as is attention to detail and a willingness to deepen technical knowledge in cloud and AI-related risk areas.

Education and Certifications

A bachelor’s degree in Cybersecurity, Information Systems, Business Administration, or a related discipline is required. One of the following certifications must also be held: CRISC, CISM, CISSP, or CISA.

About MongoDB

MongoDB is a data platform company focused on helping customers build and adapt quickly in a fast-changing market. Its cloud-native platform supports modern software development and AI-driven innovation across major cloud providers. The company serves a large global customer base and emphasizes a culture built around its Leadership Commitment, employee support, and inclusive growth.

Additional Information

MongoDB provides reasonable accommodations for candidates and employees with disabilities during the application and interview process. Requests should be raised through the recruiter. MongoDB is an equal opportunity employer.

Reference ID: 1273425625