Key Activities
Run the TPCISRM Process
* Operate SNCB's third-party cyber risk management process across the full supplier lifecycle (pre-contract, onboarding, operations, renewal, offboarding).
* Perform cyber risk assessments for suppliers, services, cloud providers, MSSPs, critical service providers, and NIS 2–critical vendors.
* Define and regularly update supplier security requirements (minimum cyber requirements, contractual clauses, evidence obligations).
* Maintain a complete, accurate Third-Party Cyber Risk Register.
* Ensure continuous monitoring of high-risk suppliers and active follow-up of mitigation plans.
* Integrate TPCISRM activities into procurement workflows, tender processes, and RFP evaluations.
* Coordinate with Legal to ensure cybersecurity contractual clauses reflect NIS 2 and CyberFundamentals obligations.
* Maintain traceability of risks to controls, service obligations, and responsible stakeholders.
* Ensure suppliers supporting critical systems also comply with NIS 2 "essential and important entity" obligations applicable to SNCB.
Reporting & Stakeholder Management
* Provide structured third-party risk reporting to the SNCB Risk Office as part of the ERM cycle.
* Inform CISO, procurement, and business owners of emerging and aggregated supply-chain risks.
* Maintain KRIs for supply-chain security (e.g., high-risk suppliers, overdue remediation actions, missing evidence).
* Support vendor risk acceptance processes with clear justification and documentation.
* Participate in RFP steering committees, supplier performance reviews, and contract renewal boards as cybersecurity advisor.
* Serve as the single point of contact for supplier cyber risk during audits, regulatory reviews, and NIS 2 assessments.
Improve the TPCISRM Framework
* Maintain and improve SNCB's third-party cyber risk methodology, aligned with ISO 27036, ISO 27001, ISO 27005, NIST CSF 2.0, and NIS 2.
* Develop and maintain procedures, assessment templates, scoring models, workflows, and playbooks.
* Introduce automation and continuous monitoring (threat intelligence, questionnaires, evidence management).
* Formalise supplier tiering (criticality classification) based on business impact, NIS 2 scope, and service dependency.
* Coordinate improvement initiatives with Procurement and Legal to embed cybersecurity more deeply into contracting processes.
* Monitor regulatory developments (EU CRA, DORA where relevant, data protection) and integrate them into the framework.
Knowledge Transfer & Awareness
* Train procurement, legal, business owners, and contract managers on third-party cyber risks and required controls.
* Mentor GRC and risk officers on supplier risk assessment techniques.
* Drive awareness of supply-chain dependencies, third-party obligations, and legal requirements under NIS 2.
* Provide targeted guidance for projects onboarding new critical suppliers or cloud platforms.
Scope of Responsibilities
* Third-Party Cyber & Information Security Risk Management
* Cybersecurity requirements for procurement and contracting
* Supplier security assessments and continuous monitoring
* NIS 2 supply-chain security measures & regulatory reporting
* Third-party cyber risk register and KRIs
* Supplier lifecycle security governance
* Contractual cybersecurity clauses (in collaboration with Legal & Procurement)
* Vendor classification and criticality mapping
* Risk acceptance for supplier-related risks
* 10+ years of relevant experience in cybersecurity or supplier risk management (regardless of industry) or comparable oversight roles in the critical infrastructure sector (safety, sustainability, ...)
* Master's degree or equivalent professional experience
* Dutch/French C2, English C1
* 5+ years of relevant experience in the railway sector
* Third-party cybersecurity risk management (ISO 27036, ISO 27005, NIST CSF 2.0, FAIR)
* NIS 2 supply-chain security obligations (Art. 21, Art. 23, supervisory expectations)
* CyberFundamentals Essential requirements for suppliers
* Procurement and contract lifecycle processes
* Cybersecurity requirements for cloud services, managed services, integrators
* Risk management frameworks, scoring models, and supplier tiering
* Regulatory cybersecurity requirements (CRA, DORA, GDPR where relevant)
* Certifications considered a strong asset: CISSP, CISM, CRISC, ISO 27036 Specialist, ISO 27001 LA/LI, CTPRP (Certified Third-Party Risk Professional), FAIR
Our offer
Within our open corporate culture, you contribute to the digital transformation of SNCB. You will have a job with social impact and ample opportunity to make your own contribution. In addition to a good work-life balance and a competitive salary, you will receive the following benefits:
* the possibility to work remotely + flexible working hours;
* 35 days of leave;
* a company car + a public transport season ticket;
* a target bonus;
* a comprehensive insurance package (affiliation without own contribution, excl. outpatient costs for family members);
* hospitalisation and dental care for the whole family;
* outpatient costs (= medical costs separate from hospitalisation);
* group insurance: supplementary pension, work disability and death (cafeteria plan);
* accidents at work (extralegal);
* meal vouchers and eco-vouchers;
* net allowances for remote working and carwash + internet budget.