Analyst - Information Security

American Express

Job Location:

Madrid - Spain

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

We back you with benefits that support your holistic well-being so you can be and deliver your best. This means caring for you and your loved ones' physical, financial, and mental health, as well as providing the flexibility you need to thrive personally and professionally:

  • Competitive base salaries
  • Bonus incentives
  • Support for financial well-being and retirement
  • Comprehensive medical, dental, vision, life insurance, and disability benefits (depending on location)
  • Flexible working model with hybrid, onsite, or virtual arrangements depending on role and business need
  • Generous paid parental leave policies (depending on your location)
  • Free access to global on-site wellness centers staffed with nurses and doctors (depending on location)
  • Free and confidential counseling support through our Healthy Minds program
  • Career development and training opportunities

Offer of employment with American Express is conditioned upon the successful completion of a background verification check subject to applicable laws and regulations.

At American Express, our culture is built on a 175-year history of innovation, shared values and Leadership Behaviors, and an unwavering commitment to back our customers, communities, and colleagues. From delivering differentiated products to providing world-class customer service, we operate with a strong risk mindset, ensuring we continue to uphold our brand promise of trust, security, and service.
As part of Team Amex, you'll experience our powerful backing with comprehensive support for your holistic well-being and many opportunities to learn new skills, develop as a leader, and grow your career. Here, your voice and ideas matter, your work makes an impact, and together, you will help us define the future of American Express.

International Card Services (ICS) Governance & Control is responsible for supporting our international Issuing businesses across 28 international markets, excluding the USA. Colleagues operate across a variety of geographies and disciplines, ensuring a robust ICS first line of defence and playing an active role in supporting the ICS Business and our International Legal Entities to meet their growth objectives whilst demonstrating an effective control framework.

The organization partners closely with Third Party Lifecycle Management (TLM), Technology Risk and Information Security, Control Management, Risk Pillar owners, and Business stakeholders to ensure robust risk management across our third-party ecosystem.

How will you make an impact in this role?

The Third Party Risk Analyst will report to the Third Party Information Security Manager and will play a key role in supporting effective third-party risk management across ICS.

This role will primarily focus on Third-Party Information Security risk assessments, control evaluation, and advisory support to ICS business stakeholders. The Analyst will help ensure that third parties meet American Express Information Security standards, application lifecycle management requirements, and Third Party Lifecycle Management (TLM) expectations.

In addition, this role is designed to be flexible and may support broader Third Party Risk Management activities beyond Information Security, including due diligence reviews, reporting, issue follow-up, governance activities, and other third-party risk initiatives based on business priorities.

Key Responsibilities

  • Support Third-Party Information Security risk assessments, ensuring identified control gaps are clearly documented, risk-assessed, and tracked through remediation to closure. Partner with business stakeholders to collect required evidence and provide practical guidance on compensating controls and risk mitigation strategies where applicable.
  • Partner with Technology teams, Third Party Relationship Managers, and business stakeholders to drive compliance of application lifecycle management across third-party supported applications.
  • Provide clear, practical, and risk-based guidance to business stakeholders on information security, technology governance, and third-party risk requirements, translating technical risks into business-impact terms and identifying alternative or compensating controls where appropriate.
  • Support preparation of third-party risk reporting, dashboards, and leadership updates, leveraging data analysis and visual storytelling to highlight key risk themes, trends, and emerging issues.
  • Raise awareness and educate stakeholders on third-party information security expectations and technology risk management practices.
  • Identify opportunities to strengthen internal controls, enhance compliance posture, and improve the overall third-party risk management and governance framework.
  • Support regional or market-specific third-party risk activities, including regulatory, outsourcing, or compliance-related requirements where applicable.
  • Contribute to broader Third-Party Risk Management activities as needed, including due diligence reviews, ongoing monitoring, governance support, regulatory & audit response coordination, reporting, and ad hoc risk initiatives in line with business priorities.

Minimum Qualifications

  • Demonstrated understanding of Third-Party Risk Management, Information Security fundamentals, and technology risk principles.
  • Relevant experience in Information Security, Technology Risk, Third-Party Risk Management, Operational Risk, or related disciplines, including support of risk assessments, control reviews, or vendor due diligence activities.
  • Strong analytical skills with the ability to assess control design and effectiveness, identify gaps, and interpret risk data from multiple sources.
  • Ability to exercise sound judgment, constructively challenge where appropriate, and escalate risks in a clear and timely manner while maintaining effective stakeholder relationships.
  • Excellent verbal and written communication skills, with the ability to translate technical security and lifecycle management concepts into clear, business-focused language.
  • Experience preparing senior management reports, dashboards, and presentations using data-driven insights.
  • Strong proficiency in Microsoft Excel (data analysis), PowerPoint (executive-ready presentations), and Word (structured documentation).

Preferred Qualifications

  • Foundational knowledge across multiple Information Security domains (e.g. network security, data protection, identity and access management, secure development, cloud security) with an understanding of Third-Party Security Risk Management principles.
  • Familiarity with industry-recognized security frameworks and standards such as ISO 27001, PCI DSS, NIST, or comparable regulatory and control frameworks.
  • Relevant professional certifications (or actively working toward certification) such as CISA, CISM, CRISC, Security or similar risk and security credentials are a plus.
  • Experience supporting third-party due diligence, vendor risk assessments, or technology risk reviews, preferably within financial services or other regulated industries.
  • Exposure to international markets and multi-jurisdictional regulatory environments, with the ability to interpret and apply security and outsourcing requirements in a practical business context.

Employment eligibility to work with American Express in Spain is required, as the company will not pursue visa sponsorship for these positions.


Required Experience:

IC

Key Skills

  • IT Experience
  • Splunk
  • IDS
  • Cybersecurity
  • FIPS
  • PCI
  • NIST Standards
  • Information Security
  • Encryption
  • FISMA
  • RMF
  • SIEM

About Company

American Express offers world-class Charge and Credit Cards, Gift Cards, Rewards, Travel, Personal Savings, Business Services, Insurance and more.