About The Position

FM is seeking a Senior Information Security Analyst with deep expertise in Third-Party Risk Management (TPRM). This role is critical in protecting FM by assessing how external vendors, SaaS platforms, and cloud solutions interact with our systems and data. The position requires expertise in cyber risk, vendor security, and cloud architecture to help shape business decisions, strengthen our security posture, and support innovation securely. This includes reviewing both the vendor’s security control environment and the specific solution being implemented, with a focus on data handling, storage, and integration with internal systems. The analyst will partner closely with business, technology, and procurement teams to identify risks and recommend practical, business-aligned mitigation strategies. The role involves leading end-to-end cybersecurity risk assessments of third-party vendors and solutions, going beyond standard due diligence to evaluate real-world risk across systems, data, and integrations.

Requirements

  • 5+ years of experience in cybersecurity, information security, or cyber risk, with a background in third-party risk management (TPRM), IT risk, audit, incident response, or access management.
  • Experience assessing vendor security posture in cloud (SaaS/PaaS) and enterprise environments.
  • Strong understanding of systems, networks, application architecture, cloud security, and secure system design across AWS, Azure, SaaS, PaaS, APIs, and enterprise integrations.
  • Experience evaluating data flows, data classification, data protection, data governance, and secure data handling practices.
  • Knowledge of IAM, SSO, federation, privileged access, cyber threats, vulnerabilities, and attack methodologies.
  • Ability to interpret SOC 1, SOC 2, ISO certifications, and other third-party assurance artifacts to identify control gaps and residual risk.
  • Ability to identify, assess, and clearly communicate complex cyber risks, trade-offs, and residual risk.
  • Experience recommending practical, business-aligned, risk-based mitigation strategies, including compensating controls and secure design changes.
  • Strong analytical judgment, attention to detail, and risk-based decision-making.
  • Ability to translate technical findings into clear, business-relevant insights and recommendations.
  • Strong stakeholder management and partnership across business, technology, procurement, and legal teams.
  • Collaborative, solutions-focused mindset with strong influencing skills in a fast-paced assessment environment.
  • High degree of professional skepticism and curiosity when evaluating vendor claims and evidence.
  • Ability to manage multiple priorities independently while maintaining quality and consistency of assessments.
  • Proficiency with Microsoft Office tools.
  • Bachelor's degree in Information Security, Computer Science, Information Technology, or a related field required. An equivalent of relevant work experience will also be considered.

Nice To Haves

  • Relevant certifications such as CISSP, CISA, CSA, CISM, Security+, GIAC, CEH, or similar are strongly desired.

Responsibilities

  • Lead end-to-end third-party solution risk assessments and vendor security reviews across the vendor lifecycle, including due diligence, onboarding, ongoing monitoring, and reassessments.
  • Evaluate vendor security programs, control effectiveness, and governance, along with a deep-dive assessment of the specific product being implemented, including solution architecture, data flows, and integration points.
  • Identify and communicate inherent and residual cyber risks related to data protection, privacy, IAM, privileged access, system connectivity, and external attack surface exposure.
  • Review and interpret security documentation, including SOC 1/SOC 2 reports, ISO 27001 certifications, audit reports, architecture diagrams, data flow diagrams, and technical configurations.
  • Recommend practical risk mitigation strategies, including compensating controls, secure design changes, and contractual safeguards to support risk-informed decisions.
  • Partner with business, technology, procurement, and legal teams to support risk acceptance, exception management, and third-party risk governance.
  • Contribute to the evolution of FM’s third-party risk management framework, methodology, and standards in alignment with NIST, ISO 27001, NYDFS, and other applicable regulatory expectations.

Benefits

  • incentive plan
  • medical insurance
  • dental insurance
  • vision insurance
  • life insurance
  • disability insurance
  • well-being programs
  • 401(k)
  • pension plan
  • career development opportunities
  • tuition reimbursement
  • flexible work
  • time off
  • vacation
  • sick time
© 2026 Teal Labs, Inc