
Security Analyst [T500-23794]

lululemon

0 - 3 years

Bengaluru

Posted: 28/02/2026


Job Description

About lululemon:

lululemon is an innovative performance apparel company for yoga, running, training, and other athletic pursuits. Setting the bar in technical fabrics and functional design, we create transformational products and experiences that support people in moving, growing, connecting, and being well. We owe our success to our innovative products, commitment to our people, and the incredible connections we make in every community we're in. As a company, we focus on creating positive change to build a healthier, thriving future. In particular, that includes creating an equitable, inclusive and growth-focused environment for our people. As we continue to elevate our shopping experience, our India Tech Hub plays a key role in expanding our technology capabilities in Product Systems, Merchandising and Planning, Digital Presence, distribution and logistics, and corporate systems. Our team in India works as an extension of the global team on projects of strategic importance.


Who We Are:

lululemon is a yoga-inspired technical apparel company up to big things. The practice and philosophy of yoga inform our overall purpose: to elevate the world through the power of practice.

We are proud to be a growing global company with locations all around the world from Vancouver to Shanghai and places in between. We owe our success to our innovative products, our emphasis on our stores, our commitment to our people, and the incredible connections we make in every community we serve.


About This Team:

The Cybersecurity GRC team consists of cybersecurity experts, problem solvers, insight and solution generators, and trusted compliance advisors to the business.

We leverage our expertise in risk, information security, and controls to support risk management, cybersecurity, regulatory compliance, and continuous process improvements that drive efficiency and cost savings. We partner with various business functions (Brand, Product, Technology, Finance, and more) and foster open dialogue to unlock creativity and deliver innovative solutions.


A Day in the Life

  • Support a strong culture of risk management, enhancing risk and control visibility with measurable risk reduction and effective governance/reporting.
  • Partner with the Lead to establish a Technology Risk Management methodology by adopting frameworks such as:
      • NIST RMF (SP 800-37)
      • CIS v8 Top 18
      • COBIT 2019
      • CSA CCM / CSA STAR Registry
      • ISO 31000:2018
  • Perform Technology Risk Assessments for new projects and technology implementations.
  • Determine information security risk profiles for systems, assets, and data based on company policies, frameworks, standards, and industry best practices.
  • Develop, update, and establish risk management policies and standards.
  • Conduct system characterization, threat and vulnerability identification, control deficiency analysis, likelihood determination, impact analysis, risk rating, and compensating control recommendations, along with thorough documentation.
  • Support and conduct context establishment, risk identification, risk analysis, evaluation, treatment, documentation, communication, and periodic monitoring/reviews.
  • Escalate security risk exceptions, threats, vulnerabilities, quality issues, performance gaps, change control, and delivery concerns as required.
  • Lead stakeholder management, risk communication, risk reviews, risk acceptance, and risk treatment activities.
  • Execute automation initiatives within GRC workflows, track risk lifecycles, engage stakeholders, and monitor/report risks.
  • Collaborate with members of the Policy, Technology Security & Risk Assessment teams on complex matters.
  • Identify opportunities and implement continuous improvement initiatives within the department.


Qualifications:

  • Bachelor's degree (preferably in Management Information Systems).
  • At least one of the following certifications: CISA, CRISC, or ISO 27001 Lead Auditor.
  • 46 years of Technology Risk Management experience, or a combination of Cybersecurity GRC and Information Security experience.
  • Knowledge and experience with data security and privacy regulations such as NIST CSF, ISO 27001, PCI DSS, and GDPR.
  • Strong communication and relationship-building skills, with the ability to work in ambiguity, analyze situations, and solve problems effectively.


Must-Haves:

  • Acknowledges the presence of choice in every moment and takes personal responsibility.
  • Demonstrates an entrepreneurial spirit and continuously innovates to achieve strong results.
  • Communicates with honesty and kindness, creating space for others to do the same.
  • Leads with courage, embracing the possibility of greatness beyond fear of failure.
  • Fosters connection by putting people first and building trusting relationships.
  • Integrates fun and joy into work while delivering excellence.
