Third Party Risk Management (TPRM) Specialist

Job Title: Cyber Third-Party Risk Management (TPRM) Specialist

Working Location: Pune

Work Experience: 5 to 8 Years

CTC Budget: 25 LPA

Job Level / Grade: Middle Level

POSITION SUMMARY

We are seeking an experienced and skilled Cyber TPRM Specialist to join our Cyber Security team. The successful candidate will be responsible for conducting comprehensive risk assessments of our third-party vendors and partners, focusing on their cybersecurity posture and potential risks to our organization. Additionally, this role will involve mentoring junior cyber risk analysts, fostering their professional growth, and enhancing the overall capabilities of the team. The Specialist will work closely with the TPRM Lead in Australia.

The activity will include:

• Conduct questionnaire-based assessments to evaluate vendors' cybersecurity practices.
• Perform on-site assessments of critical vendors as necessary.
• Analyze assessment results and provide detailed risk reports to stakeholders.
• Collaborate with internal teams to remediate identified risks.
• Prepare and report on key metrics to measure the effectiveness of the TPRM program.
• Develop dashboards and reports to communicate TPRM performance to senior management.
• Review variations to the standard cyber clause in contracts and facilitate necessary negotiations and approvals in collaboration with legal, procurement and risk teams.
• Stay current with industry trends, regulations, and best practices in cybersecurity and third-party risk management.
• Mentor and guide junior cyber risk analysts in their professional development.
• Provide training and support to team members on TPRM methodologies, tools, and best practices.
• Foster a culture of continuous learning and improvement within the team.
• Assist in developing and refining assessment processes and methodologies.
• Contribute to the creation of training materials and internal knowledge bases.
• Work closely with the TPRM Lead in Australia to align assessment processes and risk management strategies.

The individual must possess:

• Deep knowledge of cybersecurity frameworks, risk assessment methodologies, and industry standards, coupled with an understanding of technical systems and vulnerabilities.
• Deep knowledge of cybersecurity practices, risk assessments and compliance activities
• Ability to develop and implement long-term strategies for managing third-party cyber risks, aligning with organizational goals, and adapting to evolving threat landscapes.
• Multi-Cycle knowledge in driving compliance
• Strong stakeholders management skills
• Strong analytical, research and recommendation skills
• Good skills in preparing and presenting management reports and dashboards

•      Ability to travel for on-site assessments (up to 20% of the time)

The position will work closely with senior management and other company teams to ensure the risks are identified, tracked, and remediated.

This role requires initiative to take ownership of issues, and work with other support parties both internal and external to company.

The role requires a close working relationship with other team managers for continual improvement of processes, procedures, and services, as well as working with company counterparts for all regional security initiatives.

This role will be responsible for ensuring the successful execution of Supply Chain security risk governance program for company.

KEY RESPONSIBILITIES AND RESULTS

Key Result Areas

Required KPIs

Measurement Method

Planning

•        Review and understand the present process and improve as required.
•        Analyze TPSP data and categorize them appropriately for assessment.
•        Lead initiatives to ensure that all third-party assessments are fully compliant with evolving regulatory requirements and industry standards, advising on potential changes and their impacts.
•        Design and implement robust frameworks and methodologies for assessing third-party cyber risks, ensuring they are comprehensive and scalable.
•        Define the end-to-end plan for TPSP governance.
•        Effectiveness of the plan

Execution

•        Execute TPSP program to the plan.
•        Lead complex assessments that require in-depth analysis of third-party systems, including cloud environments, supply chains, and emerging technologies.
•        Manage vendor and TPSP issues on time to meet deadlines and cost.
•        Focus on identifying critical risks that could have a significant impact on the organization and develop strategies to mitigate these risks effective.
•        Ensure at every stage of the project the quality of the TPSP responses and our assessments are held to the highest order.
•        Manage and update documentation of artefacts and reports in existing tools/ repositories. Establish repositories where absent
•        Deliver project on time and budget

Reporting

•        Monitor and drive remediation of identified issues with stakeholders.
•        Develop and deliver detailed reports for executive leadership, providing insights into the overall risk landscape, key vulnerabilities, and recommended action.
•        Establish and monitor key performance indicators (KPIs) for third-party risk management, using these metrics to drive continuous improvement.
•        Assess, document, and communicate risks in context with business operations.
•        A well understood report for the stakeholders

Communication and Teamwork

•        Working together with other functions of Security & Risk on refining risk and security practices
•        Build relationships with key stakeholders across the business (internally and externally)
•        Customer Satisfaction measures
•        Feedback from other staff members

MAJOR CHALLENGES / TYPICAL PROBLEMS ENCOUNTERED

List the principal challenges or problems faced by the role in achieving the results of the position.

Also, describe the extent to which originality or creativity is required in solving the problems faced.

Specify unique problems associated with the position because of job complexity, economic and environmental aspects or growth potential.

For existing role, please indicate additional challenges and problems in bold.

1.

Identifying accurate Vendor information / key stakeholders in a large organization

2.

Ability to manage various procedural issues with Internal stakeholders as well as TPSP (such as scheduling issues, Vendor contractual clauses, escalations, etc.)

2.

Communicating the potential impact of a technical risk as a financial or business risk to stakeholders / management

4.

The ability to communicate technical security issues to senior management (SLT/ELT) in a clear and concise manner

5.

Stay abreast of information security issues and regulatory changes affecting the telecommunications industry.

SECTION D:       DECISION MAKING AUTHORITY

Provide key information (both from a Problem Solving and Accountability Perspective) with appropriate examples to help define the scope and impact of the job and the extent to which the job has authority to manage resources and make decisions. (To also consider the approval limits of the role, procedural decision making, authority and empowerment.)

For existing role, please indicate additional decision-making authority in bold.

Decisions made under own authority

Decisions referred to higher authority

Assessment management

Deviations

Project Management

Deviations

KEY INTERNAL / EXTERNAL CONTACTS

Contact Purpose

Reporting Manager

•      Day-to-day interaction with line manager on all assigned responsibilities, escalations, and for all administrative matter

Team peers

•      Knowledge sharing/transfer, team collaboration, problem resolution and brainstorming, solution development, ensuring team redundancy is in place for critical functions

Other company peers

•      Collaboration with other company peers to ensure effective and timely delivery of security deliverables from an information security, governance, risk, and compliance

Security Vendors / Partners

•      Work with vendor support resources where required for troubleshooting issues with tools.

•      Keep abreast of latest security trends and technologies for own professional development provided by key security vendors / partners

Markets and Customers

Target markets / segments

This activity assesses the risks in the BU through TPSPs. It helps BU manage their risks better.

Impact on customers

Significant improvement of confidence and trust in company customer facing systems.

Customer type

☐ Mainly internal   ☐ Mainly external   ☒ Both internal and external

SECTION F:       QUALIFICATIONS / EXPERIENCE / KNOWLEDGE REQUIRED

Indicate key knowledge and skills required for this role to perform the tasks to a satisfactory level. To also specify a suitable level of qualification required (i.e. basic, advanced, or professional), where applicable.

Category

Essential for this role

Good to have

Education and Qualifications

•      Bachelor's degree in Information Security, Computer Science, or related field.

•      Relevant certifications (e.g., CISSP, CISA, CRISC).

•      Understanding of local Australian Privacy laws, data protection methods and technologies

Work Experience

•      5+ years of experience in cybersecurity, risk management, or related areas.

•      Experience in Vendor Risk Management and Compliance: Proven track record in managing third-party cybersecurity risks, conducting comprehensive vendor audits, and ensuring compliance with industry standards.

•      Leadership Experience: Experience in leading cybersecurity projects, managing teams, or overseeing vendor relationships and ensuring their alignment with the organization’s security policies.

•      Experience in Cyber Risk, Business Risk Management, Operational Risk, Internal Audit, and/or controls related function preferred

Technical / Professional Skills

Please provide at least 3

•      Advanced Risk Management: Expertise in risk assessment methodologies and frameworks (e.g., PCIDSS, OWASP, NIST, ISO/IEC 27001, CIS Controls, SOC 2).