Vendor Security Manager

Sierra
San Francisco, CA
Onsite

About The Position

Sierra is seeking a Vendor Security Manager to join its Security team. The security of Sierra's Conversational AI Platform is dependent on the security of all connected entities, including vendors, model providers, infrastructure partners, and supply chain dependencies. This role involves building and scaling Sierra's vendor security program from the ground up, conducting in-depth technical assessments, developing AI-specific vendor risk frameworks, and guiding security decisions for all third-party security relationships. It's a hands-on position requiring both technical expertise and sound judgment, enabling Sierra to make informed decisions balancing speed, scale, and security in a fast-paced, regulated industry. The ideal candidate is energized by uncertainty, can form strong opinions with incomplete information, and can refine their approach as the situation becomes clearer.

Requirements

  • 10+ years of experience in information security, with significant depth in vendor security, third-party risk, or GRC within regulated environments (financial services, healthcare, government, or enterprise SaaS).
  • Proven experience making consequential risk decisions under pressure and accountability for those decisions.
  • Technical fluency in cloud security, including AWS and GCP IAM, VPC architecture, encryption, logging and monitoring, and shared responsibility models, enabling you to assess how a vendor's architecture affects Sierra's exposure.
  • Deep working knowledge of ISO 27001, NIST 800-53, SOC 2, PCI DSS, and FedRAMP as they apply to third-party oversight, including an understanding of auditor expectations.
  • Experience building automations, integrations, or detection logic using GRC tooling, APIs, or scripting to reduce manual work and accelerate risk signal detection, with a focus on scalability.
  • Genuine curiosity about AI security, including model supply chains, prompt data handling, adversarial ML, and emerging AI governance frameworks.
  • Ability to clearly communicate complex risks to diverse audiences, including engineers, auditors, and leadership, with technical soundness and precision.
  • Comfort operating in ambiguous and fast-moving environments with novel challenges and evolving regulatory frameworks, demonstrating a capacity for on-the-job learning.

Nice To Haves

  • Experience building a vendor security program from scratch.
  • Experience with AI or ML vendors and a developed perspective on best practices.
  • Familiarity with software supply chain security, SBOM, and dependency integrity.
  • Experience building or leading the implementation of GRC, TPRM, or supply chain security tooling.
  • Possession of a CISSP or CISA certification, or experience leading ISO 27001, PCI DSS, or other compliance programs.

Responsibilities

  • Serve as the primary liaison between the Security team and other Sierra teams regarding vendor security, driving risk discussions and program advancement.
  • Manage vendor security risk decisions and end-to-end escalation paths, including documenting risk acceptance, mitigation plans, and trade-offs.
  • Develop and continuously enhance the vendor security program's methodology, tooling, risk tiering, monitoring, and response strategies, ensuring scalability as Sierra's vendor base grows.
  • Assess and manage security risks across Sierra's entire third-party ecosystem, recognizing the distinct risk profiles of vendors, strategic partners, and contractors, and tailoring oversight accordingly.
  • Ensure the program aligns with audit and regulatory requirements, including SOC 2, PCI DSS, FedRAMP, ISO 42001, ISO 27001, and emerging AI governance frameworks.
  • Conduct thorough, evidence-based security assessments of SaaS providers, cloud and infrastructure partners, AI and model providers, and strategic suppliers, reviewing architectures, IAM configurations, access scopes, and vulnerability assessments.
  • Create assessment frameworks specifically for AI and model vendors, addressing risks related to prompt data handling, training data practices, inference infrastructure access, and model supply chain integrity.
  • Develop and maintain an oversight program for model providers, considering data handling commitments, inference infrastructure security, model update practices, and contractual/technical controls for data flow.
  • Map and monitor Sierra's complete supply chain, including fourth parties and subprocessors, with visibility into software dependencies, open-source components, and AI model provenance.
  • Analyze potential blast radius by understanding data flows, network adjacency, privilege scope, and lateral movement paths to inform technical controls and contractual requirements.
  • Build automated detection logic and alerts for vendor security posture degradation (e.g., lapsed certifications, exposed services, configuration drift, new vulnerabilities) to enable proactive responses.
  • Automate evidence collection and control validation across the vendor portfolio to reduce manual effort and create a robust audit trail.
  • Develop integrations between vendor security tools and Sierra's internal systems, procurement workflows, and communication channels (e.g., Slack) for rapid risk signal dissemination.
  • Utilize AI and tooling to analyze vendor documentation at scale, identify early risk signals, and develop dashboards for leadership visibility into vendor risk posture, remediation velocity, and findings.

Benefits

  • Flexible (unlimited) paid time off
  • Medical, dental, and vision benefits for you and your family
  • Life insurance and disability benefits
  • Retirement plan dependent on country of employment
  • Parental leave
  • Fertility and family building benefits through Carrot
  • Lunch, snacks, and coffee
  • Discretionary benefit stipend
  • Free alphorn lessons
© 2026 Teal Labs, Inc