Supplier Cyber Risk & Assurance Analyst

Support the Supplier Cyber Risk and Assurance processes for all business units and support functions across GSK, to ensure cyber security risks that may be introduced by third-parties are understood, managed or mitigated

Key Responsibilities

• Conduct comprehensive supplier cybersecurity assessments and generate detailed reports, ensuring alignment with up-to-date departmental procedures and industry best practices.

• Continuously develop and enhance the third-party risk management process framework for security risk, incorporating the latest standards, procedures, emerging technologies, and AI-driven insights.

• Review and analyse supplier security practices through questionnaires, audits, scans and assessments to ensure compliance with company cyber security standards.

• Coordinate and respond to security incidents involving suppliers, including investigation, mitigation, and reporting.

• Examine supplier contracts to ensure they include necessary security clauses and negotiate terms to address identified risks.

• Provide clear and effective support to internal third-party relationship owners and external third-party representatives, facilitating accurate responses to the security risk assessment questionnaire.

• Collaborate closely with Legal, Procurement teams to ensure the inclusion of robust security and privacy clauses in third-party contracts, in line with current regulatory and industry requirements.

• Accurately interpret third-party responses to assessment questionnaires, using AI and automation tools to translate them into concise and actionable risk exposure reports for internal stakeholders.

• Work with internal third-party relationship owners and external third-party representatives to recommend and implement effective cyber security controls to mitigate risks to GSK.

• Ensure robust tracking and remediation of third-party security and privacy risk exposures identified through assessment processes

• Deliver ongoing training and awareness programs related to the supplier cyber risk and assurance process, keeping pace with the latest industry trends and threats.

• Aggregate and distribute periodic program metrics and dashboards, leveraging advanced analytics and reporting tools.

• Provide expert consultancy and subject matter expertise (SME) support in conducting security posture assessments, as part of continuous monitoring or post-breach scenarios, ensuring that suppliers maintain robust and up-to-date security controls with the assistance of AI and automation technologies.

• Ability to Perform detailed assessments of AI-enabled tools to identify potential risks related to compliance, security, bias, and ethical considerations.
• Ability to evaluate the service specific AI risks, brainstorming of the changing landscape of the AI like Gen AI & Agentic AI to provide assessment questionnaires inputs.
• Develop and implement strategies to mitigate identified risks in AI tools.
• Evaluate tools for vulnerabilities, including data privacy, algorithmic transparency, and unintended consequences.

General

• Experience and knowledge across different frameworks and standards such as ISO 27001, NIST, CIS etc.
• Demonstrated experience and understanding of cyber security principles, IT security controls, and related technologies and products
• Security Certification: Preferred Security Certifications: CISSP, CISM, CISA, CTPRA, CTPRP, CRISC, ISO27001: 2022 LA & LI, ISO42001 AI. Understanding of relevant regulations and compliance standards GDPR, HIPAA, PCI-DSS etc
• Practical experience with third-party risk management tools such as Archer, OneTrust, Certa, CyberGRX, UpGuard, and ServiceNow is highly preferred.
• Sound knowledge in Power BI, Tableau, Excel advanced features.
• Prior experience in conducting cyber-Security risk assessments and 3rd party security and data privacy assessments. Ensuring 3rd parties adhere to data protection laws and best practices for safeguarding sensitive information.
• Strong analytical skills to identify, evaluate, and prioritize potential cyber risks from suppliers.
• Understanding of cybersecurity principles, tools, and technologies used to protect against threats.
• Proficiency in documenting cyber security findings, creating reports, and presenting recommendations to management.
• Preparedness to coordinate and respond to cyber security incidents involving suppliers.
• Expertise in reviewing and negotiating supplier contracts to ensure they include necessary security clauses.
• Stakeholder/ internal business management experience
• Strong verbal/written communication in English, with the ability to effectively interact with professionals at all levels of responsibility and authority
• Ability to prioritize, delegate, and foster the development of high-performance teams to lead/support an environment driven by customer service and teamwork
• Extensive experience in designing and developing security policies, processes, standards, and contracts.
• Strong understanding of inherent and residual risks, as well as expertise in risk assessment methodologies.
• Work with virtual teams located in different countries around the world, aligning and adapting different work, culture and communication styles.
• Exposure to any GRC technologies to conduct cyber risk management
• Strong understanding of AI systems, machine learning, and data analytics.
• Knowledge of relevant regulations, standards, and ethical frameworks related to AI.
• Good theoretical knowledge of Application programming and security, Machine Learning OWASP, Big Data, AI Production Environment like Kubernetes.
  Knowledge of DevSecOps will be a plus.

Technical/Functional (Line) Expertise

• Experience in evaluating third parties for the presence of fundamental information security controls.
• Experience conducting risk assessments and applying concepts of inherent and residual risk in order to draw appropriate conclusions and articulate the same to non-technical audiences.
• Ability to effectively negotiate appropriate remediation of security gaps with third party representatives to ensure protection of GSK information.

Leadership

• Influencing action across various business lines and geographies to achieve program objectives.
• Ability to effectively manage conflicting priorities in alignment with overall business and departmental strategies.
• Developing strong relationships with leaders of complementary programs (e.g. Procurement, Legal, Ethics & Compliance) to ensure harmonization.

Decision-making and Autonomy

• Operates autonomously in the execution of the third-party security risk program framework.
• Serves as central point-of-contact for evaluating security risks associated with all third-party engagements.
• Recommends and agrees with Line Manager the need for shifts in program strategy.

Interaction

• Excellent project management skills to effectively balance unexpected and conflicting priorities as they arise
• Experience operating effectively across matrixed organizations
• Intercultural sensitivity

Innovation

• Understand innovations and evolving best practices amongst industry practitioners of third-party security risk management to continually mature GSK’s program.
• Ability to apply innovative approaches to balancing business constraints with program goals to identify win-win solutions.

Complexity

• Global SME role, but with coordination to the global third-party program.
• Operate across geographies and across business lines.
• Collaborate effectively with relevant third parties and managed service provider.

Skills

Why GSK?

Uniting science, technology and talent to get ahead of disease together.

GSK is a global biopharma company with a special purpose – to unite science, technology and talent to get ahead of disease together – so we can positively impact the health of billions of people and deliver stronger, more sustainable shareholder returns – as an organisation where people can thrive. We prevent and treat disease with vaccines, specialty and general medicines. We focus on the science of the immune system and the use of new platform and data technologies, investing in four core therapeutic areas (infectious diseases, HIV, respiratory/ immunology and oncology).

Our success absolutely depends on our people. While getting ahead of disease together is about our ambition for patients and shareholders, it’s also about making GSK a place where people can thrive. We want GSK to be a place where people feel inspired, encouraged and challenged to be the best they can be. A place where they can be themselves – feeling welcome, valued, and included. Where they can keep growing and look after their wellbeing. So, if you share our ambition, join us at this exciting moment in our journey to get Ahead Together.

Important notice to Employment businesses/ Agencies

GSK does not accept referrals from employment businesses and/or employment agencies in respect of the vacancies posted on this site. All employment businesses/agencies are required to contact GSK's commercial and general procurement/human resources department to obtain prior written authorization before referring any candidates to GSK. The obtaining of prior written authorization is a condition precedent to any agreement (verbal or written) between the employment business/ agency and GSK. In the absence of such written authorization being obtained any actions undertaken by the employment business/agency shall be deemed to have been performed without the consent or contractual agreement of GSK. GSK shall therefore not be liable for any fees arising from such actions or any fees arising from any referrals by employment businesses/agencies in respect of the vacancies posted on this site.

It has come to our attention that the names of GlaxoSmithKline or GSK or our group companies are being used in connection with bogus job advertisements or through unsolicited emails asking candidates to make some payments for recruitment opportunities and interview. Please be advised that such advertisements and emails are not connected with the GlaxoSmithKline group in any way.

GlaxoSmithKline does not charge any fee whatsoever for recruitment process. Please do not make payments to any individuals / entities in connection with recruitment with any GlaxoSmithKline (or GSK) group company at any worldwide location. Even if they claim that the money is refundable.

If you come across unsolicited email from email addresses not ending in gsk.com or job advertisements which state that you should contact an email address that does not end in “gsk.com”, you should disregard the same and inform us by emailing askus@gsk.com, so that we can confirm to you if the job is genuine.