OM Bank: Third Party Risk Analyst

Old Mutual

Cape Town

On-site

ZAR 500,000 - 800,000

Full time

3 days ago

Job summary

A leading company in Africa is seeking a Cyber Security Third-Party Risk Analyst to evaluate and monitor third-party service providers' cybersecurity postures. This role involves conducting risk assessments, ensuring compliance with cybersecurity standards, and engaging with partners for risk mitigation. Ideal candidates will have a bachelor's degree in a relevant field and experience in IT risk management.

Qualifications

  • 3 years of experience in cybersecurity, IT risk management, third-party/vendor risk.
  • Proven experience reviewing cybersecurity posture of SaaS or cloud-based providers.
  • Familiarity with SOC 2 or ISO 27001 audit requirements.

Responsibilities

  • Conduct cybersecurity risk assessments of third-party SaaS vendors.
  • Support security due diligence for new vendors.
  • Track third-party risk metrics and report on trends.

Skills

Adaptive Thinking
Computer Literacy
Data Privacy
IT Network Security

Education

Bachelor's degree in Information Security, Risk Management, Computer Science

Tools

Third-party risk management tools
GRC platforms

Job description

Let's Write Africa's Story Together!

Old Mutual is a firm believer in the African opportunity and our diverse talent reflects this.

Job Description

The Cyber Security Third-Party Risk Analyst is responsible for evaluating and monitoring the cybersecurity posture of third-party service providers, with a particular focus on SaaS partners. This role is key to ensuring third-party compliance with the organization's cybersecurity requirements and regulatory standards.

The position sits within the Partner Management function, with a strong dotted-line reporting relationship into the Cyber Security GRC team to ensure alignment with enterprise risk and compliance objectives.

KEY RESULT AREAS

Third-Party Security Assessments

  • Conduct initial and annual cybersecurity risk assessments of all critical and high-risk third-party SaaS vendors. Review responses to security questionnaires and evidence of controls (e.g., SOC 2, ISO 27001, penetration test reports).

Due Diligence & Onboarding

  • Support pre-contract security due diligence for new vendors. Work closely with Legal, Procurement, and Cyber Security to identify and mitigate risks before onboarding.

Ongoing Monitoring

  • Implement and manage continuous monitoring processes (e.g., security rating platforms, regulatory watchlists) to detect new risks with existing partners. Ensure follow-up on incidents or changes in risk posture.

Compliance Alignment

  • Align assessments with internal standards and external frameworks such as NIST CSF, CIS Controls, and local regulatory requirements (e.g., SARB, POPIA, GDPR). Maintain evidence for audit readiness.

Engagement & Collaboration

  • Act as the liaison between Partner Management and Cyber Security. Escalate high-risk findings and support remediation conversations with partners.

Reporting & Metrics

  • Track third-party risk metrics and report trends and exceptions to the GRC Lead and Partner Management leadership. Maintain a centralized third-party risk register.

Process Improvement

  • Contribute to maturing the third-party cyber risk management process. Identify automation or tooling opportunities (e.g., TPRM platforms). Maintain assessment templates and documentation.
  • Risk Assessment Completion Rate: Complete 100% of scheduled third-party and cloud risk assessments within the designated timeframes.
  • Risk Mitigation Effectiveness: Achieve a reduction in identified high-risk issues by at least 80% within six months of discovery.
  • Vendor Compliance Rate: Ensure at least 95% of third-party vendors meet the organization’s security requirements.
  • Incident Response Timeliness: Respond to third-party and cloud-related security incidents within the defined SLA (e.g., 4 hours for critical incidents).
  • Audit Readiness: Maintain 100% readiness for internal and external audits with no major findings related to third-party or cloud security controls.
  • Stakeholder Satisfaction: Achieve high satisfaction scores of in performance feedback surveys.

ROLE REQUIREMENTS

Education:

  • Bachelor's degree in Information Security, Risk Management, Computer Science, or a related field.

Certifications (advantageous):

  • CISA, CRISC, CCSK or similar.
  • Familiarity with SOC 2 or ISO 27001 audit requirements.

Professional Experience:

  • 3 years of experience in cybersecurity, IT risk management, third-party/vendor risk, or IT audit.
  • Proven experience reviewing and assessing the cybersecurity posture of SaaS or cloud-based service providers.
  • Experience conducting or supporting security due diligence and third-party risk assessments.

Technical Knowledge:

  • Understanding of cybersecurity frameworks (e.g. NIST CSF, CIS Controls, ISO 27001).
  • Familiarity with cloud security concepts and controls, especially for SaaS platforms.
  • Ability to interpret technical documents such as SOC 2 reports, penetration test summaries, and ISO certifications.

Tooling (advantageous):

  • Experience using third-party risk management tools
  • Exposure to GRC platforms

Skills

Adaptive Thinking, Application Development, Computer Literacy, Confidentiality, Data Compilation, Data Compression, Data Controls, Data Modeling, Data Privacy, Data Recovery, Digital Literacy, Gateway Servers, IT Network Security, Probing Questions, Test Case Management

Competencies

Action Oriented, Communicates Effectively, Cultivates Innovation, Ensures Accountability, Manages Complexity, Nimble Learning, Optimizes Work Processes, Persuades

Closing Date

03 July 2025, 23:59

The appointment will be made from the designated group in line with the Employment Equity Plan of Old Mutual South Africa and the specific business unit in question.
