Risk & Compliance Sr Specialist

- Cairo -

Job Details

Overview


Our Information Security Group at PepsiCo is looking for a cyber security
thought leader, influencer, security advocate, and driver of change, to join
our very exciting journey to manage cyber security risks for PepsiCo and all
our partners around the world. The Third-Party Information Security Senior
Specialist will be responsible for supporting and influencing the information
security efforts and team that determine functional and technical risks
related to the use, processing, storage and transmission of information to and
from those third-party entities engaged by PepsiCo globally.


As a Third-Party Information Security Risk Management senior specialist, you
will work with a global team to evolve and implement a full life-cycle
governance risk and compliance framework related to PepsiCo's global third
parties. This includes tasks such as providing strategic oversight and
direction of the third-party security assessment program to adapt it to the
changing threat landscape and always keep it relevant, continuously advocating
for the success of our business by partnering with multiple organizations,
influencing a team of global assessors responsible for executing risk-based
information security risk assessments of PepsiCo's third parties,
collaborating with global procurement and legal teams to facilitate the
inclusion of Information Security Requirements in third-party contracts,
developing and tracking key performance indicators and operational/executive
metrics, communicating third-party assessment issues and results to both IT and
Business executives, and advocating for the importance of third-party
information security risk management as it pertains to the various services
provided by third parties to PepsiCo.


Responsibilities


Responsibilities for this position include:



  • Work with and influence third-party information security risk assessors around the world (team-lead) responsible for executing risk-based information security assessments of the thousands of PepsiCo's global third parties. Day-to-day people management and leadership.

  • Provide thought-leadership and consultation to the organization related to the information (cyber) security posture of third parties through the assessed functional and technical risks related to the use, processing, storage and transmission of information to and from those third-party entities that impact PepsiCo globally (both in our corporate and manufacturing environments).

  • Support Global Procurement (IT and non-IT), Legal, and business procurement teams by translating technical information into practical business considerations when reviewing changes to the standard PepsiCo Information Security Requirements in third-party contracts, and participating in the negotiation of requirements with third-party representatives.

  • Participate in industry forums and influence the strategic direction of the third-party information security risk management program at both PepsiCo and our key partners to keep the program relevant to the threat landscape while being cost effective.

  • Coordinate and track critical initiatives focused on increasing the maturity and capabilities of the third-party information security risk management program in line with multiyear roadmap and maturity model.

  • Develop rapport with global technical and management leaders responsible for third-party relationships to ensure effective cooperation throughout the assessment lifecycle and ownership of assessment results.

  • Improve information security risk assessments to ensure each is technically sound and provides value-added results on the risks and vulnerabilities of third parties (in both corporate and manufacturing environments), including recommendations to mitigate the risks identified in the assessments.

  • Apply technical and architectural expertise and leadership to coach and mentor team members on how to drill deep down into a wide variety of technologies/architectures utilized by third parties to understand impacts/risks to PepsiCo, evaluating the criticality of the issues and escalating to senior leadership and technical leadership as appropriate.

  • Evaluate and recommend information security requirements and leading practices for new technical/functional areas of assessments.

  • Create and present executive-level presentations in English that inform and influence leadership.

  • Present findings (functional/technical) to various stakeholders and levels throughout the organization in English, applying technical and business knowledge to support business objectives.

  • Partner with third-party executives and cybersecurity staff members to suggest/recommend potential mitigation solutions for risk areas, leveraging a broad view of the strategic direction of the business.

  • Facilitate alignment across diverse third parties and business units, and lead key strategic initiatives, to reduce third-party risks to PepsiCo globally.

  • Lead third-party onsite assessments by setting the collaborative and strategic tone with the third parties and representing PepsiCo's business interest in the utmost professional manner.

  • Envision, coordinate, lead, and coach assigned assessors to ensure proper metrics are tracked, that they reflect meeting SLAs and expectations of the assigned team, and that they are relevant to the overall business objectives and company's strategy.


Qualifications


Preferred Skills:
Candidates will be evaluated based on their ability to perform the duties
listed above while demonstrating the functional and technical skills and
competencies necessary to be highly effective in the role. These skills and
competencies include:
* Strong third-party information security risk assessment skills to evaluate functional and technical capabilities across all information security domains.
* Technical and business expertise to drive information security requirements/clauses in third-party contracts, together with people skills to negotiate requirements with third-party representatives.
* Strong understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business, allowing them to meet their strategic objectives.
* In-depth technical experience and knowledge of infrastructure technologies, network, web, computing, cloud services, manufacturing equipment, mobile devices, and information (cyber) security, allowing this role to provide technical leadership and coaching to other members of the organization.
* Comprehensive technical and functional understanding of various information security solutions, technologies and industry-leading practices, allowing this role to provide recommendations and support key decisions.
* Strong and very articulate verbal and written communication skills in English that positively impact relationships with key businesses' and third parties' stakeholders, and proactively influence the actions taken by these stakeholders.
* Excellent prioritization capabilities, with an aptitude for breaking down complex work into manageable parts, effectively assessing the priority and time required to complete each part.
* An ability to work on several tasks simultaneously across multiple organizations.
* Strong decision-making capabilities, with a proven ability and common sense to weigh the relative costs and benefits of potential actions, identify the most appropriate one, and influence other teams to adopt recommendations and guidance.
* Strong ability to effectively influence others (including executives and peers) around the world to modify their opinions, plans, or behaviors, with an emphasis on collaborating across multiple teams and ensuring program needs are satisfied through interpersonal and trusted communication.
* Effective ability to identify and assess the severity and potential impact of risks and communicate risk assessment findings to risk owners outside Information Security. Communication should consistently drive objectives, relying on fact-based decisions about risk that optimize the trade-off between risk mitigation and business performance.
* Strong presentation creation and presentation delivery skills in English.
* Strong ability to be a team-lead supporting global functions.


Minimum Requirements:
* Bachelor's degree or higher.
* 10+ years of experience in third-party information security risk/compliance/governance, IT audit, and/or Enterprise Risk Management.
* 10+ years of technical or project management experience across various technologies and architectures including web, networks, infrastructure, applications, and/or information security.


Desired Qualifications:
* One of the following certifications is highly desirable: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), Certified Information Security Manager (CISM).
* 5+ years of experience with regulatory compliance and information security management frameworks (e.g., ISO 27000/27001, COBIT, NIST 800, NIST CSF, etc.).
* 2+ years direct technical experience with one or more security-related regulatory or industry standards (HIPAA/HITECH, SOX, PCI-DSS, GDPR, CCPA, etc.).
* ServiceNow Vendor Risk Management (VRM) and Governance Risk and Compliance (GRC) experience.
* Strong Microsoft Excel and PowerPoint skills to analyze metrics and create executive-level presentations.

Job Summary

  • Advertiser: PepsiCo
  • Posting date: 23/02/2023
  • Job type: -
  • Experience level: -
  • Education level: -
  • Location: Cairo
  • Salary: -
  • Phone: -