Outsourcing Security Assessment Analyst

Facebook's mission is to give people the power to build community and bring the world closer together. Through our family of apps and services, we're building a different kind of company that connects billions of people around the world, gives them ways to share what matters most to them, and helps bring people closer together. Whether we're creating new products or helping a small business expand its reach, people at Facebook are builders at heart. Our global teams are constantly iterating, solving problems, and working together to empower people around the world to build community and connect in meaningful ways. Together, we can help people build stronger communities; we're just getting started.

Facebook is seeking an experienced Outsourcing Vendor Security Assessment Analyst to join the Information Security team. This position will be responsible for conducting security risk assessments against outsourcing vendors, making reasonable and defensible recommendations, and tracking progress on remediation until closure. An ideal candidate is someone who has technical knowledge of the broad aspects of information security, particularly in the realm of Cloud Computing solutions (SaaS, PaaS and IaaS), and is able to identify security deficiencies not based on any frameworks or guidelines, but based on the actual risk posed to Facebook and its billions of users. This role also requires a broad mix of technical and business acumen coupled with polished communication and a strong desire to learn. Domestic and international travel of up to 30% will be required.


  • Independently perform risk-based security reviews of outsourcing and third-party vendors, including outsourcing vendors, SaaS, IaaS and PaaS providers, and supply-chain partners
  • Articulate security findings to internal and external stakeholders
  • Provide defensible recommendations on technical, physical and administrative control implementations based on assessment findings while balancing the cost versus benefits
  • Negotiate acceptance of remediation plans and timelines based on criticality of each finding
  • Participate in the development and oversight of corrective actions relating to security issues with vendors
  • Compile and report out security risk and operational metrics
  • Participate in cross-functional, team, and status review meetings
  • Recommend process improvement and strategic initiatives as related to security assessment

  • Experience in assessing security deficiencies and risks in third-party systems and recommending mitigating controls
  • In-depth knowledge of security assessment lifecycle
  • Knowledge of evaluating systems architectural designs, data-flow diagrams and technical security implementations, particularly for systems hosted on the cloud platforms, for security deficiencies
  • Knowledge of security technologies, devices and countermeasures as well as the threats they are designed to counter
  • Good understanding of the various hacking techniques, the kill chain, and the defensive countermeasures
  • 3+ years of proven experience working on Information Security teams or conducting Information Security consulting engagements
  • Good understanding of IP networking, fundamental software development, cloud platforms (IaaS, PaaS, SaaS) and the current IT trends in the industry
  • Experience with developing security reporting and recommendations that are meaningful, defensible and actionable for a variety of audiences
  • Knowledge and understanding of security controls across all security domains such as access management, encryption, vulnerability management, authentication and authorization, network security (IPS/IDS/DLP/Gen-2 firewalls/2FA, etc.), physical security, etc.
  • Strong communication skills - both written and verbal, interpersonal skills, and ability to work cross-functionally with various teams
  • Knowledge of Risk management frameworks and techniques
  • Knowledge of Threat modeling techniques
  • Software development experience
  • CISSP, CEH certifications
  • Good grasp of NIST, PCI, ISO, and SOC security guidance and documents
  • Bachelor's degree and/or advanced degree with a concentration in one of the following: Computer Science, Management Information Systems, or Cyber Security
  • 2+ years performing information security risk assessments and management activities
  • Program and project management skills
  • Ability to manage competing priorities and simultaneous projects in a fast-paced environment with little supervision
  • Good understanding of the threat landscape as related to vendors
  • Strong analytical and problem-solving skills, including a basic understanding of data analysis techniques