Risk Analyst, Third Party Trust (Remote US Available)

Security and Risk Management San Jose, California San Francisco, California


Join us as we pursue our disruptive new vision to make machine data accessible, usable and valuable to everyone. We are a company filled with people who are passionate about our product and seek to deliver the best experience for our customers. At Splunk, we’re committed to our work, customers, having fun and most importantly to each other’s success. Learn more about Splunk careers and how you can become a part of our journey.

The Role

Splunk is the leader in big data, machine learning analytics with a significant presence in the cyber security market. We are seeking a Risk Analyst - Third Party Trust to join our Splunk Global Security (SGS) team. In this role you will be a core member representing SGS in M&A project(s). You will assess the cyber risk associated with the merger or acquisition of a company into Splunk, enabling Splunk to manage the cyber risks consistent with Splunk’s risk appetite. You will support SGS stakeholders, enabling them to strategize and implement appropriate security controls during M&A integration and post-integration to maintain Splunk’s security posture. You will also lead risk assessments associated with third-party solutions and services, and communicate the risk assessment results to our internal business stakeholders, empowering them to make informed decisions in order to manage the risk in alignment with their business objectives and risk appetite.

Responsibilities:

Secure Transition on M&A targets

  • Assess the target company’s cybersecurity posture during the due diligence phase of an M&A
  • Gather information needed by SGS service owners to strategize the operation of security controls and manage risk during the integration phase of an M&A, and to set the target for security posture post-integration
  • Ensure security control ownerships are accepted by SGS service owners. Oversee integration activities to ensure they are managed consistent with defined requirements
  • Identify security compliance, regulatory and/or customer requirements & obligations that Splunk will inherit from the target company. Prepare SGS service owners to execute their security controls delivering these requirements
  • Identify and assess cyber risk associated with the execution of the integration activities. Provide information needed by risk owners to manage the risk
  • Ensure a plan is defined and signed off by SGS service owners for how end-state SGS cyber security services will be owned and executed within a prescribed time frame from completion of integration
  • Develop a playbook and standardize the process that effectively manages the level of security risk for different types of M&A
  • Create tools and templates to maximize the quality and completeness of the due diligence information to support the success of the cyber security activities in M&A
  • Perform vendor security risk assessment and technical assessment as applicable of target company's third-party service providers and technology vendors. Present risks to risk owners enabling them to understand the risk under their ownership and develop risk treatment plans. Monitor the execution of risk treatment and evaluate residual risk

Vendor Risk Assessment Responsibilities

  • Lead detailed vendor risk assessments, partnering closely with key partners, to identify and evaluate risks before establishing or continuing operations with third-party vendors. Accurately determine the risk rating with qualifications based on the potential impact and likelihood.
  • Strategize and incorporate a technical evaluation of the vendor and vendor solution(s), when applicable, in the risk assessment process
  • Develop and maintain high-quality risk assessment documentation covering findings, risk statements, risk ratings, justifications and recommendations in the Splunk GRC tool and risk register
  • Present risks to stakeholders, including vendors, internal risk owners, senior leadership, and executive staff (CISO and security oversight committees)
  • Collaborate with risk owners and vendors in the development of treatment plans for the effective management of risk. Monitor the execution of risk treatment(s) and evaluate the residual risk.
  • Provide security expertise to Procurement and Legal in the contract-negotiation process. Ensure that vendor agreements incorporate appropriate security obligations that maintain Splunk's high-security posture
  • Use a risk-based approach to monitor third-party vendors’ security practices and compliance with contractual obligations
  • Drive process improvements to continuously mature the Third-Party Risk Management Program and service. Champion the program mission and value proposition throughout the organization

 

Requirements:

  • 5+ years of direct work experience in M&A cybersecurity assessment, third-party risk management and/or cyber risk management
  • In-depth knowledge of mergers and acquisitions lifecycle and processes
  • Demonstrate solid knowledge of information security risks and countermeasures and PCI, HIPAA, SOC 2, ISO 27002, FedRAMP and other information security and control frameworks.
  • Strong technical knowledge of Cloud infrastructure, applications and coding practices preferred
  • Work experience with security concepts including the ability to assess the security aspects of the following: network devices, firewalls, intrusion detection/prevention systems, identity services, web applications, encryption, forensic analysis, penetration/vulnerability tools, Linux/Windows/macOS, virtualization, desktop/laptop and mobile devices
  • Demonstrate an understanding of business processes, internal control risk management, IT controls, and how they interact together

We value diversity at our company. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or any other applicable legally protected characteristics in the location in which the candidate is applying.

For job positions in San Francisco, CA, and other locations where required, we will consider for employment qualified applicants with arrest and conviction records.

Thank you for your interest in Splunk!