Info Security Specialist

Overview

The main purpose of the role is to lead, manage, and own the activities necessary to perform information security risk assessments on the third parties with which PepsiCo enters a business relationship for services around the world of varying levels of criticality and complexity. The third-party information security risk assessor will act as a trusted liaison providing guidance, counsel, direction, and support to Business Teams and other stakeholders at various levels (including executive leadership) around the globe to better manage PepsiCo risks by performing third-party information security risk assessment activities. This role will also advocate awareness and execution of other critical third-party related security assessment activities such as ensuring contracts include the required Global Information Security Requirements (GISR) and completion of Payment Card Industry Data Security Standards (PCI-DSS) assessments. The third-party information security risk assessor will drive various process improvement initiatives and efforts to further enhance the TPSRM assessment process and other PepsiCo initiatives globally.

Responsibilities

• Lead, manage, and own the activities necessary to perform information security risk assessments on the global third parties with which PepsiCo enters a business relationship for services of varying criticality and complexity. At the conclusion of the assessment process, this position will make a determination of whether the third party exposes PepsiCo to security risks or not, and make a decision on the remediation actions to pursue. Failure to do so properly can expose PepsiCo to significant risks.

• Act as a trusted liaison providing direction, guidance, and counsel to Business Teams and other stakeholders at various levels (including executives) around the globe in support of third-party information security risk assessment activities. This requires a great level of technical and client relationship expertise to properly provide accurate advice. Not doing so could lead Business Teams in the wrong direction and potential prolong or severely impact the success of initiatives.

• Advocate and be an ambassador of other critical third-party related security assessment activities such as ensuring contracts include the required Global Information Security Requirements (GISR) and completion of Payment Card Industry Data Security Standards (PCI-DSS) assessments. The Assessor is commonly a critical link to identify when GISR and/or PCI actions are needed. Therefore, this role will have a material impact on educating Business Teams and providing direction to further those initiatives.

• Partner with stakeholders to drive various process improvement initiatives and efforts to further enhance the TPSRM assessment process (such as introduction of CyberGRX capabilities) and other PepsiCo initiatives. In this capacity the position will set the direction of key initiatives and their implementation with Business Teams around the globe. This role will work to obtain buy in from Business Teams and then further their adherence through training and follow-up.

• Develop innovate mechanisms to allow critical documentation to be securely stored and readily available for analysis and reporting purposes. The data captured and archived is critical to ensure historical references, manage day-to-day third-party risks, review trends and work management initiatives, and provide as evidence of adherence to regulatory, compliance, and policy requirements.

Qualifications

Mandatory Technical Skills:

• Strong third-party information (cyber) security risk assessment skills to evaluate functional and technical capabilities of third parties.

• In depth technical experience and knowledge of infrastructure technologies, network, web, computing, cloud services, manufacturing equipment, mobile devices, DevSecOps principles, threat modeling, and information (cyber) security, allowing this role to provide technical leadership and coaching to other members of the organization.

• Thorough understanding of Confidentiality, Integrity, and Availability controls, Privacy laws, as well as PCI-DSS compliance assessment (SAQ, ISA, QSA) principles.

• Comprehensive technical and functional understanding of various information security solutions, technologies, and industry-leading practices, allowing this role to provide recommendations, support key decisions, and contribute to industry forums.

• Technical and business expertise and savviness to drive information security requirements/ clauses in third-party contracts, together with people skills to negotiate requirements with third-party representatives.

• Strong understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business, allowing them to meet their strategic objectives.

• Bachelor's degree, master's degree preferable.

• 7-10 years of experience in third-party information security risk compliance and/or governance.

• 7-10 years of technical experience across various information security related areas including web technology, networking concepts, systems infrastructure, cloud services, manufacturing equipment, mobility, computer applications, and information security.

• Proficient in Microsoft Excel, Word, and PowerPoint skills to develop ad hoc reports to convey results, influence executive leadership, manage expectations, and improve metrics.

Mandatory Non-Technical Skills:

• Independent thinker and strong self-motivator, with the ability to collaborate with virtual teams in other timezones and influence decision making.
• Strong verbal and written communication skills in English that positively impact relationships with key businesses' and third-parties' stakeholders, and proactively influence the actions taken by these stakeholders.
• Excellent prioritization capabilities, with an aptitude for breaking down complex work into manageable parts, effectively assessing the priority and time required to complete each part.
• Outstanding ability to work on several important tasks simultaneously.
• Strong decision-making capabilities, with a proven ability and common sense to weigh the relative costs and benefits of potential actions and identify the most appropriate one.
• Robust ability to effectively influence others and lead peers and superiors to modify their opinions, plans, or behaviors, with an emphasis on collaborating across multiple teams and ensuring program needs are satisfied through interpersonal and trusted communication.
• Effective ability to identify and assess the severity and potential impact of risks and communicate risk assessment findings in English to risk owners outside Information Security. Communication should consistently drive objectives, relying on fact-based decisions about risk that optimize the trade-off between risk mitigation and business performance.