Supplier Risk Manager

The Boston Consulting Group (BCG) is a global management consulting firm and the world’s leading advisor on business strategy. We partner with clients from the private, public, and not-for-profit sectors in all regions to identify their highest value opportunities, address their most critical challenges, and transform their enterprises. BCG was founded in 1963 and is a privately owned firm with more than 10,000 employees across 82 offices in 46 countries. Integrity, respect for the individual, delivering value, and making an impact on society are just some of BCG's core values. BCG's commitment to both our clients' success and our own standards is what sets BCG apart as a world-class professional services organization. Join BCG - start your career at a company that is consistently ranked as the leader in its field and is acknowledged as one of the best places to work.

BUSINESS SERVICES TEAM/ GLOBAL SERVICES

BCG’s Business Services Team (BST) is the operational heart of our business and is invaluable to our success. Within BST, functions support Local offices and regional jurisdictions. Global and centralized initiatives sit with Global Services (GS), a network of 1000 professionals in 30 countries though the majority of GS staff sit in ‘hub’ cities e.g. Boston, New Delhi, London, Munich and Madrid.
 
Global Services (GS) consists of a varied range of functions providing corporate support of BCG's business and strategic priorities for example, Finance, Legal, HR, Marketing, IT, Risk, Partner Services and more. This diverse team of experts, operators and specialists represent all levels from Partner to entry level Staff, operating across the globe in multiple countries.
Global Services rapid growth and expansion over the last few years has created a need for strong operations management, governance and leadership to better enable Global Services to support BCG’s world class Consulting & Knowledge and Analytics divisions. Global Services is in short the backbone of BCG and our ability grow apace with the other divisions and to continue to attract and develop top talent, directly impacts the entire Group.

The IT Security Manager role is a member of the Secure Supplier Risk Management (sSRM) team, within the Information Security Risk Management function and under the guidance of the Director of ISRM Strategy Governance Risk and Compliance.  The role reports directly to the sSRM manager to develop and enhance the sSRM program, and interfaces with and supports various BCG internal functions, including Information Security, Legal, Procurement, IT and Enterprise Risk teams.  The role works directly with internal BCG stakeholders and Suppliers to complete supplier risk assessments, manage and monitor information security concerns and reduce BCG’s information security risk exposure associated with supplier engagements.

JOB RESPONSIBILITIES
The role will perform the following tasks
 

• Complete Information security risk assessments on suppliers who have access to BCG’s data or assets
• Prepare and present information security assessment reports
• Periodically review and close supplier information security findings associated with supplier risk assessments
• Support legal teams to ensure appropriate compliance requirements are included in Supplier Contracts and ensuring supplier adherence of their contractual obligations
• Build, support, and manage the information security supplier assessment’s workflow using BCG’s information security supplier risk management platform (Process Unity)
• Respond to Supplier inquiries related to information security and cyber security assessments
• Assist with development and documentation of information security policies, processes, and standards for BCG’s Supplier Risk Management program
• Recommend projects, initiatives, standards, etc., based on BCG’s supplier information security and cyber risks to enhance the Secure Supplier Risk Management program
• Assist Cyber Security Incident Response Team during cyber security incidents involving BCG’s suppliers
• Track and reporting on Supplier information security and cyber security issues
• Develop dashboards and provide reports of key risk and operational metrics
• As necessary, oversee and manage a small team for completing projects and tasks
• Develop and enhance workflows in BCG’s sSRM supplier portal (Process Unity)
• Develop and manage cyclical review and continuous monitoring of suppliers using BCG’s third-party cyber intelligence platform (Security Scorecard)
• Assist closing ServiceNow tickets related to sSRM requests
• Manage individuals responsible for cyclical reviews of BCG’s medium and low risk suppliers

Maintain up-to-date knowledge of the Security industry in relation to Secure Supplier Risk Management as it relates to BCG including

• Information Security Standards, regulations, and legislation
• BCG’s Risks around Probability and Impact Factor
• Technologies and solutions to enhance BCG’s sSRM program
• Industry best practices related to third party risk management
• BCG’s client requirements and concerns as it relates to Information Security
• Solid understanding of laws and regulations impacting BCG’s supplier base, including data privacy requirements (e.g., EU GDPR and Deutsche DSGVO)
• Knowledge of industry security frameworks and certifications including ISO 27000, NIST 800-53, Cobit, CSA, Cyber Essentials, and others
• Risk management framework methodologies
• Information Security expertise and knowledge related to cloud service providers

Provide input and represent BCG’s interests in the areas of information security and cyber risk

• Information Security Policy
• Organization Security – 3rd Party Security, Outsource Security, Information Security Infrastructure
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security related to IT
• Communications and Operations Management
• Access Control
• System Development and Maintenance
• Business Continuity Management
• Compliance and Audit
• Incident Response and Investigation
• Incident response management for client security incidents
• Update externally oriented documents and propose new documents and materials to respond to requests quickly and completely
• Propose standards in accordance with Industry state-of-the-art alternatives, and requirements for share data and information with BCG’s suppliers
• Work with internal stakeholders, including IT Directors, Managers, Architects and staff to implement, monitor and maintain Confidentiality, Availability and Integrity of BCG information assets

Participate as an integral part of the Information Security Team and IT in general

• Provide input, feedback as an integral team member of IT projects
• Review and prepare monthly status reports and statistics on information security supplier risk related KPIs
• Strike an effective balance between security and business requirements based in risk management principles
• Maintain information security credentials and certifications as required to present a credible presence to internal and external audiences

Technical and functional expertise

• The successful candidate must have an advanced level of professional experience as an information security and supplier risk subject matter expert
• Knowledge and firsthand experience developing risk assessment methodologies, processes and principles relating to supplier engagements processing confidential data or assets
• Knowledge of the legal and regulatory landscape related to information security and data privacy in an international environment
• Very strong business sense with ability to communicate technical issues to non-technical business stakeholders

Problem solving, analytical skills and decision making

• Requires strong technical skills to analyze supplier Information security risk in context of business interests

• Review and analyze various metrics, which help measure and monitor BCG’s supplier risk, sSRM performance, and sSRM service quality
• Review and prepare monthly status reports and statistics aligned to strategic ISRM goals and objectives

Communication, interpersonal and teaming skills

• Outstanding verbal and written communications skills are a must because of the requirement to represent the Information security team to the broader BCG audience and suppliers
• Calm demeanor and team-oriented attitude

Leadership, impact, and change

• High level of initiative and self-motivation, resourceful, and patient with an iterative process
• Ability to gain trust and commitment of others at different levels of the organization
• Proven ability to challenge traditional way of operating and moving beyond the obvious
• Translates BCG’s broader strategic objectives and cascades these into own work plans, metrics, and teamwork plans
• Works effectively with significant ambiguity and fluctuating priorities and constraints

Work management, organization, and planning

• Ability to manage projects and direct staff to ensure projects are aligned with the risk mitigation and strategic objectives of the business

Customer and business focus

• Focuses on the most critical issues that have the highest impact on the organization and business needs
• Working mode: “enabling”, “value adding” and “expanding”

People management

• This position requires interaction with a broad list of cohorts across BCG and across our supplier base, including junior and senior level roles
• Very strong relationship skills
• Excellent Leadership and teaming skills are required

Values and ethics

• Maintains a strong sense of confidentiality and integrity with stakeholders
• Treats others with respect and generates trust
• Establish relationships based on respect, trust, and integrity.

• Bachelor’s degree (or equivalent); Master's degree preferred with extensive experience in the application of technology and cyber security to business problems
• Successfully maintaining certifications in either ISO 27001, CISSP, CISM, CRISC, or CISA
• Minimum of 10 years of business experience in third party supplier risk, with a very strong technical background
• Minimum 10 or more years of information security experience in a multinational enterprise