Third Party Cyber Risk Program Manager

Control Risks

๐Ÿ“Remote - United States

Summary

Join Control Risks as a Third Party Cyber Risk Assessor & Program Manager, leading and conducting third-party cyber risk assessments for a global client portfolio. You will be responsible for comprehensive cybersecurity risk assessments of vendors, suppliers, and partners, and for managing the overall third-party risk assessment program. The ideal candidate combines technical expertise in cyber risk management with strong program management and audit skills. The position is remote, but candidates in the Dallas area are preferred for proximity to the client. You will lead assessments, identify vulnerabilities, recommend remediation, collaborate with global teams, and master the client's security standards. Program management responsibilities include executing the assessment program, evolving its processes, overseeing day-to-day delivery, tracking progress, reporting to leadership, and refining processes for efficiency and scalability.

Requirements

  • Bachelor's degree in Cybersecurity, Information Technology, Risk Management, or a related field (or equivalent experience)
  • 8+ years of experience in cybersecurity, risk management, or IT auditing, with at least 3 years focused on third-party risk assessments and program management
  • Proven experience in both hands-on cyber risk assessment and program management in a global environment
  • Experience working in the Healthcare industry is required
  • Demonstrable expertise leading the delivery of assessments based on cybersecurity standards and frameworks such as NIST CSF 2.0, ISO 27001 and ISO 27002, SOC 2, Center for Internet Security (CIS) best practices, PCI DSS, CSA Cloud Controls Matrix, GDPR, HIPAA, HITRUST, etc.
  • Hands-on experience with tools and platforms used for third-party risk assessments, vulnerability scanning, and audit processes
  • Strong understanding of information security domains such as access control, encryption, vulnerability management, network security, and incident response
  • Evidence of supporting clients in overcoming cybersecurity challenges across a broad array of sectors, which may include, but is not limited to, Technology, Financial Services, and Retail
  • A deep understanding of governance, standards, and compliance as they pertain to cyber security
  • Ability to analyze complex security data and translate findings into industry specific recommendations
  • Strong communication skills with the ability to effectively present risk findings and recommendations to senior leadership and non-technical stakeholders

Responsibilities

  • Lead and conduct detailed cybersecurity risk assessments (audits) for third-party vendors, including reviewing their information security practices, policies, and controls
  • Assess third-party vendor security risks across multiple domains, including data protection, network security, identity & access management, and incident response
  • Identify and evaluate gaps and/or deficiencies in cybersecurity technical controls and policy/procedure controls
  • Perform thorough due diligence on third-party suppliers and partners, identifying potential vulnerabilities and risks that could impact the organization
  • Recommend solutions and alternatives to remediate gaps and/or deficiencies in cybersecurity technical controls and policy/procedure controls
  • Independently lead assessment meetings with clients and third parties to evaluate the implementation of cyber controls
  • Collaborate closely with global line management and regional colleagues on delivery, client management and internal and client communications
  • Master the client's proprietary security and contractual standards
  • Apply recognized cybersecurity frameworks and standards (e.g., NIST, ISO 27001, CIS Controls) in risk assessments and audits
  • Document findings, assessment processes, and recommended actions in a clear, concise, and actionable manner
  • Stay up to date with the latest trends, threats, and regulatory changes in cybersecurity and risk management
  • Execute the third-party risk assessment program to ensure comprehensive coverage across the global client portfolio
  • Evolve existing processes and methodologies for third-party assessments, ensuring consistency, quality, and efficiency
  • Oversee the day-to-day execution of the third-party risk assessment program, coordinating across global teams and managing timelines, resources, and priorities
  • Track progress, assess risks to program timelines, and ensure alignment with organizational goals and business objectives
  • Regularly report on program status, risk assessments, and findings to senior leadership and other stakeholders
  • Provide expert insights on the impact of third-party risks to the broader organization and guide executive decision-making
  • Continuously evaluate and refine third-party risk assessment processes, looking for opportunities to improve efficiency, scalability, and integration with other risk management functions
  • Lead initiatives to incorporate automation, tools, and platforms that streamline the assessment process and enhance data-driven decision-making
  • Manage a small global team of assessors or support staff, providing leadership, mentoring, and ensuring successful completion of assessments and program deliverables
  • Support hiring, training, and development of team members to build a high-performing program management team

Preferred Qualifications

  • Certifications: CISSP, CISM, CRISC, CISA, SCP, CCNP, ISO 27001 Lead Auditor or other relevant security or risk management certifications
  • Experience working in a global organization and understanding of the challenges involved in managing risks across multiple jurisdictions
  • Experience managing global programs and understanding of the complexities associated with vendor relationships in diverse geographical regions

Benefits

  • Control Risks offers a competitively positioned compensation and benefits package that is transparent and summarized in the full job offer
  • We operate a discretionary bonus scheme that incentivizes and rewards individuals based on company and individual performance
  • Control Risks supports hybrid working arrangements, wherever possible, that emphasize the value of in-person time together - in the office and with our clients - while continuing to support flexible and remote working
