Third-PartySecurityAssessment Specialist

We're seeking someone to join our team as a Third-Party Security Assessment Specialist in Cyber to deliver security reviews of Third-Party service provides as part of the Security Design assurance process.

The Security Design (SecDesign) team is part of the Cyber Data Risk & Resilience (CDRR) organization. The mission of the SecDesign team is to provide security assessments of technology systems and processes to identify business risks and recommend remedial action based on established security standards or security best practices. The SecDesign Third-Party Security Assurance is an internal function that is working on multiple third-party security initiatives, handling risk assessments, control gap analysis of third-party services in order to remove risks from our environment.

It is an opportunity to get involved in multiple business units and technologies inherent to the mission of SecDesign. The ideal candidate works with the stakeholders and control groups (Technology, Business, risk management, Suppliers and other Stakeholders) globally to perform SecDesign Third-Party security risk posture analysis against firm security policies. The candidate will also be working with a global team of experts on modernizing the Firm's Third-Party security risk assessment processes.

• Conduct risk assessments of third parties and provide technology requirements to address risks identified. Example areas covered:
  • Authentication, Authorization, Logging, Monitoring
  • Network security
  • Data protection, Cryptography, Secure Data Transport and Storage
  • SaaS, Cloud Security
• Identify technical control gaps and review security requirements set to remediate identified risks
• Ensure that the quality of security assessments is consistent and meets expectations
• Provide architectural and implementation guidance to ensure developers/technology owners follow security best practices.
• Communicate to the IT System Owners technical details on technical control gaps and provide attack scenarios relevant to the risks identified.
• Communicate to the IT System Owner detailed remediation guidance.
• Articulate risks introduced by technical control gaps to the service's Business Owner.
• Participate in the ongoing improvement of SecDesign Third Party security risk procedures and processes.

• Build and maintain strong positive relationships with the existing cyber and information security risk community in the respective business and control groups.

• Actively seeking to understand how technology risks arise in different business contexts.

• Basic knowledge and experience in at least one of the classic security topics such as:
  • Windows/Unix Operating System security
  • Risk management
  • Data protection, data leakage prevention and secure data transfer and storage
  • Network security - WAN/LAN/DataCenter
  • Application and Web Security - validation checking, software attack methodologies, OWASP
  • Cryptography, encryption and hashing
• Previous experience in Financial Services is preferred.

• Experience working with global organizations is preferred.

• Proactive approach to identifying issues and proposing solutions

• Strong communication skills written, oral, presentation.

• Ability to influence through factual reasoning.
• Time management: ability to handle multiple concurrent requests, plan based deliverable management, strong follow up and tracking.

• Strong focus on delivery when presented with short timelines and increased involvement from senior management.
• Ability to adjust communication of technology risks vs business risks based on the audience.
• Understanding of geographic regulations and their impact on Security assessments
• Bachelor's Degree in relevant domain (technology, Cybersecurity)