BBVA is a global company with more than 160 years of history that operates in more than 25 countries where we serve more than 80 million customers. We are more than 121,000 professionals working in multidisciplinary teams with profiles as diverse as financiers, legal experts, data scientists, developers, engineers and designers.
The Cybersecurity UK & CE team is responsible for the implementation and continuous improvement of the CIB Corporate Security programme across the region, working closely with technology, risk, and business stakeholders to deliver practical and proportionate security outcomes.
About the job:
Key Responsibilities:
Third-Party Cyber & IT Risk:
Assess third-party suppliers’ capability to manage technology and cyber risk.
Support evaluation of residual risk following application of relevant control frameworks.
Coordinate and perform due diligence and third-party competency validation for Tier 1 and Tier 2 suppliers prior to contract signature.
Support contractual embedding of IT risk requirements, including risk-inclusive clauses.
Obtain and assess third-party assurance artefacts (e.g. SOC, ISAE) where required.
Track and support remediation of third-party risk findings ahead of contract renewal.
Contribute to the development of proportionate exit strategies for critical suppliers.
Cyber & Third-Party Resilience:
Support cyber-led third-party resilience activities, including dependency mapping and concentration risk assessment.
Translate supplier risks into resilience considerations for important business services.
Support development of realistic cyber and third-party disruption scenarios.
Coordinate with relevant stakeholders to ensure resilience considerations are reflected consistently across plans and artefacts.
Cyber Operational Resilience:
Support cyber operational resilience activities, including service mapping, scenario coordination, and documentation.
Assist with preparation and coordination of resilience exercises and follow-up actions.
Contribute to clear, regulator-ready narratives aligned to UK and EU expectations.
Support consistency of approach across UK & CE offices, including Milan, Paris, and Frankfurt.
What are we looking for?
Experience:
At least 5 years of experience in cyber risk, IT risk, third-party risk, or related disciplines within a regulated environment.
Exposure to supplier risk assessment, control assurance, or contractual risk considerations.
Some experience or interest in operational resilience, business continuity, or technology disruption scenarios.
Comfortable working across Cyber, IT, Risk, Procurement, and business teams.
Skills & Knowledge:
Cyber-literate, with the ability to understand technology services, dependencies, and common failure modes.
Familiarity with IT risk control concepts and third-party assurance artefacts (e.g. SOC, ISAE).
Awareness of UK Operational Resilience requirements (BoE, PRA, FCA), and relevant European regulations (EBA, DORA, GDPR).
Able to analyse, document, and explain complex supplier and service relationships.
Professional Skills:
Strong coordination and stakeholder engagement skills.
Clear, structured written communication suitable for risk and regulatory contexts.
Organised and detail-oriented, with the ability to track actions across multiple parties.
Able to operate independently, exercising sound judgement and escalating appropriately when required.
Qualifications:
Degree-level education or equivalent experience.
Relevant certifications are advantageous but not required.
English proficiency required; Spanish is a plus.
Please note that priority will be given to candidates who are eligible to work in the UK.
Skills:
Business, Control Frameworks, Cyber Risks, Due Diligence, Information Technology (IT) Risk, Legal Practices, Risk Assessments, Supplier Risk Assessment, Third Party Risk Management