About The Position

The Third-Party Cyber Risk Analyst performs comprehensive third-party risk assessments, focusing on data security, regulatory compliance, and emerging AI use risks. This includes reviewing DDQs, SOC reports, AI governance disclosures, vendor security reports, and supporting documentation from vendors and service providers. The Third-Party Cyber Risk Analyst plays a critical role in safeguarding the organization's data by ensuring third-party partners have implemented sufficient data protection safeguards. The ideal candidate thinks strategically and is intellectually curious. The Third-Party Cyber Risk Analyst will be expected to help refine the risk program.

Requirements

  • Strong understanding of NIST CSF, ISO 27001, SOC 2, contractual cybersecurity clauses, and regulatory expectations (e.g., SEC, FINRA, GLBA).
  • Working knowledge of AI governance, data security issues, and compliance risks (e.g., data governance, shadow AI).
  • Experience reviewing security questionnaires, due diligence documentation, and audit reports.
  • Excellent analytical, communication, and documentation skills.
  • Minimum Required: Bachelor's degree in Cybersecurity, Information Technology, or related discipline, or equivalent experience.
  • Minimum Required: 7+ years of experience in cybersecurity, third-party risk, or IT audit.
  • Experience with third-party risk platforms (e.g., Archer, OneTrust, ProcessUnity, ServiceNow TPRM).
  • Understanding of emerging AI risk frameworks (e.g., NIST AI RMF, EU AI Act).

Nice To Haves

  • Certifications: CISA, CISSP, CTPRP, or vendor risk-specific credentials preferred.

Responsibilities

  • Evaluate third-party cybersecurity posture using DDQs, SOC 2 Type II reports, ISO certifications, penetration test results, and AI usage documentation.
  • Assess AI models used by third parties for privacy, security, and compliance risks (e.g., data training, model outputs, governance).
  • Identify gaps in vendor controls and recommend mitigations or compensating controls.
  • Advise on residual risk and escalation paths for critical or high-risk vendors.
  • Assist with defining third-party security standards and playbooks.
  • Collaborate with legal, compliance, procurement, and enterprise risk management teams.
  • Maintain and update third-party risk assessment templates to include AI and emerging technology risks.
  • Track and report risk status, remediation plans, and residual risk acceptance.
  • Contribute to continuous improvement of the third-party risk management (TPRM) framework.
  • Create third-party cyber risk posture reports and metrics.
  • Must handle highly sensitive information with discretion and objectivity.
  • May be required to participate in third-party incident response after hours or on short notice.

Benefits

  • Comprehensive benefits package including health, dental, and vision care, 401k, wellness initiatives, life insurance, and paid time off.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Industry

Securities, Commodity Contracts, and Other Financial Investments and Related Activities

Number of Employees

5,001-10,000 employees