Cybersecurity Risk & Controls Associate

The Opportunity:  

As a Senior Associate, unlock your potential and embrace the chance to drive meaningful outcomes that’ll elevate your career. Your role will include, but isn’t limited to: 

• Lead cybersecurity assurance engagements: Own the day-to-day delivery of cybersecurity assessments, security architecture reviews, and control gap analyses against leading cybersecurity frameworks such NIST CSF, NIST 800-53, ISO 27001 and more. Develop technically strong findings and remediation roadmaps tied clearly to business impact and regulatory exposure, and present conclusions to senior client stakeholders with confidence and clarity. 

• Drive AI security engagements: Lead both technical security reviews and governance assessments of AI implementations and deployments. Conduct hands-on testing of AI/ML systems including overall AI architecture reviews, prompt injection testing, input/output validation, API security review, data pipeline integrity, and infrastructure hardening for AI workloads. Apply NIST AI RMF, ISO 42001, OWASP Top 10 for LLMs, MITRE ATLAS, and Canada’s Regulatory frameworks (AIDA, OSFI E-23) to help clients govern AI responsibly and securely. Develop AI-specific control frameworks and board-level risk reporting for organizations deploying GenAI at scale. 

• Hands-on cloud security experience: ability to assess cloud security architecture, misconfiguration risk, identity controls, data protection, and compliance posture across AWS, Azure, or GCP. Experience with cloud-native security services, IaC security review, container security, and CSPM tooling is strongly preferred. 

• Hands-on IAM security experience: ability to assess identity and access management programs including role-based access control, privileged access management (PAM), federation and SSO, and zero trust network access (ZTNA). Experience identifying entitlement risks, toxic access combinations, and least-privilege gaps in enterprise environments is a strong asset. Familiarity with IAM controls specific to AI environments, including service account governance, model access controls, API key management, and least-privilege enforcement for AI workloads and data pipelines is a differentiator. 

• Hands-on data security experience: ability to assess and advise on data classification, data loss prevention (DLP), encryption controls, data residency requirements, and secure data lifecycle management. Experience with privacy-enhancing technologies, data access governance, and regulatory compliance programs (PIPEDA, GDPR, provincial privacy legislation) is strongly preferred. Familiarity with data security controls in AI and cloud environments, including training data protection, sensitive data handling in ML pipelines, and data minimization practices for GenAI systems, is a strong asset. 

• Lead cybersecurity strategy development: Design and deliver strategy engagements including security operating model design, zero trust architecture roadmaps, cyber risk quantification programs, board-level risk reporting frameworks, and third-party risk programs. Translate strategic recommendations into implementation-ready plans with clear ownership, timelines, and success metrics. 

• Execute and oversee threat and vulnerability programs: Lead vulnerability assessments, threat modelling exercises (STRIDE, PASTA, MITRE ATT&CK), penetration test scoping and management, and attack surface analyses. Translate technical outputs into business-language risk narratives and prioritized remediation roadmaps calibrated to client sector and risk appetite. 

• Own client relationships and stakeholder management: Serve as the day-to-day point of contact for client stakeholders. Facilitate executive workshops, manage project governance and scope, and navigate difficult conversations with confidence and professionalism. Build enduring client relationships that generate trust, repeat business, and expanded mandates, and proactively look for opportunities to deepen PwC's presence within each account while contributing to a positive and collaborative team culture throughout. 

• Mentor and develop team members: Take active responsibility for the growth of Associates on your engagements. Review deliverables for quality, provide direct and constructive feedback, and coach on both technical and consulting skills to create an environment where junior team members are stretched, supported, and set up to succeed. 

• Optimize with automation and AI: Champion the use of AI tools, scripting, and automation within engagements to accelerate evidence collection, control mapping, continuous monitoring, and reporting. Develop reusable templates and accelerators that improve team efficiency and ensure consistent, high-quality delivery across engagements. 

• Contribute to practice growth and business development: Identify scope expansion opportunities within active client accounts and contribute to proposals, RFP responses, and pitch presentations with a clear point of view on solution approach and differentiation. Develop reusable methodologies and engagement accelerators that sharpen PwC's competitive edge in the market.

• Stay ahead of the curve: Monitor and synthesize emerging threat intelligence, regulatory developments (OSFI B-13, PIPEDA, NIST, EU AI Act), and AI security innovations. Bring fresh, relevant insight to every client conversation, share findings across the team, and continuously sharpen PwC's methodologies and service offerings. 

• Deliver high performance: Demonstrate clear vision, open communication, collaboration, and accountability to deliver exceptional quality to clients and a rewarding experience for peers. Actively contributes to PwC's culture of inclusion, continuous learning, and professional excellence. 

What You'll Bring: 
Your skills, knowledge, and experiences are what set you apart. Here's what we look for: 

• Progressive, hands-on experience in cybersecurity consulting, cyber assurance, IT risk, or technology audit, with a demonstrated track record of leading engagements and managing client relationships, gained at a Big 4 firm, leading cybersecurity consultancy, or in a senior in-house cybersecurity role.

• Proven ability to independently lead client-facing engagements end-to-end: scoping, planning, execution, quality review, and final presentation across complex, multi-stakeholder environments. 

• Deep understanding and hands-on experience in at least three of the following cybersecurity domains: 

• Cybersecurity Strategy & Operating Model Design 

• Cyber Risk Management & Quantification (FAIR methodology preferred) 

• Cloud Security Architecture & Assurance (AWS, Azure, GCP) 

• AI Security, AI Governance & Responsible AI 

• Identity & Access Management / Privileged Access / Zero Trust 

• Threat Intelligence, Threat Modelling & Red Team Oversight 

• Vulnerability Management & Penetration Testing Program Management

• OT/ICS & Critical Infrastructure Security 

• Third-Party & Supply Chain Risk Management (TPRM) 

• Data Security, Privacy & Regulatory Compliance 

• Security Governance, Risk & Compliance (GRC) Program Management 

• Expert-level command of cybersecurity and AI security frameworks: NIST CSF, NIST 800-53, ISO 27001, ISO 42001, NIST AI RMF, SOC 1/2, CIS Controls v8, COBIT 2019, PCI DSS v4.0, MITRE ATT&CK, Zero Trust architecture principles, and Canada-specific regulatory frameworks (OSFI B-13, PIPEDA, AIDA). 

• Cybersecurity & Risk Credentials: Audit & Assurance (ISACA CISA, CRISC, or CISM — one strongly preferred at this level); Security Management (ISC2 CISSP or CCSP); Cloud Security (AWS Security Specialty, Microsoft SC-100/AZ-500, Google PCSE); AI Security & Governance (ISACA CAIA, ISACA AAISM, ISO 42001 Lead Implementer/Auditor); Offensive Security (OSCP, GIAC GPEN, GWAPT, CEH); Privacy (IAPP CIPP/C, CIPM). 

• Substantive AI security expertise: deep familiarity with LLM vulnerabilities (OWASP LLM Top 10), adversarial machine learning, AI model governance, and GenAI risk management. You have led or played a significant role in at least one AI security or AI governance engagement. 

• Demonstrated ability to present complex findings and strategic recommendations to C-suite executives, board members, and regulatory audiences in writing and in person, with the polish and authority those audiences expect from a trusted advisor. 

• Strong project management discipline: ability to manage multiple concurrent workstreams, track milestones, manage scope, escalate risks proactively, and consistently deliver on time and within budget. 

• Experience mentoring and developing junior professionals, with concrete examples of how you have improved someone else's technical knowledge, consulting craft, or client delivery capabilities. 

• Hands-on experience with security tools across multiple categories: SIEM platforms (Splunk, Microsoft Sentinel), vulnerability scanners (Tenable, Qualys), EDR/XDR solutions, GRC platforms, or CSPM tools (Wiz, Prisma Cloud, Defender for Cloud). 

• PwC Canada is committed to cultivating an inclusive, hybrid work environment. Exact expectations for your team can be discussed with your interviewer.