Information Security/Vendor Risk Manager

23 hours ago


Mumbai, Maharashtra, India · Workassist · Full time · ₹ 12,00,000 - ₹ 36,00,000 per year

Description :

Position : Information Security & Vendor Risk Manager

Work Level : Middle Management

Industry Type : IT Services & Consulting

Location : India

Job Summary :

The Information Security & Vendor Risk Manager will operate at a middle management level, serving as a key driver of the organization's Third-Party Risk Management (TPRM) program.

This self-motivated and results-driven role requires deep technical expertise in cybersecurity frameworks, cloud security, and compliance standards (e.g., PCI-DSS, ISO

The manager will be responsible for developing the TPRM framework, conducting end-to-end technical security assessments of third parties, and leading risk mitigation advisory and reporting to senior management to ensure compliance and security assurance across all vendor engagements.

Job Description :

TPRM Program Management and Governance :

- Develop, implement, and continuously mature the organization's holistic Third-Party Risk Management (TPRM) framework, ensuring alignment with global standards, industry best practices, and internal risk appetite.

- Define and maintain technical policies, procedures, and rigorous guidelines governing the lifecycle of third-party engagements, from initial due diligence to secure offboarding.

- Drive program initiatives with a results-driven mindset, focusing on quantifiable metrics for risk reduction and operational efficiency across the TPRM function.

Risk Assessment and Technical Due Diligence :

- Conduct comprehensive, end-to-end technical security assessments and due diligence reviews of vendors throughout the entire lifecycle, evaluating system configurations, security controls, and overall operational effectiveness.

- Technically assess and recommend compensating controls across various domains, including Network, Server, and Endpoint Security controls, as well as data protection mechanisms for sensitive information like PII and Cardholder Data.

- Expertly evaluate and validate security posture across multi-cloud environments, specifically reviewing configurations and security controls within AWS, Azure, GCP, and OCI.

- Review vendor compliance against rigorous digital payments standards, including PCI-DSS, PCI-PIN, and PA-DSS, ensuring technical control validation is performed where applicable.

- Conduct technical control verification, including analyzing Vulnerability Assessment and Penetration Testing (VAPT) reports and assessing the effectiveness of Security Information and Event Management (SIEM) capabilities in vendor environments.

Continuous Monitoring and Risk Mitigation Advisory :

- Establish and operationalize robust processes for continuous monitoring and periodic technical reassessments of third-party security and compliance posture using automated tools and manual deep-dive reviews.

- Identify latent and emerging security risks in third-party engagements, translating potential vulnerabilities into actionable, business-focused mitigation strategies for internal stakeholders.

- Provide expert advisory and technical guidance on security control implementation, leveraging security-by-design principles for data protection and API security during new third-party integrations.

- Act as a technical liaison with business partners to ensure timely and effective implementation of recommended security controls and regulatory assurance in the digital payments ecosystem.

Reporting, Compliance, and Stakeholder Engagement :

- Lead audit planning and collaborate with assurance teams to analyze control effectiveness, review reports, and present clear, data-driven findings on the overall third-party risk posture to C-level executives and senior management.

- Partner with internal teams (Legal, Procurement, IT, CISO) to champion an integrated and streamlined approach to TPRM across the organization.

- Ensure all third-party engagements maintain continuous compliance with relevant local and international laws, regulations, and industry standards.

- Validate adherence to recognized international security frameworks, including ISO (ISMS), SOC reports, and the NIST Cybersecurity Framework.

Required Skills & Qualifications :

- Experience : Mandatory experience working within Information Security or GRC, with significant focus on Vendor/Third-Party Risk Management.

- Framework Expertise : Deep practical knowledge of major cybersecurity frameworks (e.g., NIST, ISO) and regulatory compliance standards (PCI-DSS, SOC 2).

- Risk Analysis : Proven experience performing quantitative and qualitative Risk Analysis and technical due diligence assessments (e.g., control gap analysis, analyzing VAPT reports).

- Cloud Security : Strong technical understanding of security controls and architecture across at least two major cloud platforms (AWS, Azure, GCP, OCI).

- Tooling : Practical experience utilizing SIEM solutions and understanding endpoint security technologies to evaluate a vendor's defensive capabilities.

- Core Skills : Self-motivated, results-driven, exceptional problem-solving abilities, and strong written/verbal communication for effective stakeholder engagement.

- Education : Graduate degree (mandatory).

Preferred Skills :

- Digital Payments : Direct experience with regulatory and security requirements within the digital payments ecosystem (e.g., payment gateways, tokenization, mobile wallets).

- Certifications : Industry-leading certifications such as CISSP, CISM, CRISC, or CISA are highly advantageous.

- Automation : Experience implementing or utilizing GRC/TPRM automation platforms (e.g., OneTrust, ServiceNow GRC) to streamline assessment workflows and continuous monitoring.

- API Security : Technical knowledge of best practices for securing APIs (e.g., OAuth 2.0, API Gateway configuration, rate limiting).

- Contract Review : Basic familiarity with reviewing security schedules and terms within third-party contracts and Statements of Work (SOWs).


