Description:

The Information Security Risk Analyst is the operational engine of the internal risk program. While the Senior IRM Analyst and Risk Director define the strategic roadmap, the Analyst ensures the daily execution of that strategy. They are responsible for the "production line" of risk assessment: taking raw signals from the business, processing them through the established methodology, and outputting actionable risk decisions (Remediation or Acceptance).

The ultimate objective of this role is Reduction of Uncertainty. By managing the program effectively, the IRM Analyst ensures that MongoDB’s leadership has a clear, quantified view of the top risks facing the enterprise. They transform the Risk Register from a static spreadsheet into a dynamic governance tool that drives accountability.

The IRM Analyst must not be afraid to be in the trenches with the Engineering and Product teams. They are the primary face of the "Risk Intake Process," guiding stakeholders through the methodology. They are the gatekeeper of quality, ensuring that no risk enters the register until it has been properly scoped and quantified.

Responsibilities:

Risk Identification & Assessment

• Execute risk assessments under senior guidance - perform scoping, inherent risk scoring, control assessment, and residual risk calculation using established methodology
• Conduct risk identification intake, manage the flow of requests from Jira Service Desk and the Issue Intake Tracker, review incoming submissions against entry criteria, assign Risk IDs, and replicate validated risks into the Risk Register
• Act as the Triage Officer for incoming risk submissions, determine whether submissions represent strategic risks, operational issues, or duplicates. Filter noise to focus the team on signals
• Develop risk scenarios for in-scope assets by working with asset owners and risk owners , identify threat communities, threat events, and impact categories
• Draft Risk Assessment Memos that tell a cohesive story from risk statement to risk rating to actionable recommendation. Progressively build toward independently authored memos that require minimal review notes
• Monitor and flag emerging risk signals , including AI-related risks (model integrity, data poisoning, shadow AI, third-party AI dependencies) , and escalate with documented analysis for integration into the risk framework

Control Identification, Mapping & Assessment

• Identify and document controls that mitigate assessed risks , map controls to specific risk scenarios and applicable framework requirements (NIST SP 800-53, ISO 27001, SOC 2)
• Assess the design adequacy of controls , evaluate whether each control is appropriately designed to address the risk it is mapped to, and document findings with supporting rationale
• Assess the operating effectiveness of controls , collect and evaluate evidence to determine whether controls are functioning as designed over the assessment period, and document results
• Document control gaps and support remediation tracking , maintain clear records of where controls are missing, partially effective, or require compensating controls. Track remediation progress
• Maintain control-to-framework mappings to ensure risk assessment outputs directly support audit and certification evidence packages (FedRAMP, SOC 2, ISO 27001, PCI-DSS)

Risk Categorization & Governance

• Apply the established risk taxonomy and categorization methodology consistently across all assessed risks
• Process risk acceptance requests in Jira , validate completeness, ensure documented context and stakeholder sign-off, confirm time-bound conditions, and flag concerns to the Senior lead
• Maintain the Risk Register, risk inventory, and supporting trackers with obsessive attention to data integrity, no missing dates, undefined owners, or stale entries. A Risk Register with governance gaps is a program failure

Reporting & Stakeholder Engagement

• Contribute to KRI data collection and dashboard inputs , support accurate, timely reporting that feeds executive risk dashboards and governance forum materials
• Engage directly with technical stakeholders (engineering, product, infrastructure teams) during risk assessments , ask informed questions, gather evidence, and document findings
• Progressively build the technical fluency to lead stakeholder conversations independently , develop working proficiency in cloud-native architectures, SaaS security models, and common technical controls (IAM, encryption, network segmentation, logging/monitoring)
• Translate technical findings into clear, business-relevant risk language in all written work products

Policy, Process & Governance Hygiene

• Support drafting and maintaining risk procedures, guidelines, and assessment templates across the IRM program scope
• Execute governance hygiene , data quality, tracker maintenance, workflow adherence, evidence organization, and documentation standards
• Manage the risk assessment pipeline in Jira, create and maintain workflows, dashboards, and use JQL to track the assessment ticket lifecycle

Requirements:

Experience & Education:

• 3–5 years of experience in Information Security, Governance, Risk, and Compliance (GRC), or Enterprise Risk Management
• Experience performing risk assessments — including risk identification, inherent/residual risk scoring, and documentation of findings
• Experience identifying, documenting, and evaluating controls — including assessment of design adequacy and operating effectiveness
• Strong working knowledge of NIST CSF, NIST SP 800-30/39/53, and ISO/IEC 27005 — ability to use these frameworks as a library of controls and risk guidance
• Advanced proficiency in Excel/Google Sheets (pivot tables, VLOOKUP, complex formulas) for risk data analysis and reporting
• Jira proficiency — managing projects, creating workflows and dashboards, and using JQL
• Ability to write clear, concise, and defensible Risk Assessment Memos
• Obsessive attention to detail regarding data integrity and documentation quality
• Foundational understanding of cloud-native architectures and common technical controls (IAM, encryption, logging/monitoring, network segmentation) — with a commitment to building deeper technical fluency
• Awareness of AI risk concepts and willingness to develop expertise in emerging AI risk and regulatory landscape
• A strong track record of collaborating effectively across teams and levels
• Bachelor's degree in Cybersecurity, Information Systems, Business Administration, or a related field
• Certifications: At least, one of the following certifications is required - CRISC, CISM, CISSP, or CISA

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB. 

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB is an equal opportunities employer.

Req ID: 1273425625

The Information Security Risk Team at MongoDB is the operational engine of the internal and third-party risk programs. Situated within the Assurance, Risk, and Compliance (ARC) organization, the team is responsible for the "Reduction of Uncertainty" across the enterprise. We view this team as the "Operational Commander" of the risk function. The team oversees the entire lifecycle of risk identification, assessment, and treatment, ensuring that MongoDB’s leadership has a clear, quantified view of the top risks facing the organization. We are not just a compliance function; we are a "Risk Intelligence" unit that empowers the business to "Think Big" while keeping our eyes wide open to the risks we accept.

As the Senior Information Risk Analyst, you will serve as the subject matter expert and primary executor of our risk function. Reporting directly to the Risk Director, you will be responsible for conducting and owning the lifecycle of internal security assessments (annual + ad-hoc), applying risk methodology, producing risk memos and working with asset/risk owners across the business that powers MongoDB’s growth. This is a pivotal moment for our Risk function as we scale operations to meet the demands of a $100B+ database market while navigating an increasingly rigorous regulatory landscape (DORA, FedRAMP, NIS2).

This role can be based out of our Dublin office or remotely in Ireland. 

Responsibilities

Program Maturity

• Risk Assessment Methodology Implementation: Lead the strategic roadmap to integrate the risk matrix into the risk framework
• Regulatory Governance: Ensure the risk program complies with global regulations, specifically DORA (EU) regarding ICT registers and FedRAMP Rev 5 supply chain controls Maintain the Supply Chain Risk Management (SCRM) plan and oversee strict boundary protections for the "Atlas for Government" environment
• Policy & Procedure Ownership: Maintain the Information Risk Management Procedure (ISQMS), ensuring that risk identification, assessment, and treatment processes are documented, updated annually, and followed consistently across the organization

Operational Execution

• Experience conducting technical security risk assessments (infrastructure, cloud, application-level). Including experience in evaluating control effectiveness through technical evidence (configurations, logs, architecture diagrams)
• Workflow Orchestration: Own the end-to-end risk assessment process
• Inherent Risk Scoring: Validate the team’s application of the Risk Scoring formula.   Apply the risk scoring formula for baseline scores based on breach history (last 12 months) and weighted impact
• Ensure the risk acceptance process has the right level of information and the appropriate stakeholders
• Ticket Hygiene: Actively manage the Jira backlog to prevent "frozen tickets”

Monitoring and Reporting

• Conduct annual enterprise security risk assessments and ad-hoc assessments as triggered by material changes, incidents, or new initiatives
• Identify risk scenarios for the in-scope assets by working with the asset and risk owners
• Assess the inherent risk and residual risk based on established risk assessment methodology and control assessments
• Synthesize the analysis into high-quality, Risk Assessment Memos. These documents must tell a cohesive story, moving from the "Risk Statement" to the "Calculation Logic" to the final "Risk Rating"
• Manage the risk acceptance process in JIRA, review for appropriateness and accuracy
• Maintain the Risk Management Dashboard and report on accurate risk metrics

Requirements

• Professional Experience: 10+ years of experience in Information Security, Governance, Risk & Compliance (GRC)
• Hands-on experience conducting enterprise-level security risk assessments end-to-end, including scoping, threat modeling, control evaluation, and executive reporting
• Evaluate control effectiveness using technical evidence (configs, logs, architecture diagrams)
• Perform threat modeling using established methodologies (STRIDE, MITRE ATT&CK)
• Deep operational understanding of risk assessment methodologies (NIST SP 800-30) and standard control frameworks (NIST CSF, NIST SP 800-53, ISO 27001, SOC 2, SIG Core/Lite, CAIQ)
• Regulatory Knowledge: Comprehensive knowledge of DORA, NIS2, FedRAMP Rev 5 (specifically Supply Chain/SCRM), GDPR, and PCI-DSS requirements
• Ability to write executive-level risk reports that translate technical flaws into business risks
• A strong track record of collaborating effectively across teams and levels to influence change
• Education: Bachelor’s degree in a relevant field (Cybersecurity, Business, Information Systems)
• Certifications: CRISC, CCSP, CISSP, CISA, relevant cloud certifications

About MongoDB

MongoDB is built for change, empowering our customers and our people to innovate at the speed of the market. We have redefined the database for the AI era, enabling innovators to create, transform, and disrupt industries with software. MongoDB’s unified database platform, the most widely available, globally distributed database on the market, helps organizations modernize legacy workloads, embrace innovation, and unleash AI. Our cloud-native platform, MongoDB Atlas, is the only globally distributed, multi-cloud database and is available across AWS, Google Cloud, and Microsoft Azure.

With offices worldwide and over 60,000 customers, including 75% of the Fortune 100 and AI-native startups, relying on MongoDB for their most important applications, we’re powering the next era of software.

Our compass at MongoDB is our Leadership Commitment, guiding how and why we make decisions, show up for each other, and win. It’s what makes us MongoDB. 

To drive the personal growth and business impact of our employees, we’re committed to developing a supportive and enriching culture for everyone. From employee affinity groups, to fertility assistance and a generous parental leave policy, we value our employees’ wellbeing and want to support them along every step of their professional and personal journeys. Learn more about what it’s like to work at MongoDB, and help us make an impact on the world!

MongoDB is committed to providing any necessary accommodations for individuals with disabilities within our application and interview process. To request an accommodation due to a disability, please inform your recruiter.

MongoDB is an equal opportunities employer.

Req ID: 1273387742

About the Role

We’re looking for a Junior Security Operations Engineer who is AI-Forward to help scale and modernize our SecOps program. This is a hands-on, builder role for someone who will design and ship the security tooling that powers our triage, investigations, and response workflows.

You’ll report to the Technical Operations Director and work alongside our GRC lead to improve our vulnerability intake, threat response, darkweb posture, and internal security tooling. A core part of this role is building AI-assisted security tooling: triage agents that pre-classify bug bounty reports, investigation copilots that pull context from logs and SIEM data, response workflows that draft remediation steps and track them to closure. You’ll spend as much time wiring up that tooling as you will reproducing vulnerabilities and working incidents.

This role suits someone who thrives in a lean, high-impact environment, has strong opinions on where humans add value versus where tooling should take over, and wants to shape how a modern security team operates.

What You’ll Do

Triage & Vulnerability Management

• Review incoming vulnerability reports from our bug bounty intake; reproduce and document valid issues for engineering teams.
• Build the tooling that improves signal-to-noise: automate duplicate detection, spam filtering, and abuse flagging so humans only touch what’s worth touching.
• Act on DAST findings: coordinate remediation, verify fixes, and re-test.
• Track remediation timelines for critical vulnerabilities and keep stakeholders honest on SLAs.

Threat Response & Monitoring

• Monitor and respond to EDR and cloud security alerts; investigate, contain, and document.
• Analyze darkweb findings and credential exposures; shape our darkweb monitoring practices and tooling over time.
• Improve detection coverage: tune noisy rules, close gaps, and enrich alerts with context so responders spend time on decisions, not data gathering.
• Help configure and tune DLP, SIEM, and AI security tooling.

Security Tooling (core to this role)

• Build AI-assisted triage tooling that pre-classifies bug bounty reports, flags duplicates, and routes real issues to the right engineering team with reproduction context attached.
• Build investigation tooling: LLM-backed copilots and Slack bots that pull alert context, correlate signals across sources, and surface what actually matters.
• Build response tooling: workflows that draft remediation steps, generate evidence artifacts, and track issues to closure across the teams that own them.
• Evaluate emerging AI security tooling and bring what’s genuinely useful into the stack; retire what isn’t.
• Apply a security-minded lens to our own AI usage: prompt injection, data exfiltration, model misuse, and the guardrails that go around them.

Compliance & Cross-Functional

• Support audit evidence collection for SOC 2, ISO 27001, and PCI DSS.
• Partner with ITOps to verify patches, endpoint coverage, and access hygiene.

You May Be a Good Fit If You Have

• Previous experience in a SecOps, Security Analyst, or Threat Response role.
• Proven ability to understand and reproduce technical vulnerabilities. You can read a bug report and tell whether it’s real.
• Experience with bug bounty triage (HackerOne, Bugcrowd, or similar).
• Hands-on exposure to SIEM, EDR, and DLP tools in production environments.
• A genuine, demonstrated interest in applying AI/LLMs to security work: side projects, internal tooling, prompt engineering, agent frameworks, anything that shows you’ve actually built with this stuff.
• Scripting and automation skills in Python, Bash, or similar. You reach for code before you reach for a checklist.
• Comfort working autonomously across time zones and asynchronously.
• Strong written communication. You can turn a messy investigation into a clear, defensible writeup.

Bonus Points For

• Experience building LLM agents, RAG pipelines, or Slack bots backed by OpenAI / Anthropic / open-source models.
• Detection engineering experience (Sigma rules, custom Falcon queries, Grafana/Loki dashboards).
• Cloud security depth in AWS or GCP (IAM, workload posture, cloud-native logging).
• Prior work in regulated environments (SOC 2, ISO 27001, PCI DSS) from the practitioner side.
• Exposure to AI/ML security concerns such as prompt injection, model evals, and data leakage through LLMs.
• Public contributions: blog posts, CVEs, open-source tools, CTF writeups.

Engagement & Logistics

• Full-time contract.
• Remote-first and async-friendly. We have hubs in San Francisco, Denver, Dublin, and Amsterdam. If you’re near one, we’d love to see you in the office regularly; if you’re elsewhere in the world, that works too.
• Potential to extend or convert based on fit.
• Reports to the Technical Operations Director; works closely with the GRC lead and IT Operations.

How We Work

We’re a lean, high-trust team. We value people who ship, who can operate independently, and who treat security as an engineering problem rather than a checklist. If you’re someone who sees a repetitive task and immediately thinks “this should be a script, or better yet, an agent,” you’ll fit in here.

To Apply

Tell us about a time you used AI, automation, or custom tooling to meaningfully change how a security workflow ran. What was manual before, what it looked like after, and what you learned. Links to code, writeups, or demos are welcome.