Sr. Analyst, Information Security (Third-Party Risk Management)

Your Impact

The Third-Party Risk Senior Analyst is responsible for leading the assessment, monitoring, and mitigation of risks associated with the organization's third-party relationships. This role will work cross-functionally with cybersecurity, legal, procurement, compliance, and business stakeholders to ensure vendors meet the company's security, privacy, regulatory, and operational resilience standards. The ideal candidate will leverage industry best practices, risk quantification methodologies (e.g., FAIR), AI-driven assessment tools, and threat intelligence to strengthen third-party oversight across the enterprise.

What You Will Do;

• Conduct Risk Assessments
  • Evaluate third parties (vendors, partners, suppliers) for information security and operational risks.
• Review Security Documentation

• Analyze SOC reports, ISO certifications, SIG questionnaires, and other compliance materials.

• Conduct third-party risk assessments (online as well as possibly onsite) to identify and evaluate potential risks (including cyber security, regulatory compliance, and operational risks).
• Undertake due diligence on prospective vendors, including assessing their security controls, policies, and procedures, and consolidate information towards evaluating their overall cyber risk posture.
• Execute processes to continuously monitor and assess the ongoing security posture and performance of third-party vendors.
• Work with vendors to address identified risks, establish risk mitigation plans, and monitor the implementation of remediation actions till closure. Ensure accurate and up-to-date records of assessments and associated risk mitigation activities.
• Foster effective relationships with vendors, serving as a point of contact for cyber risk-related matters and facilitating ongoing communication and collaboration.
• Monitor vendor compliance with information security obligations, applicable regulations, and standards.
• Prepare reports, presentations, and other materials to communicate TPRM strategies and risks to stakeholders and provide regular reporting on vendor risk and compliance status to stakeholders and top management.
• Aid in the development of TPRM metrics and dashboard to provide visibility into the vendor's risk posture and recommend improvements.
• Develop and review TPRM strategies, policies, and standards.
• Collaborate with stakeholders to ensure a coordinated and effective approach to TPRM.

• 4 Years of Experience in information security or equivalent military experience.

• Bachelor's Degree in Computer Science, CIS, Engineering, Business Administration, Cybersecurity, or related field (or equivalent work experience in a related field)
• IT experience in the retail industry
• Experience with Open-Source Intelligence (OSINT) tools and investigations
• Experience with information security programs, audits, controls, assessments, risk assessments, or remediation management
• Experience conducting information security risk assessments of vendors and vendor software
• Hands-on experience on GRC Applications & TPRM tools like Archer, LogicGate, SAP GRC, OneTrust, ProcessUnity, ServiceNow, BitSight, Prevalent, Black Kite, etc.
• Retail business experience, Experience with open-source Tools.
• Experience with Vulnerability Management in Public/Hybrid cloud environments.
• Understanding of Secure Software Lifecycle Development.
• Relevant information security certifications (CISSP, CISM, CISA, CRISC, CTPRP, CTPRA, Security+, etc.)

• Associates are required to relocate to the Charlotte region to foster collaboration and facilitate improved testing and support.
• Lowe's supports a Flex Office concept where in-person work is required two days per week at the Charlotte Tech Hub
• Most business meetings are planned around the Eastern time zone.