At Asana, security is foundational to our mission of helping teams work together effortlessly. Our security team protects Asana’s employees, users, and customers by proactively addressing threats, ensuring compliance with legal and regulatory requirements, and fostering a culture of security throughout our product and operations. We are a team of security engineers and risk and compliance practitioners who build innovative safeguards and collaborate across the organization to build and maintain trust at scale.
As the Third Party Risk Management Lead, you will be responsible for building and running Asana’s Third Party Risk Management (TPRM) program. You will own the end-to-end lifecycle of vendor security risk — from initial due diligence and risk tiering through ongoing monitoring and remediation. You will work closely with Procurement, Legal, Privacy, and Engineering teams to ensure that our third-party relationships are effectively assessed, tracked, and managed.
This role is based in our Warsaw office with an office-centric hybrid schedule. The standard in-office days are Monday, Tuesday, and Thursday. Most Asanas have the option to work from home on Wednesdays. Working from home on Fridays depends on the type of work you do, and your recruiter can share more about the in-office requirements.
Our employees in Poland are employed under a contract of employment.
What you’ll achieve
- Own and scale Asana’s TPRM program: Design, implement, and continuously improve a risk-based framework for assessing and managing third-party vendors and service providers. Establish risk tiering criteria, assessment workflows, and governance processes that scale with business growth.
- Lead vendor security assessments: Conduct and oversee security due diligence for new and existing vendors, including reviewing SOC 2 reports, ISO 27001 certifications, security questionnaires (SIG, CAIQ), and other relevant documentation. Identify gaps and work with vendors to remediate findings.
- Drive remediation and risk acceptance: Track and manage open findings from vendor assessments, work with internal stakeholders to prioritize remediation, and facilitate formal risk acceptance processes where appropriate. Ensure findings are documented and resolved in a timely manner.
- Manage ongoing third-party monitoring: Develop and execute a continuous monitoring strategy for critical and high-risk vendors, including periodic reassessments, breach notifications, and security posture updates. Maintain an accurate and up-to-date vendor risk inventory.
- Review security provisions in vendor contracts: Collaborate with Legal and Privacy teams to assess and negotiate security-related clauses in vendor agreements, data processing addenda, and subprocessor agreements, ensuring alignment with Asana’s policies and obligations.
- Report on TPRM program health: Develop metrics and reporting to communicate the state of third-party risk to senior leadership and relevant stakeholders. Support audit and compliance activities by providing evidence of TPRM program effectiveness, including for SOC 2, ISO 27001, and customer audits.
- Operate globally: Work with a global team to ensure appropriate coverage and coordination across timezones, supporting vendor assessments and risk decisions that span multiple regions.
About you
- 5+ years of experience in third-party risk management, vendor risk assessment, or a related information security discipline.
- Strong knowledge of TPRM frameworks and standards, including SIG, CAIQ, NIST SP 800-161, ISO 27001, and SOC 2.
- Experience conducting vendor security assessments and reviewing third-party security documentation (audit reports, certifications, penetration test summ…