Senior Security Risk Specialist, Global Benefits Risk & Compliance

About The Position

Requirements

• Bachelor's degree or equivalent in Information Security, Computer Science, Risk Management, Engineering, Math, Statistics, or a related discipline, or equivalent technology experience
• 7+ years of risk management, audit, legal, compliance or related field work including engaging with external stakeholders experience
• Experience with IT compliance and risk management requirements (e.g. security, privacy, SOX, HIPAA etc.)

Nice To Haves

• CISSP, CISA, CISM or other security certification
• Advanced degree in a related area (Information Security, Risk Management, MSHR, MBA, JD)
• Deep knowledge of federal benefits regulations including ACA, COBRA, ERISA, and HIPAA, as well as state and local regulations including Massachusetts, Vermont, Hawaii, and San Francisco
• Experience influencing vendor security and compliance strategies across an organization, including negotiating remediation timelines and shaping vendor contractual obligations
• Proficiency across multiple widely adopted security compliance regimes and frameworks (SOC, PCI, NIST, ISO) with ability to apply expertise across diverse regulatory environments

Responsibilities

• Lead complex third-party vendor risk assessments across multiple benefits programs and vendor relationships, evaluating security, privacy, and compliance posture against federal, state, and local regulatory requirements
• Define and iterate on risk assessment methodologies, frameworks, and mechanisms to scale for diverse vendor requirements and evolving regulatory expectations (e.g., quantitative risk models, vendor risk questionnaires, continuous monitoring approaches)
• Identify long-term risks associated with third-party vendors and influence business strategy to proactively mitigate them before they materialize into risk events
• Make diligent, independent decisions on how to engage vendors, auditors, and regulators on third-party risk matters with minimal oversight
• Drive comprehensive benefits compliance management related to third-party service delivery, ensuring adherence to federal, state, and local regulatory requirements including HIPAA, ERISA, ACA, and COBRA
• Lead risk and control assessments of vendor-managed processes, determine state of compliance, analyze risk exposure, and author reports detailing methodology, results, and remediation plans
• Own and drive third-party risk review programs associated with benefits program launches, modifications, vendor onboarding, and transitions across the organization
• Create predictable process paths, workflows, and repeatable mechanisms (e.g., for vendor security control design, testing, implementation, and validation) that multiple teams utilize to deliver consistent risk management outcomes
• Identify opportunities to simplify approaches throughout the organization and across project boundaries; decouple dependencies and prevent duplicate or wasted effort
• Define business problems, set objectives, analyze data, drive improvements, and influence resource allocation for third-party risk initiatives
• Develop mechanisms to inspect, monitor, and improve third-party risk delivery over time; hold the team to a high standard for both solutions and practices
• Escalate when risks or blockers emerge, propose viable recommendations to resolve them, identify the correct owners, and track issues to resolution
• Develop deep understanding of the employee benefits solutions utilized by Amazon and the third-party vendors that support them; drive business requirements for vendor system implementations and enhancements
• Lead collaboration with vendors and external teams to evaluate security controls, negotiate remediation timelines, and ensure employee-centered benefits experiences are delivered securely
• Understand the builder and stakeholder experience with security compliance and proactively seek to align third-party risk processes with existing workflows
• Author written narratives to define strategy, evaluate trade-offs, anticipate risks, and recommend solutions on third-party risk that influence the organization and external partners
• Drive business and technical discussions across the organization to make decisions on how to align with diverse, potentially conflicting, third-party risk and compliance expectations
• Advise managers and directors on third-party risk matters; communicate effectively with leaders up to three levels above on risk posture, compliance gaps, and strategic recommendations
• Write, speak, and network with key internal and external stakeholders to broaden influence on third-party risk management practices
• Develop and deliver documentation such as manager and employee communications, FAQs, policy positions, standard operating procedures, and strategic narratives related to third-party risk
• Mentor and develop junior team members in third-party risk assessment methodologies, compliance frameworks, and stakeholder engagement

Benefits

• health insurance (medical, dental, vision, prescription, Basic Life & AD&D insurance and option for Supplemental life plans, EAP, Mental Health Support, Medical Advice Line, Flexible Spending Accounts, Adoption and Surrogacy Reimbursement coverage)
• 401(k) matching
• paid time off
• parental leave
• sign-on payments
• restricted stock units (RSUs)