OutSystems

Lead Analyst, Security Strategy & Assurance

OutSystems · $100K — $130K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree in Computer Science, Information Security, or related field, or equivalent experience.
  • 7-10 years of experience in information security, risk management, or compliance, with at least 3-4 years focused on third-party or vendor risk.
  • Demonstrated experience owning and maturing a Third Party Risk Management (TPRM) program, including framework design and remediation management.
  • Strong knowledge of enterprise risk management frameworks like NIST RMF and ISO 31000, and security control frameworks such as ISO 27001 and SOC 2.
  • Experience with internal and external audits across certifications such as SOC 2, ISO 27001, or equivalent.
  • Ability to operate autonomously, define scope on complex projects, and drive cross-functional alignment.
  • Excellent communication skills.

Responsibilities

  • Own and mature the Third Party Risk Management Program.
  • Lead end-to-end vendor risk assessments and architect scalable processes.
  • Proactively identify and close gaps in current TPRM practices against industry standards.
  • Partner with various departments to embed risk requirements into vendor operations.
  • Maintain the vendor risk inventory and report on status to leadership.
  • Own and evolve the enterprise risk register for the Security division.
  • Design and facilitate risk workshops with business leaders to surface emerging risks.

Benefits

  • Mentorship opportunities within the team.
  • Autonomy in project execution and decision-making.
  • Chance to influence risk management strategies across the organization.
  • Cross-functional collaboration with multiple departments.
  • Continuous improvement and optimization of risk management processes.
Full Job Description
About This Role

If you thrive at the intersection of risk, compliance, and strategic impact, this role offers a unique opportunity to define and lead two of the most critical programs within OutSystems' Security function. As a Lead Analyst on the Security Strategy and Assurance team, you will own our Third Party Risk Management (TPRM) program and drive enterprise risk activities that directly shape how OutSystems manages risk across its vendor ecosystem and broader business.

This is a lead role, meaning you will operate with significant autonomy, define the scope and approach for complex, cross-functional initiatives, and serve as the go-to expert in your domain. You will architect solutions to close gaps between current practices and desired outcomes, build lasting stakeholder relationships, and mentor junior colleagues on the team.

If you are someone who brings deep expertise in vendor risk and compliance, excels at breaking down ambiguous goals into actionable programs, and wants to leave a measurable imprint on an organization's security posture, we want to meet you.

What You'll Do

Own and Mature the Third Party Risk Management Program
  • Define and drive OutSystems' TPRM strategy, including risk tiering methodology, assessment frameworks, and ongoing monitoring cadences for critical and high-risk vendors.
  • Lead end-to-end vendor risk assessments and architect scalable processes that can grow with the business.
  • Proactively identify gaps between current TPRM practices and industry standards, and build solutions to close them.
  • Partner with Digital, Procurement, Legal, and Engineering to embed risk requirements into vendor selection and contracting, influencing how partner teams operate.
  • Maintain the vendor risk inventory, track remediation of identified issues, and report status to leadership with clarity and consistency.
  • Monitor the threat and regulatory landscape for developments that affect the third-party risk surface.


Lead Enterprise Risk Activities
  • Own and evolve the enterprise risk register for the Security division, ensuring risks are consistently identified, assessed, and treated across business units.
  • Design and facilitate risk workshops with functional and business leaders to surface emerging risks and validate control effectiveness.
  • Develop key risk indicators (KRIs) and produce executive-level risk reporting, including dashboards and trend analyses, that connect security posture to business outcomes.
  • Integrate risk management into business planning cycles and cross-functional initiatives, ensuring security considerations are embedded early.


Drive Compliance Strategy and Audit Readiness
  • Serve as a senior contributor to compliance programs supporting certifications such as SOC 2, ISO 27001, PCI, HIPAA, and regional regulatory frameworks, elevating the work beyond execution to program ownership and continuous improvement.
  • Act as the primary point of contact for internal and external audits related to vendor and enterprise risk controls.
  • Assess the applicability of emerging regulatory requirements to OutSystems and translate them into actionable program changes.
  • Identify and close structural gaps in compliance documentation, control coverage, and audit readiness processes.


Drive Operational Excellence and Process Improvement
  • Proactively identify inefficiencies in existing workflows, including evidence collection, audit preparation, risk tracking, and vendor assessment processes, and architect improvements that reduce manual effort and increase throughput.
  • Lead the adoption and optimization of GRC tooling and automation, ensuring the team gets maximum value from its platforms and reducing reliance on manual tracking.
  • Define repeatable, scalable operating procedures for TPRM and enterprise risk activities so that program quality does not depend on individual heroics.
  • Establish and track operational metrics that measure program health, team efficiency, and process maturity over time.


Mentor, Influence, and Build
  • Mentor team members, helping them connect their work to the "why" behind risk and compliance objectives.
  • Develop and maintain policies, standards, and procedures that govern TPRM and enterprise risk across the organization.
  • Drive tooling improvements and automation opportunities within the GRC platform to improve program scalability and efficiency.
  • Represent the Security team in cross-functional forums and build strong working relationships with stakeholders at the Lead level and above across Engineering, Digital, Legal, and Finance.


Qualifications & Requirements
  • Bachelor's degree in Computer Science, Information Security, or a related field, or equivalent experience.
  • 7-10 years of experience in information security, risk management, or compliance, with at least 3-4 years focused on third-party or vendor risk.
  • Demonstrated experience owning and maturing a TPRM program, including framework design, risk tiering, and remediation management.
  • Strong working knowledge of enterprise risk management frameworks (e.g., NIST RMF, ISO 31000, COSO) and security control frameworks (ISO 27001, SOC 2, NIST CSF).
  • Experience supporting or leading internal and external audits across certifications such as SOC 2, ISO 27001, or equivalent.
  • Ability to operate with significant autonomy, define scope on complex and ambiguous projects, and drive cross-functional alignment.
  • Excellent communication skills.


Preferred Qualifications
  • Professional certifications such as CRISC, CISM, CISSP, CISA, or ISO 27001 Lead Implementer/Auditor.
  • Familiarity with GRC platforms.
  • Knowledge of emerging third-party risk regulations such as DORA, NIS2, or CMMC.
  • Experience with PCI DSS, HIPAA, or regional compliance frameworks.
  • Background in a SaaS or cloud technology company environment.
  • Experience mentoring or coaching junior team members.

About OutSystems

OutSystems is a software company that provides a low-code platform for the development of mobile and web applications. The company was founded in 2001 in Lisbon, Portugal, and has since expanded to have offices in 11 countries. OutSystems' platform allows users to create, deploy, and manage applications without the need for extensive coding knowledge. The company has been recognized by Gartner as a leader in the low-code development space.
Size: 1,200 employees
Industry:
Founded: 2001
