Cybersecurity Risk & Controls Associate

PwC Canada is a global leader in Cybersecurity and AI Security Assurance, dedicated to securing major organizations against complex threats. The Cybersecurity Risk & Controls Associate will work directly with high-level executives to assess cybersecurity capabilities, manage risks, and ensure secure cloud transformations while developing expertise across various cybersecurity domains. Responsibilities - Support cybersecurity assessments: Evaluate client capabilities against leading industry frameworks: NIST CSF, NIST 800-53, ISO 27001, COBIT, CIS Controls, SOC 2; to identify control gaps, assess risk maturity, and architect actionable remediation roadmaps with prioritization clearly linked to business impact and regulatory exposure - Enable secure cloud transformations: Support on risk identification and security control integration as part of large-scale cloud migrations and transformations. Apply knowledge of cloud security principles, shared responsibility models, governance frameworks, and security architecture across Azure, AWS, and GCP; including cloud-native security services, container and Kubernetes security, infrastructure-as-code (IaC) review, and CSPM tooling - Apply AI security fundamentals: Support the safe adoption of artificial intelligence across client organizations using leading risk management frameworks: NIST AI RMF, ISO 42001, OWASP Top 10 for LLMs, MITRE ATLAS, and Canada's Artificial Intelligence and Data Act (AIDA). Assess GenAI risks including prompt injection, data poisoning, model inversion, adversarial attacks, and supply chain vulnerabilities in AI/ML pipelines. Help clients develop AI-specific governance controls and usage policies - Manage IT and business process controls: Perform and support audits, risk management, and assurance reviews over large technology transformation initiatives, IT general controls (ITGCs), application controls, data privacy programs, and regulatory compliance mandates (OSFI B-13, PIPEDA, SOX IT, PCI DSS). Document control testing evidence, findings, and management action plans with the rigour expected by external regulators and audit committees - Conduct vulnerability and threat assessments: Support vulnerability assessments, threat modelling exercises (STRIDE, PASTA, MITRE ATT&CK), attack surface analyses, and control gap assessments. Translate technical threat intelligence into risk-ranked remediation plans aligned to client risk appetite and sector-specific threat profiles - Drive executive conversations and stakeholder management: Translate complex technical security vulnerabilities into clear, quantifiable business impacts. Facilitate risk workshops, manage project governance, gather technical requirements, and confidently present viable security solutions to diverse client stakeholder groups, from security architects and engineers to C-suite executives and board-level audiences - Optimize with automation and AI: Leverage AI tools, scripting, and automation to streamline security assessments, control mapping, evidence collection, and continuous risk monitoring. Develop reusable templates, accelerators, and tools that improve team efficiency and ensure consistent engagement quality - Support business development and thought leadership: Contribute to proposals, RFP responses, client presentations, and PwC's proprietary methodology development. Participate in the creation of market-facing thought leadership in cybersecurity and AI security that positions PwC as Canada's leading cyber advisor - Stay ahead of the curve: Continuously research the shifting regulatory and threat landscape; monitoring emerging risks such as GenAI-enabled cyberattacks, quantum cryptography threats, OT/ICS vulnerabilities, and evolving privacy regulation across Canada and globally. Apply relentless curiosity to learn new capabilities and actively share insights across the team and client base - Deliver high performance: Demonstrate clear vision, open communication, collaboration, and accountability to deliver exceptional quality to clients and a rewarding experience for peers Skills - Hands-on experience in cybersecurity, IT risk, technology assurance, or digital risk management, gained in a consulting, professional services, or in-house cybersecurity environment - Deep understanding and hands-on experience in at least three of the following cybersecurity domains: Threat Management & Threat Intelligence, Risk Assessment & Cyber Risk Quantification (FAIR methodology is a plus), Data Security & Privacy (PIPEDA, GDPR, CCPA, provincial privacy legislation), Network & Infrastructure Security, Application Security & Secure SDLC, Vulnerability Management & Penetration Testing, Cloud Security (AWS, Azure, GCP), Identity & Access Management (IAM / PAM / Zero Trust Architecture), Security Governance, Risk & Compliance (GRC), OT/ICS or Critical Infrastructure Security - Working knowledge and hands-on application of leading cybersecurity and AI security frameworks: NIST CSF, NIST 800-53, ISO 27001, ISO 42001, NIST AI RMF, SOC 2, CIS Controls v8, COBIT 2019, PCI DSS v4.0, and MITRE ATT&CK - Cybersecurity & Risk Credentials: Foundational (CompTIA Security+, CySA+, ISC2 CC); Audit & Assurance (ISACA CISA, Associate/In Progress, CRISC, CISM); Cloud Security (AWS Security Specialty, Microsoft AZ‑500/SC‑200/SC‑300, Google PCSE, ISC2 CCSP, CompTIA Cloud+); AI Security & Governance (ISACA AAIA, ISO 42001 Lead Implementer/Auditor, IAPP AIGP) - Demonstrated curiosity and growing knowledge of AI security; including generative AI risks, LLM vulnerabilities (OWASP LLM Top 10), model governance, AI ethics frameworks, and Canada's AIDA regulatory landscape - Proven ability to map technical controls to security frameworks and compliance standards, and to translate those findings into business-impact language for executive and board-level audiences - Hands-on technical experience in cloud or on-premises security, cloud security audits, or cloud infrastructure design (Azure, AWS, GCP) is a strong asset - Experience using security tools in one or more categories: SIEM platforms (Splunk, Microsoft Sentinel), vulnerability scanners (Tenable, Qualys), GRC tools, EDR/XDR solutions, or cloud security posture management (CSPM) platforms - Strong presentation, communication, and stakeholder management skills, you are comfortable and confident stepping into a room to articulate complex technical risks to both technical engineers and non-technical business leaders - Analytical mindset: ability to structure ambiguous problems, synthesize large volumes of information, and develop clear, evidence-based recommendations under time pressure and in complex, multi-stakeholder environments Benefits - Competitive compensation package - Inclusive benefits - Flexibility programs Company Overview - PwC Canada helps organizations and individuals create the value they're looking for by inspiring people & bringing perspectives together. It was founded in 1998, and is headquartered in Toronto, Ontario, CAN, with a workforce of 5001-10000 employees. Its website is https://www.pwc.com/ca/en/.