Senior Vendor Risk Analyst (Remote US Available)
Join us as we pursue our disruptive new vision to make machine data accessible, usable, and valuable to everyone. We are a company filled with people who are passionate about our product and seek to deliver the best experience for our customers. At Splunk, we’re committed to our work, customers, having fun, and most importantly to each other’s success. Learn more about Splunk careers and how you can become a part of our journey!
In today’s business climate, organizations need to engage third parties to remain competitive and optimize internal operations. All of these relationships introduce various levels of risk to an organization, which requires close management and monitoring. Splunk is looking to add a Senior Vendor Risk Analyst to grow and mature our Third-Party Risk Management Program on the Splunk Global Security (SGS) team. As a Senior Analyst, you will work with the Sr. Manager of Third-Party Trust. In this role, you will lead risk assessments associated with third-party solutions and services. You will identify and assess third-party risks working directly with the vendors. You will communicate assessment results to our internal partners - empowering them to make informed decisions in order to manage the risk in alignment with their business objectives and risk appetite. Your role will be pivotal to the continuous improvements in Splunk's overall cybersecurity risk posture.
- Lead detailed vendor risk assessments, working closely with key partners, to identify and evaluate risks before establishing or continuing operations with third-party vendors
- Strategize and incorporate a technical evaluation of the vendor and vendor solution(s), when applicable, in the risk assessment process
- Accurately determine the risk rating with qualifications based on the potential impact and likelihood
- Develop and maintain high-quality risk assessment documentation covering findings, risk statements, risk ratings, justifications and recommendations in the Splunk GRC tool and risk register
- Present risks to stakeholders, including vendors, internal risk owners, senior leadership, and executive staff (CISO and security oversight committees)
- Collaborate with risk owners and vendors in the development of treatment plans for the effective management of risk. Monitor the execution of risk treatment(s) and evaluate the residual risk.
- Provide security expertise to Procurement and Legal in the contract-negotiation process. Ensure that vendor agreements incorporate appropriate security obligations that maintain Splunk's high-security posture
- Use a risk-based approach to monitor third-party vendors’ security practices and compliance with contractual obligations
- Conduct risk assessments to evaluate cyber risks associated with M&A
- Operate Splunk vendor risk management controls in compliance with certification requirements (e.g., SOC 2, ISO 27001, PCI, FedRAMP). Lead the preparation in support of security, compliance, and/or regulatory audits
- Drive process improvements to continuously mature the Third-Party Risk Management Program and service. Champion the program mission and value proposition throughout the organization
- 8+ years of direct work experience in Third-Party Risk Management and Cyber Risk Management with a Bachelor’s degree, or 6+ years with a Master's degree, or equivalent practical work experience
- 3+ years working with a GRC system, incorporating continuous system and service improvement, and automation
- In-depth knowledge of cybersecurity principles, concepts, technologies, security compliance, and risk management frameworks (e.g., ISO 27001, ISO 27018, SOC 1 / SSAE 18, SOC 2, NIST CSF, HIPAA, PCI-DSS, COBIT, CSA CCM)
- Experience with cyber risk assessment in Mergers and Acquisitions preferred
- Excellent verbal and written communication skills. Demonstrable ability to connect with all levels in the organization
- Good interpersonal, leadership, critical thinking and analytical skills
- Ability to multitask, balance, and prioritize work in a dynamic environment - ensuring SLAs are met
- Team oriented, proactive, and able to work independently
- One or more of the following certifications is preferred: CISSP, CRISC, CISM, CISA, CCSK, GIAC, CCNA Security, CSX, and CTPRP.
- You are eligible to work in the United States without company sponsorship
We value diversity at our company. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or any other applicable legally protected characteristics in the location in which the candidate is applying.
For job positions in San Francisco, CA, and other locations where required, we will consider for employment qualified applicants with arrest and conviction records.
Thank you for your interest in Splunk!
Splunk's Hiring Practices
Splunk turns machine data into answers. Organizations use market-leading Splunk solutions with machine learning to solve their toughest IT, Internet of Things and security challenges.
Individuals seeking employment at Splunk are considered without regard to race, religion, color, national origin, ancestry, sex, gender, gender identity, gender expression, sexual orientation, marital status, age, physical or mental disability or medical condition (except where physical fitness is a valid occupational qualification), genetic information, veteran status, or any other consideration made unlawful by federal, state or local laws. Click here to review the US Department of Labor’s EEO is The Law notice. Please click here to review Splunk’s Affirmative Action Policy Statement.
Splunk does not discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. Please click here to review Splunk’s Pay Transparency Nondiscrimination Provision.
Splunk is also committed to providing access to all individuals who are seeking information from our website. Any individual using assistive technology (such as a screen reader, Braille reader, etc.) who experiences difficulty accessing information on any part of Splunk’s website should send comments to email@example.com. Please include the nature of the accessibility problem and your e-mail or contact address. If the accessibility problem involves a particular page, the message should include the URL of that page.
Splunk doesn't accept unsolicited agency resumes and won't pay fees to any third-party agency or firm that doesn't have a signed agreement with Splunk.