Why this role?
Do you enjoy helping organisations understand, secure, and strengthen their supply chains against modern security threats? At NCC Group, you’ll help clients manage risk beyond their own perimeter, across suppliers, partners, vendors, and critical service providers.
You’ll work at the intersection of cyber security, risk management, and operational resilience, supporting organisations as they respond to increasing regulatory scrutiny, geopolitical risk, and complex third-party ecosystems. This is high-impact consulting work that blends strategic advisory, governance, and practical security improvement across supply chains.
What you’ll do
Assess supply chain security risk: Conduct third-party and supply chain security assessments, identifying systemic risks across vendors, service providers, and technology dependencies.
Design supply chain security frameworks: Develop and implement supply chain security strategies aligned to standards such as NIST CSF, NIST SP 800-161, ISO 27036, ISO 28000, and emerging regulatory requirements.
Strengthen third-party risk management: Support the design and improvement of third-party risk management (TPRM) programmes, including due diligence, onboarding, assurance, and ongoing monitoring.
Advise on secure supplier engagement: Help clients embed security requirements into procurement processes, contracts, supplier assurance models, and service-level agreements.
Analyse concentration and dependency risk: Identify critical supplier dependencies, single points of failure, and cascading risk across complex supply networks.
Test and validate controls: Support scenario-based exercises, tabletop simulations, and risk walkthroughs focused on supplier compromise, service disruption, or geopolitical impact.
Engage senior stakeholders: Translate technical and operational findings into clear, business-relevant insights for executives, boards, and risk committees.
Collaborate across disciplines: Work alongside cyber security, resilience, legal, procurement, and operational teams to deliver integrated supply chain security outcomes.
Mentor and contribute: Coach junior consultants and contribute to reusable methodologies, assessment tools, and thought leadership in supply chain security.
What you’ll bring
Strong experience in supply chain security, third-party risk, or operational risk consulting, ideally in complex enterprise environments
Practical understanding of vendor risk, supplier assurance, and ecosystem-level security threats
Familiarity with relevant standards and frameworks such as:
NIST SP 800-161 (Supply Chain Risk Management)
ISO 27036 (ICT Supply Chain Security)
ISO 28000 (Supply Chain Security Management)
NIST CSF, ISO 27001 (as applied to third parties)
Ability to engage confidently with technical teams, procurement, legal, risk functions, and executive leadership
Experience conducting risk assessments, workshops, or assurance activities with third parties
Strong written and verbal communication skills, able to produce concise reports and deliver clear recommendations
Nice-to-haves (not show-stoppers)
Experience with regulatory and compliance drivers (e.g. DORA, NIS2, SOCI, critical infrastructure regulations)
Understanding of software supply chain security (e.g. SBOMs, secure development, open-source risk)
Exposure to geopolitical risk, sanctions, or operational resilience
Certifications such as:
CISSP, CISM, CRISC
ISO 27001 / 27036 Lead Implementer or Auditor
Supply chain or risk-related certifications
A week in the life (example)
Monday: Run a supply chain risk workshop with a critical infrastructure client, mapping supplier dependencies and risk concentration.
Tuesday: Perform a third-party security assessment for a strategic technology provider.
Wednesday: Design a supply chain security framework aligned to regulatory expectations and client risk appetite.
Thursday: Facilitate a tabletop exercise simulating supplier compromise and downstream business impact.
Friday: Present findings and prioritised recommendations to senior stakeholders and agree next steps.
How we work
Pragmatic > performative. We focus on achievable, sustainable resilience rather than perfection on paper.
Collaborative by default. You’ll work alongside cyber, continuity, and risk experts across NCC Group’s global network.
Curious mindset. Research time, labs, and thought leadership contributions are part of our rhythm.
Inclusive and flexible. We value diversity of thought and support hybrid working that fits your life.