Cybersecurity Risk Analyst

About CITGO Petroleum Corporation

CITGO Petroleum Corporation is a major player in the refining sector and operates under the CITGO name. The company runs three refineries in Lake Charles, Louisiana; Lemont, Illinois; and Corpus Christi, Texas, and also owns or co-owns 38 active terminals, six pipelines, and three lubricants blending and packaging facilities. With about 3,300 employees and a combined crude processing capacity of roughly 807,000 barrels per day, CITGO is recognized as one of the industry’s leading branded suppliers.

The company emphasizes a workplace culture built around Safety, Integrity, Respect, Accountability, and Care.

Role overview

The Cybersecurity Risk Analyst will help protect both IT and OT environments by identifying, evaluating, and managing cyber risk across the enterprise. The position includes running detailed risk assessments, driving vulnerability management, supporting compliance with relevant frameworks and regulations, and working with cross-functional partners to reduce exposure. The role also contributes to third-party risk reviews, incident response, post-incident analysis, and ongoing monitoring of security performance through metrics and reporting.

Key responsibilities

• Carry out recurring risk reviews across IT and OT assets such as networks, cloud platforms, IoT devices, data centers, and software applications, using frameworks like NIST and CIS Controls.
• Help ensure alignment with security and privacy regulations, including GDPR, CCPA, and PCI DSS, while also assessing third-party risk.
• Coordinate vulnerability scans, penetration tests, and threat modeling exercises.
• Review findings, rank vulnerabilities by urgency, support patch prioritization, and adapt mitigation plans as new threats emerge.
• Prepare and present risk summaries for stakeholders, translating technical issues into business impact.
• Use approaches such as FAIR to estimate and prioritize risk, and provide status updates on incidents, remediation, and mitigation progress.
• Work with governance and IT teams to design and implement risk treatment plans that support both security and business goals.
• Serve as a contributor to incident response activities during security events.
• Take part in post-incident reviews, root-cause analysis, and exercises or simulations that improve readiness.
• Support the development and refinement of cybersecurity policies, standards, and procedures linked to risk management.
• Contribute to technical security standards that reinforce risk objectives.
• Assist with cybersecurity audits by supplying evidence, documentation, reports, and remediation records.
• Track KPIs to measure how effective vulnerability and risk management programs are.
• Use dashboards, automation, and metrics to report security posture and provide timely visibility.
• Assess the security implications of emerging technologies such as AI and blockchain, and help shape secure adoption strategies for digital transformation.
• Handle other related duties as assigned; the listed responsibilities may not be exhaustive and can vary by site.

Qualifications and experience

• Bachelor’s degree is required.
• At least 8 years of directly related work experience is required.
• Strong working knowledge of cybersecurity frameworks such as NIST, ISO 27001, and FAIR.
• Comfort working across IT and OT settings, including cloud, IoT, data center, and software environments.
• Hands-on experience with vulnerability management, penetration testing, and threat modeling.
• Understanding of risks associated with emerging technologies.
• Strong analytical and problem-solving ability for evaluating and ranking risk.
• Clear communication and presentation skills to explain technical risk in business terms.
• Ability to produce detailed documentation such as risk reports, policies, and compliance evidence.
• CISSP, CRISC, or similar security certifications are preferred.

Benefits and incentives

• Remote work may be available for eligible roles.
• Availability of certain benefits depends on department and/or location.
• 9/80 work schedule option where applicable.
• Annual vacation incentive with 40 to 120 hours of extra pay for eligible employees.
• Paid vacation time.
• Company-paid holidays.
• Caregiver leave.
• Strong 401(k) matching.
• Pension plan.
• Company-paid sick leave and long-term disability coverage.
• Medical, dental, and vision coverage, plus FSA and HSA options.
• Company-paid life insurance for active employees.
• Healthy rewards program.
• Service awards program.
• Educational assistance plan.
• Scholarships for dependent children.
• Gym membership reimbursement.
• Employee discount programs.
• On-site health clinic at select locations.
• On-site cafeteria at select locations.
• On-site credit union and ATM at the corporate office only.
• On-site fitness center at select locations.
• Not every role qualifies for every benefit.

Equal opportunity notice

All qualified applicants are considered without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or disability.

Reference information

Requisition ID: 1129.