Haleon

Third Party Security Risk Analyst

Bengaluru Campus 31 | Posted Yesterday
Full-time | Onsite

Job Description

Welcome to Haleon. We’re a purpose-driven, world-class consumer company putting everyday health in the hands of millions. In just three years since our launch, we’ve grown, evolved and are now entering an exciting new chapter – one filled with bold ambitions and enormous opportunity.

Our trusted portfolio of brands – including Sensodyne®, Panadol®, Advil®, Voltaren®, Theraflu®, Otrivin®, and Centrum® – lead in resilient and growing categories. What sets us apart is our unique blend of deep human understanding and trusted science.

Now it’s time to realise the full potential of our business and our people. We do this through our Win as One strategy. It puts our purpose – to deliver better everyday health with humanity – at the heart of everything we do. It unites us, inspires us, and challenges us to be better every day, driven by our agile, performance-focused culture.

About the role

The Third-Party Security Risk Analyst is responsible for performing high‑quality third‑party cybersecurity risk assessments and continuous monitoring activities across the full supplier lifecycle, including Onboarding, Due Diligence, Contracting, Continuous Monitoring, and Offboarding.

The role conducts inherent risk reviews, detailed due‑diligence assessments, evaluates supplier controls, identifies security gaps, and works with suppliers and internal teams to define remediation plans. The Analyst also supports ongoing monitoring activities, including periodic reassessments, threat‑driven reviews, incident follow‑ups, and supplier offboarding validation.

The Analyst works closely with the Third-Party Security Risk Operations Lead to ensure consistent execution of methodologies, adherence to SLAs, high‑quality documentation, and accurate risk reporting.

Role Responsibilities 

  • Execute TPSRM activities across the full lifecycle, including onboarding risk segmentation, due diligence assessments, contracting security review, continuous monitoring tasks, and supplier offboarding checks.

  • Perform detailed third-party cybersecurity risk assessments, analyzing supplier responses, evaluating inherent and residual risks, validating supporting evidence, and documenting findings in accordance with TPSRM methodology.

  • Identify security gaps and support remediation governance, including proposing remediation actions, tracking supplier commitments, validating closure evidence, and escalating overdue or high-risk items.

  • Support continuous monitoring, conducting periodic reassessments, reviewing supplier security alerts/events, following up on incidents, and supporting onsite visit preparation where required.

  • Coordinate operational interactions with suppliers, business requestors, Procurement, TPRM, Legal, and security engineering teams, ensuring that assessments and risk decisions are completed efficiently and accurately.

  • Maintain high quality documentation, ensuring that assessments, remediation plans, evidence, risk ratings, and decisions are accurate, complete, consistent, and audit ready.

Business Expertise

  • Working knowledge of cybersecurity principles, supplier security requirements, and due‑diligence processes.

  • Understanding of cybersecurity frameworks such as ISO 27001, SOC 2, NIST CSF, CIS Controls, and cloud/data‑protection standards.

  • Familiarity with supplier assurance tools, TPRM platforms, GRC systems, and standardized assessment questionnaires (e.g., SIG/CAIQ).

  • Knowledge of procurement processes, contracting considerations, and vendor management best practices.

  • Ability to analyze complex technical information, interpret evidence, and derive well‑reasoned risk conclusions.

Problem Solving:

  • Evaluates incomplete or inconsistent information provided by suppliers and applies judgement to determine risk impacts and required remediation.

  • Balances the need for timely supplier onboarding with maintaining strong cybersecurity controls and adherence to risk tolerance thresholds.

  • Works across multiple stakeholder groups to resolve questions, clarify requirements, and address blockers related to supplier controls or contracting constraints.

  • Identifies patterns or recurring weaknesses across suppliers and proposes improvements to questionnaires, workflows, templates, and guidance.

Nature & Area of Impact:

  • Directly influences Haleon’s third‑party cyber risk posture by assessing the security of suppliers and identifying risks that could impact data protection, business continuity, or regulatory compliance.

  • Supports business demand by ensuring timely and accurate delivery of assessments that enable contracting and onboarding decisions.

  • Ensures that remediation plans are clear and effective, reducing ongoing operational and cyber risk exposure.

  • Supports audit readiness through proper documentation and evidence‑based risk decisions.

Interactions / Interpersonal Skills:

  • Interacts frequently with suppliers to obtain evidence, clarify responses, and validate remediation progress.

  • Works closely with internal stakeholders including Procurement, TPRM, Legal, Security Engineering, Data Protection, and business requestors.

  • Requires clear, concise written and verbal communication to explain complex security issues in an understandable manner.

  • Must be able to collaborate effectively across global teams, often under tight timelines.

  • Requires strong attention to detail and the ability to communicate risk in a structured and actionable way.

Why you?

Basic Qualifications:

  • Bachelor’s degree in Cybersecurity, Information Systems, Technology, Engineering, or a related field.

  • 5–7 years in security assurance, supplier assessments, technology risk, or GRC.

  • Experience performing cybersecurity or supplier risk assessments.

  • Familiarity with TPRM or TPSRM programs and supporting technologies.

  • Understanding of threat vectors, control requirements, and remediation planning.

  • Experience reviewing security evidence such as SOC 2 reports, penetration tests, and policy documentation.

  • Experience working with TPRM platforms, GRC tools, assessment systems, or security questionnaires.

  • Experience managing Third-Party Risk Management tools, such as OneTrust and UpGuard.

Preferred Qualifications:

  • Training or certifications in cybersecurity, risk management, cloud security, or supplier assurance.

  • Experience working with third‑party monitoring tools, questionnaire platforms, or security rating services.

  • Certifications such as ISO 27001 Foundations, Security+, CCSK, CISA, or equivalent.

Job Posting End Date: 2026-06-26

Equal Opportunities

Haleon are committed to mobilising our purpose in a way that represents the diverse consumers and communities who rely on our brands every day. It guides us in creating an inclusive culture, where different backgrounds and views are valued and respected – all in support of understanding and best serving the needs of our consumers and unleashing the full potential of our people. It’s important to us that Haleon is a place where all our employees feel they truly belong.

During the application process, we may ask you to share some personal information, which is entirely voluntary. This information ensures we meet certain regulatory and reporting obligations and supports the development, refinement, and execution of our inclusion and belonging programmes that are open to all Haleon employees. 

The personal information you provide will be kept confidential, used only for legitimate business purposes, and will never be used in making any employment decisions, including hiring decisions.

Adjustment or Accommodations Request

If you require a reasonable adjustment or accommodation or other assistance to apply for a job at Haleon at any stage of the application process, please let your recruiter know by providing them with a description of specific adjustments you are requesting. We’ll provide all reasonable adjustments to support you throughout the recruitment process and treat all information you provide us in confidence.

Note to candidates

The Haleon recruitment team will contact you using a Haleon email account (@haleon.com). If you are not sure whether the email you received is from Haleon, please get in touch.
