Security Engineer - Third party Assurance

About The Position

Requirements

• Either advanced studies in Cybersecurity, Computer Science, Information Systems, or similar
• Excellent written and verbal communication skills, including the ability to effectively collaborate with technical and senior business staff and management.
• 5+ years of experience in GRC (Governance, Risk, and Compliance) or Information Security, with 3+ years leading a TPRM/Vendor Risk program.
• Deep practical knowledge of industry assessment standards (e.g., SOC 2, ISO 27001, SIG, CSA STAR).
• Excellent analytical and communication skills to translate technical risk into business impact for stakeholders and Cloudflare end-to-end
• Experience with GRC platforms (e.g., ServiceNow GRC, Archer) for workflow automation.
• Advanced knowledge with hands-on in Cloud Architecture, Data Encryption,Application Security and IAM Architecture
• Legal/Contractual experience relating to security clauses and Service Level Agreements (SLAs).
• Experience working in a global vendor landscape.

Nice To Haves

• Certifications: CRISC, CTPRP (Certified Third-Party Risk Professional), or CISA.

Responsibilities

• Provide input on technical security requirements for new infrastructure and engineering initiatives.
• Assist with documentation and maintenance of the corporate security architecture blueprints.
• Assess the security posture of vendors, suppliers, and external partners.
• Perform complex security due diligence, managing risk remediation plans, and ensuring contractual security clauses are enforced throughout the vendor lifecycle.
• Conduct in-depth technical security assessments of new software, hardware, and services by evaluating system architecture, data flows, and infrastructure controls.
• Review external vulnerability scans and security configuration evidence provided by vendors to identify potential exposure points prior to procurement.
• Audit SaaS-to-SaaS and API-based integrations to ensure they follow the principle of least privilege and do not utilize over-privileged scopes or insecure authentication methods.
• Establish and enforce baseline security requirements for new software installations, covering encryption standards, multi-factor authentication (MFA), automated user provisioning/deprovisioning (SCIM), and SSO integration.
• Perform periodic reviews of existing implementations to detect and remediate "configuration drift," such as unauthorized public data shares or legacy administrative accounts.
• Utilize automated discovery tools to identify unmanaged SaaS applications (Shadow IT) and evaluate their security posture against corporate standards.
• Partner with internal business owners and vendors to track identified security gaps and ensure technical remediation occurs within agreed-upon SLAs.
• Provide technical expertise during third-party security incidents, assessing the impact on internal systems and validating vendor recovery and forensic efforts.
• Evaluate vendor Business Continuity and Disaster Recovery (BCDR) plans, including the verification of recent failover test results and tabletop exercises.
• Review vendor-side network segmentation, firewall configurations, and DDoS protection strategies for all critical cloud-hosted service implementations.
• Perform rigorous technical security reviews of vendor integration configurations throughout the entire partnership lifecycle—including implementation and ongoing use—to ensure continuous compliance with security standards.
• Assess completion of vendor offboarding processes, focusing on revoking system access, auditing final data handling, and validating post-offboarding security requirements.
• Understand External Attack Surface Management (EASM) and Fourth-Party Risk
• Understand how to interpret penetration test summaries and vulnerability scan results provided by the vendor.