Info Security Specialist

**Overview**

The main purpose of the role is to lead, manage, and own the activities necessary to perform information security risk assessments on the third parties with which PepsiCo enters a business relationship for services around the world of varying levels of criticality and complexity. The third-party information security risk assessor will act as a trusted liaison providing guidance, counsel, direction, and support to Business Teams and other stakeholders at various levels (including executive leadership) around the globe to better manage PepsiCo risks by performing third-party information security risk assessment activities. This role will also advocate awareness and execution of other critical third-party related security assessment activities such as ensuring contracts include the required Global Information Security Requirements (GISR) and completion of Payment Card Industry Data Security Standards (PCI-DSS) assessments. The third-party information security risk assessor will drive various process improvement initiatives and efforts to further enhance the TPSRM assessment process and other PepsiCo initiatives globally.

**Responsibilities**
- Lead, manage, and own the activities necessary to perform information security risk assessments on the global third parties with which PepsiCo enters a business relationship for services of varying criticality and complexity. At the conclusion of the assessment process, this position will make a determination of whether the third party exposes PepsiCo to security risks or not, and make a decision on the remediation actions to pursue. Failure to do so properly can expose PepsiCo to significant risks.
- Act as a trusted liaison providing direction, guidance, and counsel to Business Teams and other stakeholders at various levels (including executives) around the globe in support of third-party information security risk assessment activities. This requires a great level of technical and client relationship expertise to properly provide accurate advice. Not doing so could lead Business Teams in the wrong direction and potential prolong or severely impact the success of initiatives.
- Advocate and be an ambassador of other critical third-party related security assessment activities such as ensuring contracts include the required Global Information Security Requirements (GISR) and completion of Payment Card Industry Data Security Standards (PCI-DSS) assessments. The Assessor is commonly a critical link to identify when GISR and/or PCI actions are needed. Therefore, this role will have a material impact on educating Business Teams and providing direction to further those initiatives.
- Partner with stakeholders to drive various process improvement initiatives and efforts to further enhance the TPSRM assessment process (such as introduction of CyberGRX capabilities) and other PepsiCo initiatives. In this capacity the position will set the direction of key initiatives and their implementation with Business Teams around the globe. This role will work to obtain buy in from Business Teams and then further their adherence through training and follow-up.
- Develop innovate mechanisms to allow critical documentation to be securely stored and readily available for analysis and reporting purposes. The data captured and archived is critical to ensure historical references, manage day-to-day third-party risks, review trends and work management initiatives, and provide as evidence of adherence to regulatory, compliance, and policy requirements.

**Qualifications**

Mandatory Technical Skills:

- Strong third-party information (cyber) security risk assessment skills to evaluate functional and technical capabilities of third parties.
- In depth technical experience and knowledge of infrastructure technologies, network, web, computing, cloud services, manufacturing equipment, mobile devices, DevSecOps principles, threat modeling, and information (cyber) security, allowing this role to provide technical leadership and coaching to other members of the organization.
- Thorough understanding of Confidentiality, Integrity, and Availability controls, Privacy laws, as well as PCI-DSS compliance assessment (SAQ, ISA, QSA) principles.
- Comprehensive technical and functional understanding of various information security solutions, technologies, and industry-leading practices, allowing this role to provide recommendations, support key decisions, and contribute to industry forums.
- Technical and business expertise and savviness to drive information security requirements/ clauses in third-party contracts, together with people skills to negotiate requirements with third-party representatives.
- Strong understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business, allowing them to meet their strategic objectives.
- Bachelor’s degree, master’s degree preferable.
- 7-10 years of experience in third-party information security risk co