Advisory & Assurance Manager
• A fantastic opportunity has arisen for a Senior Security Advisor within our growing Digital Security & Resilience team.
• In this role, you'll take the lead on maturing our existing third-party security capability, performing information security risk assessments of critical third parties at the point of engagement and throughout the supplier relationship. This includes those parties that hold our and our clients' data, those who provide offsite storage facilities and those deemed critical by business owners.
• You'll work with third parties to identify and remediate risks as required, and provide clear and high quality risk reports, with guidance and recommendations, to enable senior business owners to make the most appropriate risk-based decisions relating to the use of third parties.
• You'll support contractual reviews for new and existing suppliers, and leverage industry best practices (such as ISO27001, ISF SOGP or NIST CSF) and the regulatory landscape (such as GDPR or FCA) to ensure a rounded assessment of the security risk posed is articulated.
The Senior Security Advisor role includes, but is not limited to, the following responsibilities:
• Direct and drive the Third Party Security programme to ensure new or existing business relationships support and adhere to our information security standards and principles throughout the lifecycle of the relationship
• Partner with stakeholders across our business to ensure the Third Party Security programme is pragmatic in line with our corporate values, compliance programs, laws and regulations, and enables the business to achieve its objectives
• Build strong relationships with stakeholders across the business and 2nd Line of Defence including Vendor Management, IT GRC, IS&DP, Risk, Audit, Compliance and Legal
• Operate as a key subject matter expert on all new supplier on-boarding activities including due diligence testing and security schedule contract negotiation
• Provide escalation path for third parties and business stakeholders in relation to security issues, risks, regulatory violations, incidents and enquiries
• Ensure timely and accurate stakeholder notification and escalation of actual or potential regulatory violations involving third parties
• Support the Vendor Management framework to ensure third parties are assessed, on-boarded, monitored and off-boarded with appropriate due diligence or security maturity identification
• Conduct security reviews of business partners and third parties using processes and standards through virtual or onsite assessments
• Report control deficiencies to the business owner and subsequently support remediation activities as required
• Provide security advice and direction to projects and business initiatives that involve third parties
• Influence and drive continuous improvement in the Third Party Security domain
• Work with business stakeholders, partners, third parties and independent security assessors to educate them about our Third Party Security requirements and assist in the interpretation and implementation of the requirements
• Monitor metrics for third party performance and validate that data for business line and risk management reporting
• Collaborate with our IT GRC team in developing, improving and implementing information security standards and requirements to guide partners and third parties in adhering to security requirements
• Educated to university degree level is desirable; A-levels or their equivalent is a minimum expectation
• CISSP or CISM of good standing
• 3+ years' experience in Information Security and Information Risk Management
• Financial services experience is beneficial but not an absolute requirement
• Ability to adapt to change quickly, work comfortably with ambiguity, and manage multiple tasks successfully
• Ability to develop partnership-oriented relationships with technical and non-technical stakeholders across all levels of an organisation, especially as it relates to third party risk management
• Ability to evaluate risk implications inherent in new or changing third party relationships
• Ability to persuade and influence others on next steps
• Ability to quickly come up to speed in any area, sufficient to speak with an informed opinion and create a credible impression with stakeholders
• Excellent strategic thinking and analysis skills to drive predictive modelling and solutions that decrease the likelihood of a risk event.
• Must have strong verbal and written communication skills; interpersonal and collaborative skills; and the ability to communicate security and risk-related concepts to technical and non-technical audiences and to stakeholders across all levels of an organisation