For over 80 years, GfK has been a reliable and trusted insight partner for the world’s biggest companies and leading brands who make a difference in every consumer’s life - and we will continue to build on this. We connect data, science and innovative digital research solutions to provide answers for key business questions around consumers, markets, brands and media. With our headquarters in Germany and a presence in around 60 countries worldwide, you benefit from our global company with a diverse community of ~9,000 employees.
Harnessing the power of our workforce, the greatest asset we have is our people. As part of GfK, you can take your future into your own hands. We value talent, skills and responsibility and support your development within our international teams. We are proud of our heritage and our future: Currently we are in the latter stages of a transformational journey from a traditional market research company to a trusted provider of prescriptive data analytics powered by innovative technology. This is only possible with extraordinary people and this is why we are looking for YOU to help create our future. For our employees as well as for our clients we pursue one goal: Growth from Knowledge!
This role will join a forward-thinking and transformational GRC Team within a wider Information Security function, using information security knowledge and best practice, along with pragmatic thinking and strong communication skills to build relationships and support the organisation in its challenge to maximise productivity while reducing risk and improving its security posture.
Areas of responsibility within the GRC Team include:
Information Security Governance and Strategy;
Information Security Risk Management;
Information Security Assurance;
Information Security Culture and Awareness;
Secure Design and Solution Security Architecture;
Customer Security Assurance;
Third Party Risk Management.
Reporting to the “Information Security Manager – GRC”, with wider working relationships across the Security Operations Centre, Enterprise Security and Product Security Teams, the role will initially be responsible for the leadership, operational management, development and improvement of the Customer Assurance and Third Party Risk Management role areas, but will be expected to work across all areas of the GRC Team remit and support the entire team in meeting its objectives through both Operational and Transformation work.
Within the Customer Assurance and Third Party Risk Management role areas, key responsibilities include but are not limited to:
Working alongside business/operational teams and the Secure Design function to build solution security architecture and define customer-facing documentation that demonstrates the Technical and Organisational Measures used by GfK to protect its assets both globally and by service offering;
Responding to security assurance questionnaires and audits requested by GfK’s key customers, assisting therefore with both securing business through contract negotiation and providing assurance of continued compliance with client and regulatory expectations;
Conducting vendor security and risk management assessments, advising both the business and vendors on emerging risks and the required control measures throughout the due diligence and contract processes;
Managing the negotiation of Vendor Security Agreements and maintaining continued assurance of existing vendors; and
Assistance with internal audits, providing security expertise to regional and organisational security assessments through the use of the ISF Standards of Good Practice.
Other areas of expected responsibility in support of the GRC Team or in future role changes may include:
Technical Risk Assessment and Risk Governance;
Policy and Standard Document Compilation;
Security Assessments of business areas in line with the ISF Standards of Good Practice;
Solution Design Security Assessment and Control Recommendation; and
Training and Awareness Activities.
Proven experience of applying Information Security methodologies across the breadth of an organisation, preferably with in-house Information Security experience and preferably within a global organisation providing technical solutions to clients;
Experience in prioritising and aligning information security objectives with business objectives;
Experience with Risk Management Frameworks or best practice Risk Methodology such as IRAM2 or ISO27005;
Experience with best-practice and framework security assessment and remediation;
Experience with business continuity and resilience definition, planning and testing;
Experience with external customer facing security assurance processes and customer contract negotiations;
Experience with vendor due diligence and risk management processes;
Experience of problem solving, solution design and transformation delivery for the improvement of business processes;
Knowledge of Penetration Testing methodologies and Vulnerability Management, with the ability (experience preferred) to scope Penetration Tests and escalate results or vulnerability reports to remediation plans or information security risks;
Excellent verbal communication skills with the ability to translate technical information into business-relevant information, and develop and maintain close working relationships, presenting the need for security to all personnel from senior leaders to specialist roles in a manner that encourages positive engagement and demonstrates the benefits of security in improving performance and profitability;
Excellent written communication skills with the ability to articulate risks in both a technical and business-relevant format, develop training and awareness campaigns in a clear and concise manner, and write policies and procedures in an understandable and unambiguous style;
Foundational Security Certification such as CISMP or Security+.
Hands-on experience with the ISF Standards of Best Practice;
Experience in Incident Escalation and Management in any capacity, with knowledge of best-practice Security Incident Management practices;
Developed theoretical knowledge of OWASP required, with experience reviewing architecture to identify risks and ensure adherence to secure design principles desirable;
Any area of technical security expertise is not required but is welcome and will be strongly considered, including: Hands-On Network Security and Configuration, Penetration Testing, Hands-On Cloud Security Architecture, Intrusion Analysis or Computer Forensics, and Security Engineering, Secure Code Analysis or DevSecOps;
Any recognised certification relating to the above areas of technical security expertise;
Senior Security Management Certification not required but is welcome and will be strongly considered, including: CISM, CISSP, CASP or similar.
We are an ethical and honest company that is wholly committed to its clients and employees. We are proud to be an inclusive workplace for all and are committed to equal opportunity in employment which focuses on all of our employees reaching their full potential. At GfK we work collaboratively with our colleagues but offer a flexible working approach, including dividing our time between office & remote working as well as the opportunity to flex our working hours around team core hours.
We offer an exciting work environment that brings people together. We encourage an entrepreneurial and innovative spirit. We make use of the latest digital technologies. We are looking for self-starters, who accept challenges and create solutions.
Can there be a better place to take center stage in the digital revolution? We are excited to get to know you!