Join us as we pursue our disruptive new vision to make machine data accessible, usable and valuable to everyone. We are a company filled with people who are passionate about our product and seek to deliver the best experience for our customers. At Splunk, we’re committed to our work, customers, having fun and most importantly to each other’s success. Learn more about Splunk careers and how you can become a part of our journey!
Splunk is the leader in big data, machine learning analytics with a significant presence in the cyber security market. We are seeking a Risk Analyst - Third Party Trust to join Splunk’s Global Security (SGS) team. In this role you will be a core member representing SGS with Mergers and Acquisitions (M&A) project(s). You will assess the associated cyber risk, enabling the management of cyber risks consistent with Splunk’s risk appetite. You will support SGS partners, enabling strategic implementation of appropriate security controls during the M&A integration and post-integration to maintain Splunk’s security posture. You will lead risk assessments associated with third-party solutions and services, and communicate the assessment results to our internal business partners, empowering informed decision making in order to handle the risk in alignment with their business objectives and risk appetite.
Secure M&A Transition Targets:
- Assess the target company’s cybersecurity posture during the due diligence phase of an M&A
- You will put together information needed by SGS service owners to strategize the operation of security controls and handle risk during integration phase, while setting up targets for security posture post-integration
- Ensure security control ownerships are accepted by SGS service owners. Oversee integration activities to ensure they are handled consistently with defined requirements
- Identify security compliance, regulatory and/or customer requirements and any obligations Splunk may inherit from the M&A. Prepare SGS service owners to execute security controls delivering these requirements
- Identify and assess cyber risk associated with the execution of the integration activities. Provide information needed by risk owners to handle the risk
- Ensure a plan is defined and approved by SGS service owners for how end-state SGS cyber security services will be owned and executed within a prescribed time frame from completion of integration
- Develop a playbook and standardize the process to optimally handle the level of security risk for various types of M&A
- Build tools and templates to improve the quality and completeness of the due diligence information to support the success of the cyber security activities in M&A
- Perform vendor security risk assessment and technical assessment as applicable of target company's third-party service providers and technology vendors. Present to owners enabling them to understand the risk under their ownership and develop treatment plans.
- Monitor the execution of risk treatment and evaluate residual risk
Vendor Risk Assessment Responsibilities:
- Lead detailed vendor risk assessments, partnering closely with key partners, to identify and evaluate risks before establishing or continuing operations with third-party vendors.
- Accurately resolve risk ratings with qualifications based on the potential impact
- Securing the risk assessment process; strategize and incorporate technical evaluations of the vendor and vendor solution(s)
- Develop and maintain high-quality risk assessment documentation covering findings, risk statements, risk ratings, justifications and recommendations in the Splunk GRC tool and risk register
- Present risks to partners, including vendors, internal risk owners, senior leadership, and executive staff (CISO and security oversight committees)
- Collaborate with risk owners and vendors in the development of treatment plans for the effective management of risk. Work on the execution of treatment(s) and evaluate residual risk.
- Provide security expertise to Procurement and Legal in the contract-negotiation process. Ensure vendor agreements incorporate appropriate security obligations maintaining Splunk's high-security posture
- Use a risk-based approach to monitor third-party vendors’ security practices and compliance
- Drive process improvements to continuously mature Third-Party Risk Management Program and service. Champion the program mission and value proposition throughout the organization
- In-depth knowledge of Merger and Acquisition processes
- Demonstrated knowledge of information security risks and countermeasures
- PCI, HIPAA, SOC2, ISO 27002, FedRAMP and other information security and control frameworks.
- Experience with security concepts (including the ability to assess the security aspects) of the following: network devices, firewalls, intrusion detection/prevention systems, identity services, web applications, encryption, forensic analysis, penetration/vulnerability tools, Linux/Windows/macOS, virtualization, desktop/laptop and mobile devices
- Demonstrate an understanding of business processes, internal control risk management, IT controls, and how they interact together
- Demonstrate effective verbal and written communication skills for the purpose of explaining technical information to internal partners, vendors, senior management and staff and ability to apply knowledge and deductive reasoning
- Certifications: CISA, CISM, CISSP, CRISC
- Proficient with Google Suite Applications
- 5+ years of direct work experience in M&A cybersecurity assessment, third-party risk management and/or cyber risk management
- Bachelor's degree in Computer Science, Information Security (or similar technical field of study) or equivalent practical experience
- You are eligible to work in the United States without company sponsorship
We value diversity at our company. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or any other applicable legally protected characteristics in the location in which the candidate is applying.
For job positions in San Francisco, CA, and other locations where required, we will consider for employment qualified applicants with arrest and conviction records.