Security Specialist V – Senior Security Metrics and KRI Design Analyst

ROLE SNAPSHOT
Job Title: CAN – IT – Security Specialist V
Duration: 8 Months
Location: 310–320 Front Street West Corporate, Toronto, Ontario
Work Model: Hybrid – 2 Days Onsite (Potential for 4 Days Onsite)

ROLE SUMMARY
The Senior Security Metrics and KRI Design Analyst is responsible for defining, governing, and driving adoption of enterprise security performance metrics, including KRIs, KPIs, and operational security metrics.
This role partners with cyber domain leaders (IAM, SOC, Vulnerability Management, GRC, Cloud Security, AppSec, Third Party Risk, etc.) to translate security strategy and risk appetite into measurable outcomes.
Accountable for full lifecycle delivery:
Strategy ? Design ? Stakeholder Alignment ? Implementation ? Data Quality ? Reporting ? Continuous Improvement

TYPICAL DAY-TO-DAY

• 25% of time spent in meetings
• Interaction with internal partners only
• No access to customer data

KEY RESPONSIBILITIES
1. Metrics Strategy, Design & Standardization

• Lead design and evolution of security metric taxonomy
• Build and maintain security metrics library (definitions, formulas, thresholds, escalation logic)
• Align metrics to risk appetite, strategy, and regulatory expectations

2. Stakeholder Engagement & Socialization

• Facilitate alignment sessions with security leaders
• Translate technical metrics into executive-ready language
• Partner with ERM, Audit, Compliance, and Technology leaders

3. Implementation Leadership

• Drive implementation into reporting workflows and tooling (Power BI/Tableau, Archer, ServiceNow, Splunk, Jira, CMDB, EDR)
• Partner with data engineering teams to automate feeds
• Define data requirements and mapping
• Build repeatable refresh and governance procedures

4. Reporting, Insights & Executive Readouts

• Develop executive-ready reporting packages
• Provide trend analysis and leading vs lagging indicators
• Prepare talking points and narrative summaries

5. Data Quality, Controls & Governance

• Establish controls for accuracy, completeness, and traceability
• Implement QA checkpoints and periodic metric reviews
• Reduce metric sprawl and enforce governance

SUCCESS CRITERIA (First 6–12 Months)

• Published Security Metrics Library with approved KRIs/KPIs
• Automated reporting feeds for priority domains
• Executive dashboards with consistent definitions and thresholds
• Operationalized monthly and quarterly review cadence
• Reduced manual reporting and improved trust in metrics

MUST-HAVE SKILLS

• 8+ years in cybersecurity metrics, cyber risk reporting, cyber operations, GRC, or BI supporting InfoSec/IT
• Understanding of multiple security domains (SOC, vulnerability management, IAM/PAM, cloud, AppSec, third-party risk)
• Advanced Excel
• Executive-level PowerPoint
• At least one BI tool (Power BI / Tableau / Qlik)
• Experience building KPI/KRI governance or measurement programs

SOFT SKILLS

• Strong written and verbal communication
• Comfortable presenting to executives
• Ability to meet tight deadlines and hold stakeholders accountable

NICE-TO-HAVE
Frameworks

• NIST CSF
• NIST 800-53
• ISO 27001
• CIS Controls

Metric Automation Tools

• Splunk
• Sentinel
• CrowdStrike
• Qualys / Tenable
• ServiceNow (IRM/GRC/SecOps)
• Archer

Certifications

• CISSP
• CISM
• CRISC
• Security+
• ITIL Foundation

Industry Experience

• Prior banking or financial institution experience