Cyber Assurance Lead – Supplier/Vendor Risk

Company: SpaceX
Location: West Athens, CA, USA
Salary: $125000 – $175000
Type: Full-Time
Degrees
Experience Level: Senior

Requirements

  • High school diploma or equivalency certificate.
  • 5+ years of experience (can be concurrent) in utilizing security-relevant tools, systems, and applications in support of cyber/information security or third-party/supplier risk management, vulnerability management, or continuous monitoring, e.g., NESSUS, Tenable.io, Qualys, DISA STIGs, SCAP, or other vulnerability or vendor risk rating tools.
  • 5+ years of experience (can be concurrent) with control testing, security standards/policy implementation, security audits, or security risk management.

Responsibilities

  • Lead, plan, prepare for, schedule, and coordinate security assessments and audits and identify where security controls deviate from acceptable configurations, policy or standards. Drive necessary corrective actions with suppliers or internal partners with urgency and efficiency.
  • Gain a comprehensive understanding of our key suppliers, identify the types of data they maintain, and determine the most effective processes for driving corrective actions.
  • Act as one of the key Assurance points of contact for supply chain cybersecurity activities to assist suppliers with mitigating risk to SpaceX data.
  • Continuously monitor changes in supplier risk profiles and support cross-functional investigations to address both immediate and root causes, aiming to reduce risk and enhance the security of company data.
  • Support supplier incident investigations, including identifying data loss, and work with Reliability Engineers or Buyers to assess potential impact. Coordinate root cause analysis and ensure a clear implementation plan for corrective actions is established.
  • Communicate assessment results, track corrective action plans to ensure progress, and escalate issues when progress stalls or is blocked.
  • Develop and promote cybersecurity and information security awareness and training for internal teams and suppliers.
  • Develop, maintain, monitor, and improve appropriate internal controls and policies to protect SpaceX systems and data.
  • Contribute to and enhance the continuous improvement of information assurance processes and systems.
  • Stay informed on regulatory changes, compliance guidelines, assessment methods, and emerging tactics; assist with updates to controls, policies, and procedures accordingly.

Preferred Qualifications

  • Proven experience working with internal or external organizations to prepare for, conduct, and manage audits efficiently and effectively.
  • Experience working with stakeholders within the supply chain or manufacturing space.
  • Ability to manage and prioritize multiple concurrent requests while setting realistic expectations with stakeholders.
  • Strong understanding of security program and control frameworks, assessment methodologies, and practices, e.g., NIST RMF, NIST CSF, ISO-27001, 800-53(a), 800-171(a), CMMC, CNSSI 1253, 800-137, PCI-DSS, GDPR, etc.
  • Strong understanding of data controls and compliance regimes including CUI, ITAR/EAR, PCI, PII, etc.
  • Technical project and/or operations management skills.
  • Experience balancing compliance requirements and data collection with the operational priorities of others, maintaining progress and strong relationships to ensure objectives are met.
  • Using lessons learned to improve processes.
  • CISSP, CIPT, CISM, CISA, GNSA or equivalent certification.