Lead Analyst, Security Strategy & Assurance

About The Position

Requirements

• Bachelor’s degree in Computer Science, Information Security, or a related field, or equivalent experience.
• 7–10 years of experience in information security, risk management, or compliance, with at least 3–4 years focused on third-party or vendor risk.
• Demonstrated experience owning and maturing a TPRM program, including framework design, risk tiering, and remediation management.
• Strong working knowledge of enterprise risk management frameworks (e.g., NIST RMF, ISO 31000, COSO) and security control frameworks (ISO 27001, SOC 2, NIST CSF).
• Experience supporting or leading internal and external audits across certifications such as SOC 2, ISO 27001, or equivalent.
• Ability to operate with significant autonomy, define scope on complex and ambiguous projects, and drive cross-functional alignment.
• Excellent communication skills

Nice To Haves

• Professional certifications such as CRISC, CISM, CISSP, CISA, or ISO 27001 Lead Implementer/Auditor.
• Familiarity with GRC platforms.
• Knowledge of emerging third-party risk regulations such as DORA, NIS2, or CMMC.
• Experience with PCI DSS, HIPAA, or regional compliance frameworks.
• Background in a SaaS or cloud technology company environment.
• Experience mentoring or coaching junior team members.

Responsibilities

• Own and Mature the Third Party Risk Management Program: Define and drive OutSystems’ TPRM strategy, including risk tiering methodology, assessment frameworks, and ongoing monitoring cadences for critical and high-risk vendors.
• Lead end-to-end vendor risk assessments and architect scalable processes that can grow with the business.
• Proactively identify gaps between current TPRM practices and industry standards, and build solutions to close them.
• Partner with Digital, Procurement, Legal, and Engineering to embed risk requirements into vendor selection and contracting, influencing how partner teams operate.
• Maintain the vendor risk inventory, track remediation of identified issues, and report status to leadership with clarity and consistency.
• Monitor the threat and regulatory landscape for developments that affect the third-party risk surface.
• Lead Enterprise Risk Activities: Own and evolve the enterprise risk register for the Security division, ensuring risks are consistently identified, assessed, and treated across business units.
• Design and facilitate risk workshops with functional and business leaders to surface emerging risks and validate control effectiveness.
• Develop key risk indicators (KRIs) and produce executive-level risk reporting, including dashboards and trend analyses, that connect security posture to business outcomes.
• Integrate risk management into business planning cycles and cross-functional initiatives, ensuring security considerations are embedded early.
• Drive Compliance Strategy and Audit Readiness: Serve as a senior contributor to compliance programs supporting certifications such as SOC 2, ISO 27001, PCI, HIPAA, and regional regulatory frameworks, elevating the work beyond execution to program ownership and continuous improvement.
• Act as the primary point of contact for internal and external audits related to vendor and enterprise risk controls.
• Assess the applicability of emerging regulatory requirements to OutSystems and translate them into actionable program changes.
• Identify and close structural gaps in compliance documentation, control coverage, and audit readiness processes.
• Drive Operational Excellence and Process Improvement: Proactively identify inefficiencies in existing workflows; including evidence collection, audit preparation, risk tracking, and vendor assessment processes, and architect improvements that reduce manual effort and increase throughput.
• Lead the adoption and optimization of GRC tooling and automation, ensuring the team gets maximum value from its platforms and reducing reliance on manual tracking.
• Define repeatable, scalable operating procedures for TPRM and enterprise risk activities so that program quality does not depend on individual heroics.
• Establish and track operational metrics that measure program health, team efficiency, and process maturity over time.
• Mentor, Influence, and Build: Mentor team members, helping them connect their work to the “why” behind risk and compliance objectives.
• Develop and maintain policies, standards, and procedures that govern TPRM and enterprise risk across the organization.
• Drive tooling improvements and automation opportunities within the GRC platform to improve program scalability and efficiency.
• Represent the Security team in cross-functional forums and build strong working relationships with stakeholders at the Lead level and above across Engineering, Digital, Legal, and Finance.

Benefits

• Real growth opportunities. We don't just talk about development; we invest in it through structured programs designed to scale your expertise.
• Whether you are aiming for vertical progression, exploring lateral moves into new domains, or mastering specialized AI skills through our Professional Development Fund and Internal Mobility Program, we provide the resources to get you there.
• A global collective of world-class talent, where you’ll collaborate with enterprise software legends and sought-after thought leaders.
• At OutSystems, our industry experts aren't just visionaries—they are accessible, approachable mentors who are deeply invested in your growth as we architect the agentic future together.
• OutSystems nurtures an inclusive culture where talented individuals from all backgrounds are empowered to learn, experiment and make an impact.
• We believe that driving our next phase of growth requires the radical creativity that only comes from diverse perspectives.
• We are committed to building a team as global and diverse as the organizations we serve, ensuring every individual can perform to their full potential.
• As an equal opportunity employer, all qualified applicants receive equal consideration regardless of race, origin, religion, sex, sexual orientation, gender identity, disability, veteran status, or any other protected status.