Principal – Third Party Cyber Risk Assessment

Johnson & Johnson, Raritan, NJ
Hybrid

About The Position

Johnson & Johnson is recruiting for a Principal – Third Party Cyber Risk Assessment to join the Information Security & Risk Management (ISRM) Risk Assessment Center of Excellence (CoE). This role is based in the United States with the Raritan, NJ location preferred, but also available internally to our ISRM Service Centers in São José dos Campos, São Paulo, Brasil and Warsaw, Poland. This role serves as a senior technical authority and thought leader for third-party cyber risk assessments across Johnson & Johnson’s global ecosystem of vendors, SaaS providers, and strategic partners. As an integral member of the ISRM Risk Assessment Center of Excellence team, you will identify and assess cyber risks within the Third-Party Risk Assessment (TPRA) service. In this role, you will work with a diverse, global team of skilled cyber security professionals.

Requirements

  • A bachelor’s degree in Computer Science, Engineering or Information Security/Cybersecurity or equivalent degree is required.
  • 5+ years of direct third-party cybersecurity risk assessment experience, including application of third-party risk assessment concepts and internal controls.
  • 5+ years using ServiceNow GRC tool to support security risk objectives.
  • Proficiency in conducting and leading third-party risk assessments, including data classification, risk scoring, and mitigation planning.
  • Ability to translate technical findings into business impact for key partners.
  • Strong analytical and problem-solving skills.
  • Strong interpersonal skills to build and maintain relationships with internal partners.

Nice To Haves

  • Security certifications such as CISSP, CCSP, CISA, CRISC etc. are preferred.
  • An advanced degree is preferred.
  • Foundational knowledge of regulatory requirements (e.g., SOX404, Privacy, HIPAA, GxP, cyber regulations).
  • Experience assessing third-party risk in a large, dynamic, multinational organization.
  • Experience in identifying key security risks, security controls, and providing consulting services to customers throughout the third-party vendor lifecycle.
  • Experience with security standards and control frameworks (e.g. FAIR, HITRUST, ISO27001, NIST, SOC 2, etc.).
  • Demonstrable record of effectively collaborating with virtual, global teams, including diverse groups of people with varied backgrounds and cultural experiences.

Responsibilities

  • Perform and lead third-party risk assessments, risk rankings, and collaboration on remediation strategies as needed.
  • Perform deep technical reviews of third-party security controls, evidence artifacts, attestations, and independent reports to assess control design, implementation, and operating effectiveness.
  • Evaluate complex risk scenarios involving sensitive data types, regulatory obligations, complex architectures, and cross-border data flows.
  • Identify, document, and risk-rate third-party cyber issues, ensuring consistent severity determination and alignment to ISRM standards.
  • Drive automation and process improvements as identified and through relevant projects and/or operations.
  • Communicate cybersecurity third-party risk assessment results to senior leaders and provide input on remediation plans.
  • Enhance third-party cyber risk assessment processes by defining and implementing process improvements.
  • Offer consulting support to the larger cybersecurity team on third-party risk assessment understanding and remediation.
  • Lead and mentor junior members of the team, ensure ongoing learning, and support special projects as needed.

Benefits

  • Medical, dental, vision, life insurance, short- and long-term disability, business accident insurance, and group legal insurance.
  • Consolidated retirement plan (pension) and savings plan (401(k)).
  • Vacation – 120 hours per calendar year
  • Sick time – 40 hours per calendar year; for employees who reside in the State of Washington, 56 hours per calendar year
  • Holiday pay, including Floating Holidays – 13 days per calendar year
  • Work, Personal and Family Time – up to 40 hours per calendar year
  • Parental Leave – 480 hours within one year of the birth/adoption/foster care of a child
  • Condolence Leave – 30 days for an immediate family member; 5 days for an extended family member
  • Caregiver Leave – 10 days
  • Volunteer Leave – 4 days
  • Military Spouse Time-Off – 80 hours
© 2026 Teal Labs, Inc