Senior Analyst, Third-Party Security

About The Position

Requirements

• Bachelor’s degree or related experience required
• 10+ years of progressive experience in information security, third-party risk management, IT risk, or cybersecurity assurance, with at least 3 years focused on third party risk management.
• Strong understanding of information security controls and frameworks (ISO 27001/27002, NIST CSF, CIS Controls, etc.)
• Proficient understanding of third-party security domains, including data protection, access controls, incident response and cloud security.
• Proven ability to perform third-party security risk assessments by reviewing security questionnaires, audit reports, policies and penetration test results to identify control gaps, formulate follow-up inquiries, and document remediation requirements.
• Deep knowledge of technology supplier ecosystems (software, cloud, IT labor, and infrastructure) and associated risk dynamics.
• Experience producing clear risk summaries, remediation recommendations, and executive level reporting
• Familiarity with information security and data protections requirements in third party contracts.
• Excellent communication skills: clear, structured, and persuasive with the ability to educate and inspire teams around risk and performance ownership.
• Proven ability to influence stakeholders without direct authority.
• Ability to work independently and collaboratively in a team environment
• Demonstrated ability to handle sensitive and/or confidential material and information with suitable discretion.

Nice To Haves

• Professional certifications, such as CISSP, CRISC, CISM, CISA, ISO 27001 Lead Auditor/Implementor.
• Established track record in building and executing vendor risk frameworks, risk mitigation strategies, and regulatory-compliant vendor governance programs.
• Proven ability to articulate technical security considerations to non-technical stakeholders.
• Familiarity with information security considerations for vendors leveraging AI or providing AI centric solutions.

Responsibilities

• Conduct information security due diligence including secure by design reviews, during vendor onboarding, at renewal, and periodic review cycles.
• Apply a risk-based approach to third party security assessments, including documenting compensating controls and risks acceptances where appropriate.
• Evaluate third-party architectures, including network connectivity (VPN, reverse proxy), data flows, encryption models, and access controls.
• Assess risks related to cloud environments (AWS/Azure/GCP), SaaS platforms, and API integrations.
• Analyze external risk intelligence sources (e.g., BitSight, SecurityScorecard) and correlate with internal findings.
• Review and challenge secure design, identity/access models (SSO, OAuth, SCIM), and data protection mechanisms.
• Enhance and maintain a comprehensive vendor inventory, including vendor profiling and inherent risk determination.
• Enhance and maintain a third-party risk register and track mitigation efforts for identified security risks.
• Develop and implement strategies to mitigate identified risks, working closely with third parties and internal stakeholders to address security gaps.
• Support a continuous monitoring program to assess third-party security posture and follow up on identified vulnerabilities and security risks.
• Partner with general counsel and vendor management to incorporate information security requirements into third-party contracts.
• Work with internal security teams to investigate and respond to third-party related security incidents.
• Support and enhance escalation procedures and remediation requirements related to third-party security breaches.
• Prepare and present third-party risk metrics, dashboards, trends, and highlighted risks to senior management and IT leadership.
• Contribute to the continuous improvement and scalability of the Firm’s third-party security risk management program.
• Partner with the Third Party Security Senior Manager to build and enhance strategic objectives of the program.