Information Security Consultant - Third Party Risk (FTC)
Posted on Nov 21, 2021 by Barclay Simpson Recruitment
Information Security Third Party Risk Consultant required for a UK-based regulator. This role sits within the Assurance team of the Cyber and Information Resilience (C&IR) department, which is made up of cyber security and data privacy professionals covering our diverse and technical environment.
- Assess the cyber security risk of third-party vendors at an appropriate level of detail, taking into account the emerging supplier risk landscape and using open-source intelligence to corroborate each supplier's stated security posture.
- Apply cyber security maturity models to identify immature controls and provide sound recommendations to address gaps and improve maturity in third-party processes and vendor relationships.
- Assure services so that our key systems (those that process and store the firm's data), the supporting IT operating infrastructure, our suppliers and all our business processes comply with our policies and remain within the firm's risk appetite.
- Validate that operational decisions are made in accordance with our security policies and standards and do not increase the overall risk exposure of the firm.
- Analyse compliance with the fundamental processes required to manage risk and safeguard our most important assets.
- Determine that appropriate governance and controls are in place so that identified cyber risks and vulnerabilities are prioritised and remediated in line with agreed C&IR SLAs.
- Demonstrate that suppliers are complying with their contractual obligations.
What does this job involve?
- The successful candidate will be the Subject Matter Expert within the team on third-party assurance in our BAU work streams and will drive a culture of understanding and awareness of third-party cyber risk across the firm.
- Lead the development and operation of the supplier assurance framework, ensuring alignment to the C&IR strategy.
- Lead the design and integration of cyber security controls and processes to further develop and mature the existing supplier assurance framework.
- The candidate will work closely with the Cyber Assurance Lead, C&IR assurance and consultancy managers, the Senior Information Risk Officer, Procurement, Legal, Relationship Managers, Product Group Owners, Product Team SMEs and vendors on third-party governance strategies to mitigate identified risks and improve governance.
- Drive the identification and proportionate management of supplier risk: scope, review, remediate and schedule periodic reviews of moderate and complex supplier contracts in line with the firm's supplier segmentation model.
- Work with vendors to carry out supplier due diligence across the firm, including maturity and intelligence assessments.
- Enhance the existing supplier assurance framework to ensure that all 600+ suppliers are segmented appropriately using the new segmentation model and tool.
- Use analytical and quantitative methods to understand, forecast, and enhance the organisation's supplier assurance process.
- Drive the implementation of automation and tooling (both tactically and strategically) that would lead to efficiencies.
- Establish and drive best-practice processes, ensuring that you are guided by the evolving risk and regulatory landscape of the firm.
- Manage third-party risk where suppliers fail to meet our policies and standards due to insufficient controls.
- Understand digital data and emerging technology within vendor risk management.
Skills & Experience:
- Cyber security audit and risk management experience, preferably in third-party risk/vendor risk management roles.
- Proven ability to work and effectively prioritise in a dynamic environment.
- Advanced interpersonal skills to engage and collaborate with multiple internal and external stakeholders.
- Ability to carry out complex supplier due diligence assessments in line with the latest concepts and approaches.
- Demonstrable experience in cloud service and deployment models, IT systems and/or security assurance frameworks.
- In-depth audit or assurance understanding of cyber security standards (e.g. NIST, ISO 27001, CIS Top 20) and their application and implementation.
- Ability to clearly articulate and document technical matters to audiences who may have limited specialist knowledge.
- Confident, self-assured and willing to challenge when appropriate.
- Good problem-solving ability with effective skills to prioritise workload.
- Cyber security qualifications (CISSP (Certified Information Systems Security Professional), CRISC, CISA or similar).
- Managing operational, regulatory and legal risk in line with the firm's risk management framework, including identifying, mitigating and escalating risks effectively and using the firm's Risk Register.
- Experience managing and leading a team.
- Keen desire to keep up to date with online technologies and trends.
- In-depth experience using supplier assurance toolsets for risk and compliance.
- Knowledge of the NIST Framework and CIS Top 20 controls.
- Knowledge of cloud frameworks such as CSA (Cloud Security Alliance) and CSA STAR.
- Knowledge of the NIST Risk Management Framework (RMF).
- Knowledge of the Systems Development Life Cycle.
- Knowledge of third-party lifecycle management.
- Knowledge of the CMMI maturity model.
- Security qualifications such as CISMP (Certificate in Information Security Management Principles), CCSP, CISSP or CRISC.