Sr. Analyst, Information Security (Third-Party Risk Management)

Your Impact
The Third-Party Risk Senior Analyst is responsible for leading the assessment, monitoring, and mitigation of risks associated with the organization's third-party relationships. This role will work cross-functionally with cybersecurity, legal, procurement, compliance, and business stakeholders to ensure vendors meet the company's security, privacy, regulatory, and operational resilience standards. The ideal candidate will leverage industry best practices, risk quantification methodologies (e.g., FAIR), AI-driven assessment tools, and threat intelligence to strengthen third-party oversight across the enterprise.
What You Will Do;

• Conduct Risk Assessments
  • Evaluate third parties (vendors, partners, suppliers) for information security and operational risks.
• Review Security Documentation
  • Analyze SOC reports, ISO certifications, SIG questionnaires, and other compliance materials.
• Monitor Risk Posture
  • Continuously monitor third-party performance and security standing using internal tools and threat intelligence platforms.
• Perform Due Diligence
  • Support onboarding and periodic reviews of third parties to ensure compliance with regulatory and company standards.
• Collaborate Across Teams
  • Work closely with procurement, legal, InfoSec, and compliance to assess and manage vendor risk throughout the lifecycle.
• Maintain Risk Inventory
  • Track and maintain an accurate inventory of third parties and associated risks.
• Support Risk Remediation
  • Identify gaps and work with internal stakeholders and vendors to remediate control deficiencies.
• Report on Risk Metrics
  • Create dashboards and reports to communicate risk findings, trends, and remediation status to leadership.
• Stay Current on Threat Landscape
  • Research emerging threats (cybersecurity, geopolitical, regulatory) that may impact third-party relationships.
• Assist in Framework Alignment
  • Ensure assessments align with risk frameworks (e.g., NIST, ISO, FAIR, SIG) and regulatory requirements (e.g., GDPR, CCPA).

Security Third-Party Risk Management Responsibilities:

• Conduct third-party risk assessments (online as well as possibly onsite) to identify and evaluate potential risks (including cyber security, regulatory compliance, and operational risks).
• Undertake due diligence on prospective vendors, including assessing their security controls, policies, and procedures, and consolidate information towards evaluating their overall cyber risk posture.
• Execute processes to continuously monitor and assess the ongoing security posture and performance of third-party vendors.
• Work with vendors to address identified risks, establish risk mitigation plans, and monitor the implementation of remediation actions till closure. Ensure accurate and up-to-date records of assessments and associated risk mitigation activities.
• Foster effective relationships with vendors, serving as a point of contact for cyber risk-related matters and facilitating ongoing communication and collaboration.
• Monitor vendor compliance with information security obligations, applicable regulations, and standards.
• Prepare reports, presentations, and other materials to communicate TPRM strategies and risks to stakeholders and provide regular reporting on vendor risk and compliance status to stakeholders and top management.
• Aid in the development of TPRM metrics and dashboard to provide visibility into the vendor's risk posture and recommend improvements.
• Develop and review TPRM strategies, policies, and standards.
• Collaborate with stakeholders to ensure a coordinated and effective approach to TPRM.

Minimum Qualifications

• 4 Years of Experience in information security or equivalent military experience.

Preferred Skills/Education

• Bachelor's Degree in Computer Science, CIS, Engineering, Business Administration, Cybersecurity, or related field (or equivalent work experience in a related field)
• IT experience in the retail industry
• Experience with Open-Source Intelligence (OSINT) tools and investigations
• Experience with information security programs, audits, controls, assessments, risk assessments, or remediation management
• Experience conducting information security risk assessments of vendors and vendor software
• Hands-on experience on GRC Applications & TPRM tools like Archer, LogicGate, SAP GRC, OneTrust, ProcessUnity, ServiceNow, BitSight, Prevalent, Black Kite, etc.
• Retail business experience, Experience with open-source Tools.
• Experience with Vulnerability Management in Public/Hybrid cloud environments.
• Understanding of Secure Software Lifecycle Development.
• Relevant information security certifications (CISSP, CISM, CISA, CRISC, CTPRP, CTPRA, Security+, etc.)

Where You'll Be;

• Associates are required to relocate to the Charlotte region to foster collaboration and facilitate improved testing and support.
• Lowe's supports a Flex Office concept where in-person work is required two days per week at the Charlotte Tech Hub
• Most business meetings are planned around the Eastern time zone.

About Lowe's
Lowe's Companies, Inc. (NYSE: LOW) is a FORTUNE® 50 home improvement company serving approximately 16 million customer transactions a week in the United States. With total fiscal year 2024 sales of more than $83 billion, Lowe's operates over 1,700 home improvement stores and employs approximately 300,000 associates. Based in Mooresville, N.C., Lowe's supports the communities it serves through programs focused on creating safe, affordable housing, improving community spaces, helping to develop the next generation of skilled trade experts, and providing disaster relief to communities in need. For more information, visit Lowes.com.
Lowe's is an equal opportunity employer and administers all personnel practices without regard to race, color, religious creed, sex, gender, age, ancestry, national origin, mental or physical disability or medical condition, sexual orientation, gender identity or expression, marital status, military or veteran status, genetic information, or any other category protected under federal, state, or local law.