Senior Third-Party Risk Analyst

About The Position

Requirements

• Bachelor’s degree in a related field with 5+ years (7-10 years preferred) of information security experience, including hands-on ownership of third-party or supplier risk assessments.
• Proven experience running or significantly contributing to a third-party or vendor risk management program end to end.
• Familiarity with NIST, ISO, and PCI-DSS standards.
• Strong analytical and critical-thinking skills with the ability to reason through ambiguity and make sound, defensible risk decisions.
• Experience with cybersecurity and privacy principles and the controls used to manage risk across data use, processing, storage, and transmission.
• Demonstrated experience recommending security safeguards, including contract and SLA language.
• Working knowledge of risk management best practices and frameworks.
• Excellent written and verbal communication skills with the ability to influence stakeholders and clearly articulate risk to leadership.
• Equivalent relevant experience performing the essential functions of this job may substitute for education degree requirements. Generally, equivalent relevant experience is defined as 1 year of experience for 1 year of education and is the discretion of the hiring manager.
• Active industry certification such as CISSP, CISM, CRISC, CISA, or a closely equivalent credential.

Nice To Haves

• 7 to 10 years of information security experience, including hands-on ownership of third-party or supplier risk assessments.
• Experience identifying and implementing AI-driven efficiencies within a risk management or TPRM program.
• Experience working in regulated environments, including FERPA, GLBA, or FTC regulatory contexts.

Responsibilities

• Serve as the subject matter expert for third-party and supplier risk management, owning and continuously maturing WGU’s TPRM methodology.
• Lead end-to-end third-party risk assessments across the full lifecycle, including intake, due diligence, contracting, ongoing monitoring, and offboarding.
• Analyze complex technical and non-technical evidence to determine likelihood, impact, root cause, and defensible risk ratings.
• Review assurance artifacts such as SOC 2 Type II reports, penetration test results, and security questionnaires to identify gaps, exceptions, and compensating controls.
• Assess fourth-party and downstream risk, including concentration risk within critical supply chains.
• Partner with procurement, legal, and privacy teams to review contracts, data protection addendums, and security clauses and recommend risk-reducing language.
• Mentor junior analysts, provide quality review of assessments, and act as an escalation point for high-risk or complex engagements.
• Lead exception-to-policy analysis, document residual risk, and guide risk acceptance, transfer, or mitigation decisions with appropriate stakeholder sign-off.
• Work with engineers, architects, and security professionals to understand the risk of a system, project, third-party, supplier, or application and recommend controls to mitigate identified risks.
• Provide guidance and assistance to operational teams and third parties to remediate security deficiencies and track remediation through to closure.
• Identify, develop, and recommend AI-driven efficiencies in the TPRM program and broader risk management practice.
• Maintain working knowledge of NIST, ISO, and PCI-DSS standards as well as FERPA, GLBA, and FTC regulations, and ensure assessments account for applicable obligations.
• Act as an advocate for Information Security, helping the business understand third-party risk, security standards, and best practices.

Benefits

• medical, dental, vision, telehealth and mental healthcare
• health savings account and flexible spending account
• basic and voluntary life insurance
• disability coverage
• accident, critical illness and hospital indemnity supplemental coverages
• legal and identity theft coverage
• retirement savings plan
• wellbeing program
• discounted WGU tuition
• flexible paid time off for rest and relaxation with no need for accrual
• flexible paid sick time with no need for accrual
• 11 paid holidays
• other paid leaves, including up to 12 weeks of parental leave