
Security Compliance Strategist

Mid-level
🇮🇩 Indonesia

As a Security Compliance Strategist, you are an individual contributor within the Cyber Security - Cyber Assurance function, responsible for assessing, monitoring, and mitigating cyber risks associated with third-party engagements across the lifecycle of the vendor.

You will work with multiple internal and external stakeholders to assess cyber security requirements for all third parties, specifically against South East Asia cyber regulatory requirements and industry standards. You will play a critical role in the delivery of a wide range of initiatives, from small, quick wins to lengthy and complex risk and compliance initiatives within third-party risk management programs. The ideal candidate should have a good understanding of the fundamentals of cloud environments (e.g. Azure, AWS).

Key Responsibilities:

  • Collaborate with other Cyber Security teams such as Product Security and Application Security teams within Grab to enforce and enhance our third party security compliance framework and processes
  • Collaborate with internal stakeholders such as the Data Protection Office (DPO), Group Compliance and Risk, Procurement, Legal, Finance, and other Information Security teams to gather needs/requirements for identifying and assessing third party vendors
  • Collaborate on initiatives between Cyber Assurance and Procurement, Outsourcing Governance, and Data Privacy Office functions to harmonize security standards in third-party partnerships, aiming for improved adherence to Grab's privacy regulatory commitments, procurement guidelines, and outsourcing criteria.
  • Document and track third-party risk assessments, remediation activities and processes
  • Review contractual agreements to ensure alignment with company standards and risk tolerance.
  • Utilize risk management tools and frameworks to track and report on key risk indicators associated with third-party engagements.
  • Analyze results to determine ongoing monitoring and remediation requirements, and monitor to ensure information security gaps are remediated in a timely manner
  • Provide risk-based guidance to third-party business stakeholders to ensure transparency, comprehension, and acceptance of the risks involved in doing business with each third-party throughout the third-party lifecycle
  • Incorporate lessons learned to ensure continuous process enhancements and data analytics
  • Conduct security design & architecture review to identify potential security flaws.

Requirements

  • 3 - 8 years of experience in a Third Party Cyber Risk management, Cyber Supply Chain Risk Management, Cyber Compliance or Audit role
  • Degree in Computer Science or a technology-related field
  • Professional Information Security certification such as CISSP/CISM/CISA/CRISC/ISO 27001
  • Solid knowledge of various Cyber Security frameworks (e.g. SOX 404, SOC 1/2/3, NIST 800-53, ISO27001)
  • Solid knowledge of various information security and auditing frameworks
  • Fundamental understanding of security practices in cloud environments
  • Ability to perform system architecture review, code review, and penetration testing
  • Basic ability to code/script in at least one programming language such as Python, Java, or C++
  • Good understanding of pen-testing tools and procedures for Web/Mobile and good knowledge of application security vulnerabilities (OWASP Top 10, SANS 20, etc.)
  • Solid knowledge in cloud technologies (e.g. AWS & Azure)
  • Solid knowledge in third party security risk management
  • Excellent problem-solving and analytical skills
  • Excellent stakeholder management skills
  • Excellent project management skills
  • Strong influencing skills to gain support from stakeholders


Grab


Southeast Asia's leading super-app providing everyday services such as deliveries, mobility, financial services, enterprise services and others to millions of users across the region.

E-commerce
Logistics
Technology
