Vendor Risk Assessment Risk Specialist
Rosslyn, VA

Job Description

Are you energized by helping organizations protect their data and build client trust? Do you want to work in one of the world's largest holistic internal cybersecurity organizations? If you're interested in proactively preventing, detecting, and responding to cyber attacks across a complex global footprint, then Deloitte Global could be the perfect place for you. We're looking for an analytical thinker passionate about cybersecurity to join our team.

Work you'll do:

The Vendor Risk Assessment service team is seeking a VRA Technical Specialist with experience in risk assessments and vendor risk management platforms. The VRA Technical Specialist is a new role and entails driving a large-scale vendor risk management program that is being rolled out globally.

The VRA Risk Specialist is responsible for all aspects of Vendor Risk Management policy and process as it pertains to the Deloitte Vendor Risk Assessment service. Continuous improvement of alignment between Global security requirements, Vendor Risk compliance management, and industry standards will be a primary focus of the role. This will involve working with Global teams and member firm teams in procurement, technology, security, business and leadership, to identify and manage Deloitte and client needs and requirements as they pertain to vendor risk. Based on these needs and requirements, review and revise vendor risk practices and processes to meet business and security objectives.

The VRA Risk Specialist will also have responsibility for reducing vendor risk, and for related reporting metrics, e.g. Key Risk Indicators (KRIs). The role includes understanding and conducting 3rd party risk assessments, management of the VRA framework, enhancement of the framework, and serving as the subject matter expert in assisting adoption and execution of vendor risk processes within the member firms. The VRA Risk Specialist will have experience with risk mitigation strategies including working with colleagues in procurement and legal groups to address risk in vendor agreements.

Role Specific Responsibilities

As part of the Global Cyber Risk team, the professional in this role must:

* Participate in and lead assessment of vendor risk, develop mitigation plans and partner with internal stakeholders to manage responsibility


* Ensure strong oversight of all vendors' risks and provide member firms and business partners visibility of existing and emerging risks


* Prepare and complete risk assessments and assist with policy, regulatory and accreditation audit preparation


* Help lead and support the design and implementation and deployment of a common and consistent vendor risk management (VRM) program to effectively manage vendor risk in accordance with internal policy and Federal/ State Regulatory requirements


* Conduct reporting and analysis on the data collected by the VRA platform


* Collect requirements from the member firms to determine and plan effective use of the VRA service


* Vendor risk questionnaire refinement and scoring, as well as overall VRA risk reporting, for effective program performance and optimization


* Help develop, maintain, and document workflow processes to ensure data & system controls are appropriate, meet internal baselines and optimize current processes to meet emerging risks


* Provide guidance to the business, procurement and other stakeholders to ensure requirements of VRM are fully understood and embedded in the solution


* Monitor and report on risk findings, remediate resolution including development and execution of corrective action plans


* Contribute to development of terms and security specific contract language and security clauses related to risk mitigation


* Perform data analytics & reporting activities. Provide & maintain vendor risk reporting mechanisms, and track and report outcomes from vendor management activities


* Analyze, update, and modify procedures and processes to identify and continuously implement vendor risk management process improvements


* Stay informed about the latest developments in the vendor risk management field


* Improve awareness of operational risks faced by Business from vendor failure/poor performance and work with Strategic Sourcing/Legal/Business to mitigate any losses through vendor compensation achieved through establishment of robust contracts


* Perform any other job-related instructions, as requested, with reasonable accommodation



This Deloitte Global role requires limited to no travel.

What you'll be part of-our Deloitte Global culture:

At Deloitte, we expect results. Incredible-tangible-results. And Deloitte Global professionals play a unique role in delivering those results. We reach across disciplines and borders to serve our global organization. We are the engine of Deloitte. We develop and lead global strategies and provide programs and services that unite our network.

In Deloitte Global, everyone has an opportunity to lead. We see the importance of your perspective and your ability to create value. We want you to fit in-with an inclusive culture, focus on work-life fit and well-being, and a supportive, connected environment; but we also want you to stand out-with opportunities to have a strategic impact, innovate, and take the risks necessary to make your mark.

Deloitte Global supports our talented professionals in answering the question: What impact will you make?

Who you'll work with:

The Deloitte Global Cybersecurity function is responsible for enhancing data protection, standardizing and securing critical infrastructure, and gaining cyber visibility through security operations centers. The Cybersecurity organization delivers a comprehensive set of security services to Deloitte's global network of firms around the globe.

How you'll grow:

Deloitte Global inspires leaders at every level. We believe in investing in you, helping you embrace leadership opportunities at every step of your career, and helping you identify and hone your unique strengths. We encourage you to grow by providing formal and informal development programs, coaching and mentoring, and on-the-job challenges. We want you to ask questions, take chances, and explore the possible.

Benefits you'll receive:

Deloitte's Total Rewards program reflects our continued commitment to lead from the front in everything we do - that's why we take pride in offering a comprehensive variety of programs and resources to support your health and well-being needs. We provide the benefits, competitive compensation, and recognition to help sustain your efforts in making an impact that matters.

#GLBShSecSvc

To be considered for this role, there are certain qualifications you'll have to have. And others that would be really, really nice.

Required:

Technical Skills

* Strong computer skills including Microsoft Office suite, SharePoint and other business-related software systems


* Working familiarity with risk assessments and threat models


* Skills to assess and monitor vendor risk and follow vendor risk management policy


* Working familiarity with ISO27000 standards and ISO27002 controls standards in particular


* Experience with Archer, ServiceNow or another industry standard enterprise Vendor Risk Assessment solution


* Familiarity with application, server, and network security is preferred; understanding of security architectures, network security, Active Directory, RBAC and least privilege


* Strong knowledge of and experience with information security across all domains


* Experience with ServiceNow or another industry standard service management solution


* Customer focus and direct client support experience. Relationship management, negotiation and influencing skills.



Education and experience:

* Bachelor's degree: preferably in an information technology-related field of study, or equivalent years of experience required


* Five (5) years of Information Security or IT audit experience is required


* Experience working in a large, complex and global environment


* Experience working in Cyber Risk, Business Risk Management, Operational Risk, Internal Audit, and/or Controls related function preferred


* Working familiarity with Vendor Risk Assessments and production of Risk Analysis Reports


* Experience in management of vulnerability and/or risk remediation


* Specific knowledge of and experience with applicable concepts and methodologies such as continuous quality improvement and auditing experience


* Advanced communication skills (both verbal and written)


* Communication of technology issues to both technical and leadership personnel and negotiate to a mutually beneficial conclusion


* Interactions with vendors and/or other 3rd parties



Preferred:

* Professional IT or Security management certification desire


* One or more of CISA or CRMA preferred; CISSP, CCSP, CISM, GIAC certifications beneficial

Skills/Abilities:

* Excellent written and verbal communication. Analytical/problem solving ability. Attention to detail. Considerations for user experience and productivity.


* Creative and independent thinker with the ability to translate business and technical requirements and challenges to leadership. Knowledge of configuration management practices and procedures


* Strong knowledge and working understanding of information security legal and regulatory requirements, such as Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry/Data Security Standard


* Working familiarity with common information security management frameworks, such as ISO/IEC 27001, COBIT, and NIST, including 800-53 and the Cybersecurity Framework


* Working familiarity with the NIST 800-30 standard for Risk Assessment


* Excellent ability to work effectively with peers, IT management and staff, and internal/external business partners/clients


* A demonstrable passion for the field of information security


* Ability to multi-task, prioritize, work independently and manage various projects and processes to completion



All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, or protected veteran status, or any other legally protected basis, in accordance with applicable law.

Disclaimer: Nothing in this job description/posting shall constitute an offer or promise of employment. If you are not reviewing this job posting on our Careers' site (jobs2.deloitte.com) or one of our approved job boards we cannot guarantee the validity of this posting. For a list of our current postings, please visit us at jobs2.deloitte.com

Requisition code: DE19GLBGTS005VE2187

*
*
*
*
*
*