Join us as we pursue our disruptive new vision to make machine data accessible, usable and valuable to everyone. We are a company filled with people who care deeply about our products and seek to deliver the best experience for our customers. At Splunk, we’re committed to our work, customers, having fun and most meaningfully to each other’s success. Learn more about Splunk careers and how you can become a part of our journey!
Our customers expect and demand the best of us, and we continue to invest in our security accordingly. To accomplish our mission, we are looking to add a Vendor Trust Analyst in our quest to build a premier vendor risk management program. If you are ready to play a key role in driving the implementation and delivery of this crucial evolution to Splunk, then we should talk.
- Implement security methodologies and standards to develop an overall TPRM program that focuses on the highest risk vendors to the company, e.g., those that store, process, or transmit confidential information and/or that connect to the company network
- Continuously monitor the security risk profiles of our vendors to objectively determine high risk vendors that require additional review
- Lead the remediation lifecycle for any identified issues within the vendor, e.g., make – and follow up on – remediation recommendations
- Evaluate new and existing vendors for appropriateness of new security requirements and compliance against existing contractual requirements, respectively
- Act as an authority during vendor contract negotiations and recommend alternative contract security requirements with support from other teams, e.g., Legal and Product teams
- Develop and maintain risk identification functions including, but not limited to, formal risk assessments, vendor risk assessments, findings from compliance assessments, and policy exceptions
- Administer the vendor risk assessment tool used to evaluate vendors throughout the relationship lifecycle
- Ensure a vendor questionnaire is completed for each high-risk vendor
- Review responses and evidence provided to determine if additional follow-up, such as an onsite security review, is required
- Perform rapid, customer-service-focused resolution of contract negotiations, including evaluation of new requirements and risk-based contractual obligations; review redlines and suggest alternative language that satisfies both vendor and customer; assist with contract calls as an authority
- Monitor ongoing vendor compliance with contractual security requirements
- Escalate non-compliance appropriately, including termination of the vendor relationship
- Act as an SME on security policies and controls, and maintain in-depth knowledge of the security controls specific to our products and service offerings
- Understand audit processes and controls for common information security controls, security frameworks and standards
- Work collaboratively with other groups across the organization to assess risk, e.g., IT and the business units during M&A transactions
- Support projects that improve the assessment process and advance our overall third-party risk strategy
- Communicate with management regarding project obstacles and take ownership of their resolution to maintain progress toward deliverables and timelines
- Partner with divisions such as various business units, Sales, IT, and Information Security to ensure that information provided to vendors and customers is accurate and that gaps are addressed as appropriate
- Other duties as needed
- You must have 10+ years of applicable work experience, including 4-5 years working in information security and 3-4 years working in an IT audit function
- You must have a strong understanding of vendor risk management
- Bachelor’s degree required (Master’s degree preferred)
- Functional knowledge of common information security controls, security frameworks and standards (e.g., ISO 27001, ISO 27018, SOC 1 / SSAE 16 & 18, SOC 2, NIST CSF, PCI-DSS, COBIT, CSA CCM, SIG) and ability to glean significance from findings identified in these reports and various work you're doing
- Superb attention to detail, project management and organizational skills
- Strong interpersonal, written, and oral communication skills
- Ability to effectively communicate to all levels of the organization, including senior management, business partners and third parties
- Ensure that risks are promptly and clearly articulated, and escalated appropriately
- You must be team oriented, self-motivated, and able to work without supervision
- You have the ability to multitask, balance, and prioritize work in a fast-paced environment
- Travel requirement: up to 25%
- At least one of the following IT security certifications is required: CISSP, CRISC, CISM, CISA, CCSK, GIAC, CCNA Security, CSX, or CTPRP
- Eligible to work in the United States without company sponsorship
We value diversity at our company. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or any other applicable legally protected characteristics in the location in which the candidate is applying.
For job positions in San Francisco, CA, and other locations where required, we will consider for employment qualified applicants with arrest and conviction records.