Key Duties & Responsibilities:
Program Leadership & Governance
- Design, implement, and mature the Third-Party Cyber Risk Management Program aligned with frameworks such as NIST CSF, ISO 27001, HIPAA, CIS Controls, and SOC2.
- Develop and maintain policies, standards, and procedures governing vendor security due diligence, onboarding, monitoring, and offboarding.
- Establish and maintain the security exhibit for vendor contracts, enforce compliance with it, and revise it wherever needed.
- Lead governance committees or working groups to discuss vendor risk posture, key issues, and remediation progress with business, procurement, and legal teams.
- Define and track Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for vendor risk and present them to leadership and risk committees.
Vendor Risk Assessment & Due Diligence
- Oversee end-to-end third-party risk assessments including questionnaires, evidence review, and validation of security controls.
- Evaluate vendors against recognized security frameworks (e.g., SOC 2, ISO 27001, PCI DSS, NIST CSF, HIPAA/HITRUST).
- Manage inherent and residual risk scoring models to prioritize vendors based on business impact and data sensitivity.
- Perform or oversee onsite or virtual vendor audits for high-risk vendors and ensure timely closure of identified gaps.
- Work closely with Procurement and Legal to integrate cybersecurity clauses and right-to-audit provisions in vendor contracts.
Continuous monitoring and remediation:
- Implement and manage continuous monitoring tools and processes (e.g., SecurityScorecard, Recorded Future) to detect changes in vendor security posture.
- Ensure that remediation plans are documented, tracked, and closed within defined SLAs.
- Coordinate periodic reassessments of critical and high-risk vendors to verify ongoing compliance.
- Manage escalation processes for non-compliant or high-risk vendors, including executive reporting and remediation oversight.
- Perform internal audits against client security requirements to proactively prepare for client reviews and improve the organizational security posture.
Collaboration and stakeholder management
- Partner with Business Units, Procurement, Legal, Privacy, and IT Security teams to ensure security risk is addressed in all third-party engagements.
- Collaborate with Legal and Compliance to support external audits and regulatory reviews involving third-party risk.
- Provide subject matter expertise during M&A due diligence, supplier transitions, or strategic partnerships.
- Deliver training and awareness to business and procurement teams on vendor security best practices.
Reporting and metrics
- Maintain a vendor risk register and ensure accurate documentation of risk decisions, exceptions, and compensating controls.
- Prepare executive dashboards and periodic reports summarizing vendor risk trends, findings, and remediation status.
- Support board-level reporting on supply chain and vendor cyber risks.
Qualification:
Bachelor's or Master's degree in Technology, Cybersecurity, Risk Management, or a related field.
Experience, Skills and Knowledge:
- 7-10 years of total experience in information security, risk, or compliance roles.
- At least 5 years of direct experience in third-party or vendor cyber risk management.
- Strong understanding of supply chain security, cloud vendor assessments, data privacy, and regulatory compliance (HIPAA, PCI DSS, GDPR, etc.).
- Experience using GRC and vendor risk management platforms (e.g., Archer, AuditBoard, or similar).
- Proven track record of leading remediation governance and cross-functional collaboration across business, IT, and legal teams. Proven experience managing third-party cybersecurity risk and audit programs at scale.
- Excellent communication skills, with the ability to interface with clients, vendors, and operational, legal, and IT leadership.
Key competency profile:
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- HITRUST CCSFP or ISO 27001 Lead Implementer