Freshworks

Lead - Cybersecurity Third-Party Risk Management

Company

Freshworks

Role

Lead - Cybersecurity Third-Party Risk Management

Location

Chennai, India

Job type

Full-time

Salary

Not disclosed by employer

Job description

Freshworks is seeking a seasoned Third Party Risk Management (TPRM) professional to join our Cybersecurity GRC team. This is a senior individual contributor role responsible for designing and operating a robust, scalable TPRM programme that keeps pace with Freshworks' rapid growth and expanding regulatory obligations.

You will own the end-to-end vendor risk lifecycle from intake and assessment to ongoing monitoring and offboarding while contributing to audit readiness, SOX IT control testing, and cross-functional GRC initiatives. You will work closely with Procurement, Legal, Privacy, and Engineering to embed vendor risk thinking directly into how Freshworks buys and manages third-party relationships.

Key Responsibilities

Third-Party Risk Management

  • Own and operate the full TPRM lifecycle: vendor intake, inherent risk tiering, due diligence assessments, remediation tracking, periodic re-assessments, and offboarding.
  • Design, implement, and continuously improve TPRM controls, frameworks, and policies aligned to industry best practices (ISO 27001, NIST CSF, SOC 2, CIS).
  • Conduct deep-dive vendor reviews, including evaluation of SOC 1, SOC 2, and SOC 3 reports: assessing scope, opinion type, bridge letters, exceptions, and complementary user entity controls (CUECs).
  • Review and critically assess vendor ISO 27001 and ISO 27701 certificates: verifying scope, certification body accreditation, statement of applicability alignment, and surveillance/renewal status.
  • Analyse Standard Information Gathering (SIG) questionnaire responses (Core SIG, SIG Lite) and other security questionnaires (CAIQ, VSAQ, custom formats) with rigour and commercial awareness.
  • Administer and optimise the procurement platform for TPRM intake routing, review workflow management, and milestone tracking; collaborate on workflow configuration and UAT.

GRC & Audit Support

  • Support SOX IT General Controls (ITGCs) testing, including access management, change management, and computer operations controls, and liaise with external auditors during fieldwork.
  • Assist with SOC 2 Type II audit cycles: evidence collection, control narratives, gap remediation, and bridge letter coordination for sub-service organisations.
  • Maintain GRC evidence repositories in NetSuite and Graphite GRC; ensure control mapping is current and audit-ready at all times.
  • Coordinate responses to customer security questionnaires and third-party due diligence requests, working with the broader GRC team.

Data Security & Privacy

  • Apply a thorough understanding of data security principles — least privilege, data classification, encryption at rest and in transit, DLP, and access controls — when evaluating vendor security posture.
  • Incorporate data privacy requirements (GDPR, India DPDPA, CCPA/CPRA) into vendor assessments; identify sub-processor risks and escalate appropriately to the Privacy function.

Stakeholder Engagement & Continuous Improvement

  • Act as a trusted partner to Procurement, Finance, Legal, and Engineering on vendor risk matters; participate in vendor selection panels for high-risk or strategic suppliers.
  • Develop and maintain TPRM metrics, dashboards, and executive reporting; present risk posture and programme health to senior leadership.
  • Drive tooling improvements and automation across the TPRM stack.

Experience

  • 5–10 years of progressive experience in Third-Party Risk Management, Vendor Risk Management, or GRC within a technology, SaaS, or financial services environment.
  • Demonstrated track record of designing and implementing TPRM control frameworks from concept through operationalisation.
  • Proven experience performing comprehensive vendor risk assessments independently, including managing complex or high-risk supplier portfolios.
  • Prior exposure to SOX ITGC testing or SOC 2 audit cycles, working directly with external auditors, is strongly preferred.

Technical Knowledge

  • In-depth expertise reading and interpreting SOC 1 and SOC 2 reports: opinion types, scope, exceptions, CUECs, and sub-service organisation carve-outs.
  • Strong ability to assess ISO 27001 and ISO 27701 certificates, including scope boundaries, certification body credibility, and alignment with stated control objectives.
  • Hands-on experience with SIG Core, SIG Lite, CAIQ, and other standardised security questionnaire frameworks.
  • Working knowledge of NetSuite for GRC evidence management and control tracking; experience with Graphite GRC for control frameworks and audit workflows.
  • Familiarity with ZIP as a procurement intake and workflow platform; experience configuring or testing TPRM routing rules is a plus.
  • Experience using Lema (or equivalent AI-powered TPRM platforms such as Prevalent, OneTrust, or Process Unity) for risk scoring and automated assessments.
  • Solid grounding in data security principles: access control models, encryption standards, network segmentation, vulnerability management, and incident response concepts.
  • Working knowledge of data privacy regulations: GDPR, India DPDPA, CCPA/CPRA; ability to assess vendor compliance posture against these requirements.

Certifications

Preference will be given to candidates holding one or more of the following. CTPRA and CTPRP are particularly valued for this role:

  • CISA
  • CISSP
  • CTPRA
  • CTPRP
  • CISM
  • CRISC
  • ISO 27001 LA
  • CDPSE
  • CCSP

Candidates actively pursuing any of the above certifications will also be considered.

At Freshworks, we have fostered an environment that enables everyone to find their true potential, purpose, and passion, welcoming colleagues of all backgrounds, genders, sexual orientations, religions, and ethnicities. We are committed to providing equal opportunity and believe that diversity in the workplace creates a more vibrant, richer environment that boosts the goals of our employees, communities, and business. Fresh vision. Real impact. Come build it with us.
