Senior Vendor Risk Analyst (Remote US Available)

Security and Risk Management San Jose, California McLean, Virginia

Join us as we pursue our disruptive new vision to make machine data accessible, usable, and valuable to everyone. We are a company filled with people who are passionate about our product and seek to deliver the best experience for our customers. At Splunk, we’re committed to our work, customers, having fun, and most importantly to each other’s success. Learn more about Splunk careers and how you can become a part of our journey!


In today’s business climate, organizations need to engage third parties to remain competitive and optimize internal operations. All of these relationships introduce various levels of risk to an organization, which requires close management and monitoring. Splunk is looking to add a Senior Vendor Risk Analyst to grow and mature our Third-Party Risk Management Program on the Splunk Global Security (SGS) team. As a Senior Analyst, you will work with the Sr. Manager of Third-Party Trust. In this role, you will lead risk assessments associated with third-party solutions and services. You will identify and assess third-party risks working directly with the vendors. You will communicate assessment results to our internal partners - empowering them to make informed decisions in order to manage the risk in alignment with their business objectives and risk appetite. Your role will be pivotal to the continuous improvements in Splunk's overall cybersecurity risk posture.


  • Lead detailed vendor risk assessments, partnering closely with key partners, to identify and evaluate risks before establishing or continuing operations with third-party vendors
  • Strategize and incorporate a technical evaluation of the vendor and vendor solution(s), when applicable, in the risk assessment process
  • Accurately determine the risk rating with qualifications based on the potential impact and likelihood
  • Develop and maintain high-quality risk assessment documentation covering findings, risk statements, risk ratings, justifications and recommendations in the Splunk GRC tool and risk register
  • Present risks to stakeholders, including vendors, internal risk owners, senior leadership, and executive staff (CISO and security oversight committees)
  • Collaborate with risk owners and vendors in the development of treatment plans for the effective management of risk. Monitor the execution of risk treatment(s) and evaluate the residual risk.
  • Provide security expertise to Procurement and Legal in the contract-negotiation process. Ensure that vendor agreements incorporate appropriate security obligations that maintain Splunk's high-security posture
  • Use a risk-based approach to monitor third-party vendors’ security practices and compliance with contractual obligations
  • Conduct risk assessments of the cyber risks associated with mergers and acquisitions (M&A)
  • Operate Splunk vendor risk management controls in compliance with certification requirements (e.g., SOC 2, ISO 27001, PCI, FedRAMP, etc.). Lead the preparation in support of security, compliance, and/or regulatory audits
  • Drive process improvements to continuously mature the Third-Party Risk Management Program and service. Champion the program mission and value proposition throughout the organization


  • 8+ years of direct work experience in Third-Party Risk Management and Cyber Risk Management with a Bachelor’s degree, or 6+ years with a Master's degree, or equivalent practical work experience
  • 3+ years working with a GRC system, incorporating continuous system and service improvement, and automation
  • In-depth knowledge of cybersecurity principles, concepts, technologies, security compliance, and risk management frameworks (e.g., ISO 27001, ISO 27018, SOC 1 / SSAE 18, SOC 2, NIST CSF, HIPAA, PCI-DSS, COBIT, CSA CCM)
  • Experience with cyber risk assessment in Mergers and Acquisitions preferred
  • Excellent verbal and written communication skills. Demonstrable ability to connect with all levels in the organization
  • Good interpersonal, leadership, critical thinking and analytical skills
  • Ability to multitask, balance, and prioritize work in a dynamic environment - ensuring SLAs are met
  • Team oriented, proactive, and able to work independently
  • One or more of the following certifications are preferred: CISSP, CRISC, CISM, CISA, CCSK, GIAC, CCNA Security, CSX, and CTPRP
  • You are eligible to work in the United States without company sponsorship

We value diversity at our company. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or any other applicable legally protected characteristics in the location in which the candidate is applying.

For job positions in San Francisco, CA, and other locations where required, we will consider for employment qualified applicants with arrest and conviction records.

Thank you for your interest in Splunk!