
Cybersecurity Compliance Analyst

Churchill Downs Incorporated - Louisville, KY
Louisville, KY Full Time
POSTED ON 2/17/2025
AVAILABLE BEFORE 4/15/2025

SUMMARY:
Churchill Downs Incorporated (CDI) is seeking a motivated and detail-oriented Cybersecurity Compliance Analyst to join our Cybersecurity Risk Management team. This role will focus on maintaining and enhancing CDI’s compliance with Payment Card Industry Data Security Standards (PCI DSS), aligning organizational practices with the NIST Cybersecurity Framework (CSF), driving cybersecurity training and awareness programs, and managing the company’s governance, risk, and compliance (GRC) security framework tracking tool. The ideal candidate will combine strong analytical skills with the ability to collaborate effectively across diverse teams.

 

ESSENTIAL DUTIES AND RESPONSIBILITIES include the following:

  • PCI DSS Compliance:
    • Collaborate with technical teams to implement and validate new controls and processes as required by PCI DSS version 4.0.
    • Conduct PCI DSS assessments and audits to ensure compliance across applicable CDI business units.
    • Work with stakeholders to remediate identified gaps and track compliance milestones.
    • Maintain documentation of processes, controls, and evidence to support PCI DSS compliance efforts.
    • Lead efforts to transition CDI’s PCI DSS compliance program to meet the new requirements introduced in PCI DSS version 4.0, including ensuring readiness for mandatory compliance for our 2025 SAQ-D.

  • Cybersecurity Awareness and Training:
    • Develop, implement, and manage company-wide cybersecurity awareness and training initiatives.
    • Collaborate with internal teams to tailor training materials to various departments and roles.
    • Track and report on training participation and effectiveness metrics.

  • GRC Security Framework Management:
    • Administer and maintain the organization’s governance, risk, and compliance (GRC) security framework tracking tool.
    • Ensure accurate and up-to-date tracking of compliance activities, risks, and control evaluations within the tool.
    • Generate reports and dashboards to support compliance audits, risk assessments, and management reviews.

  • Risk Management Support Activities:
    • Assist in risk assessments, control evaluations, and compliance reviews for cybersecurity initiatives.
    • Provide support during internal and external audits related to cybersecurity compliance (e.g., PCI DSS, state gaming regulators, CCPA, SOX).
    • Maintain a comprehensive understanding of CDI’s cybersecurity policies and ensure they are effectively communicated and enforced.

  • Metrics Reporting:
    • Develop reportable metrics (KPIs) and compliance reports.
    • Other duties as assigned.

EDUCATION and EXPERIENCE:

  • Bachelor’s degree in Cybersecurity, Information Technology, Business Administration, or a related field; equivalent work experience will be considered.
  • 2 years of experience in cybersecurity compliance, risk management, or related roles.
  • Prior direct experience managing PCI DSS (required), and the NIST CSF or other relevant frameworks.
  • Certifications – Any (Preferred): Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), PCI Professional (PCIP), Certified in Risk and Information Systems Control (CRISC).

REQUIRED SKILLS:

  • Strong understanding of PCI DSS requirements and compliance processes.
  • Experience with transitioning to PCI DSS version 4.0, including understanding of new requirements and timelines for mandatory compliance in 2025.
  • Familiarity with the NIST Cybersecurity Framework and its application to organizational security programs.
  • Experience administering or managing GRC security framework tracking tools.
  • Communication Skills: Strong verbal and written communication skills, capable of conveying security concepts to both technical and non-technical audiences.
  • Problem-Solving Ability: Analytical and critical thinking skills to identify and address security issues effectively.
  • Organized & Collaborative: Strong organizational and time management skills with attention to detail. Collaborative mindset with the ability to work effectively across various teams and departments.

REGULATORY:

Ability to obtain racing and/or gaming licenses as required in any jurisdiction where CDI operates. The Gaming industry is highly regulated and as such demands an extensive background check to obtain a license. Must be 21 years of age or older.

PHYSICAL DEMANDS / WORKING CONDITIONS:

  • Extended periods of sitting at a desk and working on a computer.
  • Regular use of a keyboard and mouse for typing and navigating software.
  • Viewing a computer screen for prolonged periods.
  • Ability to manipulate paperwork, including filing, sorting, and organizing.
  • Moving within the office environment to attend meetings, use office equipment, or interact with colleagues.
  • Occasional lifting of office supplies or paperwork (up to 20 pounds).
  • Speaking and listening to colleagues and clients in person, over the phone, or via video conferencing.
  • Working in a climate-controlled office environment with moderate noise levels.
  • Performing repetitive tasks such as data entry or document preparation.
  • Working under artificial lighting conditions typical of an office environment, which may include fluorescent or LED lighting.
  • Role is onsite five days a week at the Louisville, KY CDI headquarters office.
