
Cybersecurity GRC & TPRM Analyst

Location:
Queens, NY
Posted:
March 23, 2026


OLUMIDE LAWAL

GRC Analyst • Third-Party Risk Management • Cybersecurity Risk & Compliance • Information Security Analyst

347-***-**** • *******.**.*****@*****.*** • linkedin.com/in/olumide-lawal • Actively relocating to Southeast & Mid-Atlantic • US Work Authorized

PROFESSIONAL SUMMARY

Financial services cybersecurity professional with 4+ years of U.S. banking experience — including 2+ years executing GRC and third-party risk programs at an international bank. Brings a rare combination of hands-on security operations depth (Splunk, Microsoft Sentinel, CrowdStrike EDR, vulnerability management, incident response) and enterprise GRC execution, enabling me to assess risk technically and communicate it strategically. Demonstrated impact includes a 50% reduction in cyber incidents at UBA and a 25% reduction in third-party risk exposure at Kredit Bank. Seeking a GRC Analyst or TPRM Analyst role to deliver measurable risk reduction in a regulated financial environment. Currently completing CTPRP certification.

Regulatory fluency across FFIEC, GLBA, NYDFS Part 500, OCC examination standards, SOC 2, ISO 27001, NIST RMF/CSF 2.0, PCI-DSS, GDPR, DORA, and the SEC Cybersecurity Disclosure Rule. Current on 2026 industry priorities: Zero Trust architecture in banking, fourth-party and nth-party supply chain risk, ransomware and third-party breach response, and operational resilience beyond traditional BCP/DR. Conversant in AI governance frameworks — NIST AI RMF, EU AI Act — and how AI-powered GRC automation is reshaping continuous monitoring, predictive risk alerting, and vendor oversight in financial services.

Tools: OneTrust TPRM • ServiceNow GRC • Prevalent • SecurityScorecard • Dun & Bradstreet • AuditBoard • RSA Archer • CrowdStrike Falcon • Splunk • Microsoft Sentinel • Nessus / Qualys / Rapid7 • Tripwire • CSA CCM • CAIQ / SIG / SIG Lite • Power BI • Excel (Advanced)

PROFESSIONAL EXPERIENCE

Kredit Bank Cera & Verzekering • Belgian Bank, New York Branch — U.S. Operations Jun 2023 – Jan 2026

Junior GRC Analyst

• Strengthened audit readiness by managing control testing and evidence collection across 60+ SOC 2 Type II controls — validating control effectiveness, standardizing evidence templates in OneTrust GRC, and reducing manual audit prep burden each cycle, enabling the organization to present auditors with clean, centralized documentation and accelerate audit closure timelines.

• Accelerated ISO 27001 certification readiness by executing Annex A gap assessments across all control domains — translating identified deficiencies into prioritized remediation tasks in ServiceNow GRC and maintaining real-time stakeholder dashboards that kept the certification timeline on track and leadership informed at every stage.

• Reduced cloud vendor risk exposure by auditing cloud-hosted vendors against the CSA Cloud Controls Matrix (CCM) — systematically evaluating controls across data security, IAM, and infrastructure domains, identifying and documenting exceptions in SOC 2 Type I and II reports, and driving remediation follow-up that closed gaps before they became audit findings or regulatory exposure.

• Managed a risk-tiered portfolio of 30+ vendors across the full third-party risk lifecycle in OneTrust TPRM — classifying vendors as critical, high, medium, or low risk based on data sensitivity, business criticality, regulatory exposure (GDPR, PCI-DSS), and SecurityScorecard posture ratings, then calibrating the depth of due diligence, contractual requirements, and monitoring intensity to each tier, ensuring the highest-risk vendors received the most rigorous oversight.

• Shifted vendor oversight from reactive annual reviews to proactive continuous monitoring using Prevalent and SecurityScorecard — detecting real-time degradation in vendor security posture ratings, triggering escalation workflows before risk materialized, and directly contributing to a 25% reduction in third-party risk exposure across the portfolio.

• Reduced regulatory exposure by maintaining and updating the organization's information security policy library against NIST RMF and NIST CSF 2.0 in ServiceNow GRC — ensuring policies reflected the latest regulatory changes and were written in plain language accessible to business unit owners, directly supporting the organization's posture ahead of regulatory examinations.

• Strengthened contractual risk controls by reviewing vendor MSAs and contracts during due diligence — using Dun & Bradstreet to validate vendor financial stability and flag reputational risk, identifying missing security obligations, data handling requirements, and compliance commitments, and ensuring contractual gaps were remediated before vendor onboarding was approved.

• Accelerated risk closure across 10+ cross-functional initiatives by partnering with IT, Legal, and Operations — translating technical risk findings into business-relevant language, mapping mitigating controls, and driving remediation to closure through ServiceNow GRC, measurably reducing the organization's open risk item count across successive audit cycles.

• Enabled data-driven security governance by preparing risk assessment summaries, vendor risk reports, and compliance dashboards utilized directly by the CISO — translating complex GRC program metrics, open findings, and remediation progress into executive-ready formats that aligned risk posture reporting to the bank's stated risk appetite and board governance expectations.

• Eliminated manual compliance reporting lag by maintaining weekly Power BI dashboards that integrated live data from Excel, ServiceNow GRC, and OneTrust — giving leadership real-time visibility into SOC 2 control status, vendor risk scores, TPRM portfolio health, and SLA-tracked open findings, replacing ad hoc spreadsheet reporting and enabling faster, evidence-based compliance decisions.

• Applied advanced Excel techniques — VLOOKUP-based control matrices, pivot-driven audit reporting, and conditional formatting for SLA monitoring — to manage risk registers, package audit evidence, and surface overdue remediation items before they became findings.

• Strengthened the organization's operational resilience posture by participating in disaster recovery tabletop exercises and BCP planning sessions — stress-testing failure scenarios, capturing action items, tracking gap remediation to closure, and ensuring the program met regulatory BCP documentation standards and DORA operational resilience expectations.

Key Achievements

25% reduction in third-party risk exposure by leveraging Prevalent's continuous monitoring to shift from annual vendor reviews — proactively surfacing 8 high-risk vendor issues before audit discovery and preventing potential material control failures.

Compressed the SOC 2 audit preparation cycle by standardizing evidence templates and centralizing documentation in OneTrust GRC — enabling faster auditor handoffs and freeing analyst capacity for forward-looking compliance work each successive cycle.

Contributed to the organization's first NIST CSF 2.0 alignment assessment — mapping existing controls to updated framework tiers, identifying 12 prioritized gaps, and producing the remediation roadmap formally adopted by leadership for the next compliance cycle.

United Bank for Africa • U.S. Operations Sep 2021 – Jun 2023

Information Security Analyst

• Maintained a consistent regulatory examination record by executing the bank's day-to-day cybersecurity monitoring program under the Bank ISO — sustaining security posture alignment with FFIEC, GLBA, and NYDFS Part 500 requirements across every examination cycle during tenure.

• Monitored enterprise network security infrastructure — including LAN/WAN environments, firewalls, and anti-spam systems — using Splunk and Microsoft Sentinel to triage security alerts, investigate anomalous events, correlate log data, and escalate confirmed incidents, maintaining continuous perimeter visibility across the bank's network.

• Drove endpoint security modernization by actively participating in the bank's transition from legacy tools to CrowdStrike Falcon EDR — monitoring endpoint alerts on the platform, reviewing threat detections, and contributing to incident triage as the organization established its new detection baseline.

• Reduced the bank's exploitable attack surface by executing vulnerability assessments using Nessus, Qualys, Rapid7, and Tripwire — analyzing scan outputs, monitoring file integrity to detect unauthorized changes, prioritizing remediation by CVE severity and asset criticality, and maintaining patch cadence that directly contributed to a 50% reduction in cyber incidents across core banking systems.

• Enforced least-privilege access controls across enterprise applications by managing the full IAM lifecycle — provisioning and deprovisioning user accounts, coordinating with departmental coordinators, and conducting access audits that identified and remediated unauthorized access patterns before they became security or compliance incidents.

• Contained security incidents and protected regulatory standing by coordinating response workflows using McAfee/Trellix endpoint tools — triaging events, managing containment and investigation, and producing FFIEC and NYDFS Part 500-aligned documentation that met accelerated regulatory reporting SLAs and supported post-incident review.

• Measurably strengthened the bank's human-layer defenses by designing department-tailored security awareness training and phishing simulations — achieving documented improvement in staff click-through and incident reporting rates, meeting FFIEC and NYDFS Part 500 training requirements, and reducing the organization's social engineering risk profile.

Key Achievements

50% reduction in cyber incidents by leading CVE prioritization within a structured patch management program — using Nessus/Qualys scan data and McAfee endpoint findings to target critical vulnerabilities across core banking systems, materially reducing the attack surface and strengthening business continuity posture.

Delivered a successful CrowdStrike EDR transition — maintaining uninterrupted threat detection visibility during the platform migration by actively monitoring Falcon alerts, helping establish detection baselines, and bridging coverage between legacy and modern endpoint security stacks.

Built the team's digital forensics documentation standard — creating repeatable evidence collection procedures that improved audit trail quality, reduced post-incident review time, and enabled the bank to meet accelerated OCC/FFIEC regulatory reporting SLAs following security events.

CERTIFICATIONS & PROFESSIONAL DEVELOPMENT

• CompTIA Security+

• OneTrust Third-Party Risk Management Expert

• Certified Third-Party Risk Professional (CTPRP) — Expected 2026

• Foundations of AI Security — threat modeling for AI/ML systems, adversarial risk, and AI supply chain vulnerabilities

• AI Security & Governance — AI risk assessment frameworks, NIST AI RMF alignment, and EU AI Act risk classification

• RSA Archer GRC — enterprise risk management configuration, compliance program setup, and GRC reporting workflows

EDUCATION

St. Joseph's University • Bachelor of Science, General Studies

CORE COMPETENCIES

GRC Program Management

Third-Party Risk Management

SOC 2 Type I & II Audits

ISO 27001 Gap Assessments

NIST RMF / CSF 2.0

FFIEC / GLBA / NYDFS Part 500

OCC & SEC Cyber Disclosure Rule

Vendor Tiering & Risk Classification

Incident Response & BCP / DR

Cyber Risk Management & Mitigation

Cloud Risk Assessment (CSA / CCM)

Fourth-Party / Supply Chain Risk

AI Governance & NIST AI RMF

SOC Report Review & Exception Noting

Shared Assessments SIG / SIG Lite

SecurityScorecard / D&B Monitoring

Actively relocating to the Southeast & Mid-Atlantic • Available for remote, hybrid, and on-site roles • US Work Authorized