Lead - Cybersecurity Third-Party Risk Management
Freshworks
Overview
Position Type
Full Time
Experience
5+ years
Job Description
Freshworks is seeking a seasoned Third-Party Risk Management (TPRM) professional to join our Cybersecurity GRC team. This is a senior individual contributor role responsible for designing and operating a robust, scalable TPRM programme that keeps pace with Freshworks' rapid growth and expanding regulatory obligations. You will own the end-to-end vendor risk lifecycle, from intake and assessment through ongoing monitoring to offboarding, while contributing to audit readiness, SOX IT control testing, and cross-functional GRC initiatives. You will work closely with Procurement, Legal, Privacy, and Engineering to embed vendor risk thinking directly into how Freshworks buys and manages third-party relationships.
Key Responsibilities
Third-Party Risk Management
- Own and operate the full TPRM lifecycle: vendor intake, inherent risk tiering, due diligence assessments, remediation tracking, periodic re-assessments, and offboarding.
- Design, implement, and continuously improve TPRM controls, frameworks, and policies aligned to industry best practices (ISO 27001, NIST CSF, SOC 2, CIS).
- Conduct deep-dive vendor reviews, including evaluation of SOC 1, SOC 2, and SOC 3 reports: assess scope and period covered, report type and auditor opinion, bridge letters, noted exceptions, and complementary user entity controls (CUECs).
- Review and critically assess vendor ISO 27001 and ISO 27701 certificates, verifying scope, certification body accreditation, Statement of Applicability alignment, and surveillance/renewal status.
- Analyse Standardized Information Gathering (SIG) questionnaire responses (Core SIG, SIG Lite) and other security questionnaires (CAIQ, VSAQ, custom formats) with rigour and commercial awareness.
- Administer and optimise the procurement platform for TPRM intake routing, review workflow management, and milestone tracking; collaborate on workflow configuration and UAT.
GRC & Audit Support
- Support SOX IT General Controls (ITGC) testing, including access management, change management, and computer operations controls, and liaise with external auditors during fieldwork.
- Assist with SOC 2 Type II audit cycles: evidence collection, control narratives, gap remediation, and bridge letter coordination for sub-service organisations.
- Maintain GRC evidence repositories in NetSuite and Graphite GRC; ensure control mapping is current and audit-ready at all times.
- Coordinate responses to customer security questionnaires and third-party due diligence requests, working with the broader GRC team.
Data Security & Privacy
- Apply a thorough understanding of data security principles — least privilege, data classification, encryption at rest and in transit, DLP, and access controls — when evaluating vendor security posture.
- Incorporate data privacy requirements (GDPR, India DPDPA, CCPA/CPRA) into vendor assessments; identify sub-processor risks and escalate appropriately to the Privacy function.
Stakeholder Engagement & Continuous Improvement
- Act as a trusted partner to Procurement, Finance, Legal, and Engineering on vendor risk matters; participate in vendor selection panels for high-risk or strategic suppliers.
- Develop and maintain TPRM metrics, dashboards, and executive reporting; present risk posture and programme health to senior leadership.
- Drive tooling improvements and automation across the TPRM stack