Cybersecurity Analyst I / II | Operations

Date: Aug 28, 2025

Location: PHOENIX, AZ, US, 85004-3903

Company: APS

Our present and future success depends on the creative and dedicated people of our company who demonstrate the principles outlined in the APS Promise: Design for Tomorrow, Empower Each Other and Succeed Together.  

Summary


 

As a Cybersecurity Analyst, you will help safeguard critical infrastructure and ensure compliance with evolving regulatory and cybersecurity standards. Your work will directly support the secure and reliable delivery of energy.

 

What your day would be like:
You are responsible for:

  • Supporting the implementation and continuous improvement of cybersecurity governance, risk, and compliance programs aligned with NIST Cybersecurity Framework, NIST SP 800-53, NIST Privacy Framework, NERC CIP, etc.
  • Conducting control assessments, risk evaluations, and gap analyses to ensure compliance with internal policies and external regulatory requirements (e.g., NERC CIP, FERC, SOX).
  • Collaborating with IT, OT, and Compliance teams to identify, document, and remediate control deficiencies across enterprise and operational technology environments.
  • Maintaining risk registers, tracking mitigation plans, and preparing reports for internal stakeholders and regulatory bodies.
  • Monitoring changes in cybersecurity regulations and best practices to ensure the organization remains compliant and resilient.
  • Leveraging Power BI to develop dashboards and visual reports that track cybersecurity risk metrics, control effectiveness, and compliance trends across the organization.
  • Utilizing ServiceNow to manage GRC workflows, analyze risk and compliance data, and generate insights that support informed decision-making and continuous improvement.

 

The kinds of people we want to talk to have done many of the following:

  • A basic understanding of or familiarity with regulatory frameworks (such as NIST CSF, SP 800-53, or the NIST Privacy Framework) or similar frameworks.
  • Exposure to cybersecurity risk assessments, control evaluations, or compliance activities, either through hands-on experience or academic/professional development.
  • The ability to interpret regulatory or policy requirements and contribute to practical, risk-informed solutions.
  • Strong analytical thinking, attention to detail, and clear communication skills—especially when working across technical and non-technical teams.
  • A growth mindset, curiosity about evolving cybersecurity and privacy standards, and a desire to contribute to a mission-driven organization.

This is an opportunity to make a real impact by protecting critical systems, building your cybersecurity career, and contributing to the safe and reliable delivery of energy.

Minimum Requirements

Cybersecurity Analyst I | Operations

  • Bachelor's degree in computer science, business administration, finance, accounting or related field
  • PLUS one (1) year of prior relevant experience or equivalent combination of education and directly related experience.
  • Requires basic technical subject matter knowledge within a job area or system.

 

Cybersecurity Analyst II | Operations

  • Bachelor's degree in Computer Information Systems (CIS) or related field and two (2) years of prior relevant experience or equivalent combination of education and directly related experience.
  • Requires intermediate level technical subject matter knowledge within a job area or system.

Preferred Special Skills, Knowledge or Qualifications



  • Basic understanding of IT security controls and interest in learning how to apply frameworks such as NIST 800-53, the NIST Cybersecurity Framework, or NERC Critical Infrastructure Protection.
  • Capable of evaluating cybersecurity controls to support compliance with both internal standards and external regulations.
  • Exposure to GRC platforms (ServiceNow GRC, Archer, MetricStream) with a desire to learn how these tools support policy management, compliance tracking, and risk assessments.
  • Familiarity with data analysis tools (Excel, Power BI, Tableau) and an interest in developing skills to aggregate and interpret data from various cybersecurity sources.
  • Assist in drafting and maintaining cybersecurity policies and procedures, with guidance, to support compliance with regulatory and technical standards.
  • Some exposure to regulated environments or cybersecurity frameworks (e.g., NERC/CIP).
  • At least one of the following certifications is desired but not required: CompTIA (Security+, Network+); EC-Council (ECSA); SANS/GIAC (GSEC, GPPA, GISF, GISP); ISACA (CRISC).

Major Accountabilities

1) Assist in the development, review, and management of cybersecurity policies, processes, and standards.
2) Support efforts to map external regulatory requirements to internal control objectives to ensure traceability and alignment.
3) Participate in control validation assessments and document findings to demonstrate control effectiveness.
4) Support the identification and management of cybersecurity risks across both IT and OT environments.
5) Contribute to the creation and improvement of processes and assessments that support control testing and validation.
6) Build and maintain reports, metrics, and dashboards for internal stakeholders and executive leaders.
7) Effectively communicate cybersecurity risk and compliance status to stakeholders and executive leadership in a clear and concise manner.
8) Create and deliver training for targeted system users (in-person and virtual).
9) Participate in APS' internal security awareness program, helping to present on topics such as phishing, ransomware, password safety, and data privacy to audiences of varying sizes.


Export Compliance / EEO Statement

This position may require access to and/or use of information subject to control under the Department of Energy's Part 810 Regulations (10 CFR Part 810), the Export Administration Regulations (EAR) (15 CFR Parts 730 through 774), or the International Traffic in Arms Regulations (ITAR) (22 CFR Chapter I, Subchapter M Part 120) (collectively, 'U.S. Export Control Laws'). Therefore, some positions may require applicants to be a U.S. person, which is defined as a U.S. Citizen, a U.S. Lawful Permanent Resident (i.e. 'Green Card Holder'), a Political Asylee, or a Refugee under the U.S. Export Control Laws. All applicants will be required to confirm their U.S. person or non-U.S. person status. All information collected in this regard will only be used to ensure compliance with U.S. Export Control Laws, and will be used in full compliance with all applicable laws prohibiting discrimination on the basis of national origin and other factors. For positions at Palo Verde Nuclear Generating Stations (PVNGS), all openings will require applicants to be a U.S. person.

Pinnacle West Capital Corporation and its subsidiaries and affiliates ('Pinnacle West') maintain a continuing policy of nondiscrimination in employment. It is our policy to provide equal opportunity in all phases of the employment process and in compliance with applicable federal, state, and local laws and regulations. This policy of nondiscrimination shall include, but not be limited to, recruiting, hiring, promoting, compensating, reassigning, demoting, transferring, laying off, recalling, terminating employment, and training for all positions without regard to race, color, religion, disability, age, national origin, gender, gender identity, sexual orientation, marital status, protected veteran status, or any other classification or characteristic protected by law.

For more information on applicable equal employment regulations, please refer to the 'EEO is the Law' poster. Federal law requires all employers to verify the identity and employment eligibility of every person hired to work in the United States; refer to the E-Verify poster. View the employee rights and responsibilities under the Family and Medical Leave Act (FMLA).

Arizona Public Service is a smoke-free workplace.

Hybrid Role:

Employees in hybrid roles will work both in their home offices and alongside their colleagues at an APS facility or other work location for meaningful in-person engagement.

As of January 2025, hybrid-role employees will be asked to work about 40% of their time in person at an APS or other (non-home office) location.

 

*Employees in Hybrid roles are required to reside in Arizona (or NM for Four Corners-based employees). Role types are subject to change based on business need.

CIP Requirement:

This position requires Critical Infrastructure Protection (CIP) access consistent with North American Electric Reliability Corporation (NERC) standards. The applicant considered for this role will be required to obtain and maintain CIP access for the duration of employment in this position. A full seven (7) year criminal history will be obtained through the pre-employment background check process (or, for current employees, through the supplemental background check process) to fulfill the CIP access requirements. In addition, this position requires an additional background check every seven years to maintain access.

 

