VP, IT Risk Director for Third-Party Risk Management

Fidelity National Financial, Jacksonville, FL

About The Position

The VP, IT Risk Director for Third-Party Risk Management (TPRM), is responsible for leading the evaluation, oversight, and ongoing monitoring of technology and security risks associated with the company’s third-party relationships (vendors). This leader will play a critical role in assessing inherent risk, validating third-party control environments, and ensuring third-party compliance with internal policies, regulatory expectations, and industry best practices. This role will serve as a key liaison between the TPRM program, IT leadership, Information Security, and Third-Party Relationship Managers. The VP will help shape program strategy, strengthen assessment methodologies, and support enterprise-wide risk reduction, while building strong partnerships across the business.

Requirements

  • Bachelor’s degree in Information Technology, Cybersecurity, Risk Management, or related field. Master’s degree preferred.
  • Requires 10+ years of experience in IT risk management, information security, cybersecurity, or related roles, with a strong focus on third-party risk.
  • Deep understanding of IT and Security frameworks, such as NIST CSF, ISO 27001, CIS Controls, SOC reporting, and secure development practices.
  • Proven ability to assess inherent and residual technology risk for vendors and applications.
  • Experience collaborating with IT, security, legal, procurement, and vendor risk teams.
  • Strong communication and stakeholder-management skills, with the ability to translate technical risk into business impact.

Nice To Haves

  • Experience in a regulated industry, preferably financial services.

Responsibilities

  • Define and champion the strategic roadmap for IT risk management within the TPRM program, facilitating alignment with enterprise risk appetite and transformation initiatives.
  • Mature the TPRM IT and Security Program focused on Software, Software as a Service (SaaS), Cloud providers, AI, and other technology products and services.
  • Enhance the process for identifying and monitoring Fourth Party (vendors of third parties) risk and governance.
  • Evaluate third parties’ entity level and product specific control environments across areas such as regulatory compliance (e.g., NY DFS, CCPA, etc.), cybersecurity posture, access management, data protection, infrastructure and application security, incident response, disaster recovery, and business continuity.
  • Serve as a primary liaison to IT leadership, Information Security, Application Owners, and technology teams on third-party related risks and security considerations.
  • Conduct deeper reviews for higher risk tiered third parties, validating sufficiency of controls and identifying gaps requiring remediation or compensating safeguards.
  • Maintain familiarity with the inventory of existing third-party solutions and provide Third-Party Relationship Managers with recommendations for pre-approved alternatives.
  • Develop remediation plans with the appropriate stakeholders.
  • Interpret technical documentation (SOC reports, SIG questionnaires, penetration tests, vulnerability reports, architecture diagrams, etc.) to form defensible risk conclusions.
  • Contribute to the overall design and execution of the enterprise TPRM strategy, focusing on continuous improvement of IT and security components.
  • Enhance methodologies, scoring models, and workflows that support consistent, risk-based third-party evaluations throughout the third-party lifecycle.
  • Monitor emerging technology risks (e.g., AI, cloud concentration) and integrate them into TPRM frameworks.
  • Provide guidance to business units during third-party selection and renewal processes so that risk is appropriately understood and mitigated.
  • Collaborate closely with Third-Party Relationship Managers to strengthen ongoing monitoring activities and overall vendor lifecycle management.
  • Communicate complex technical risks in clear, actionable terms to non-technical stakeholders and senior leadership.
  • Establish strong working relationships with key third parties in partnership with TPRM owners, managing accountability for required remediations, SLA adherence, and continuous control improvement.
  • Monitor risk trends for critical and high-risk third parties, escalating concerns when needed and advising on appropriate risk treatments.
  • Support contract reviews from a technology and security risk perspective, confirming the appropriate IT, security, and data protection requirements are embedded within contracts or statements of work and are aligned with regulatory and privacy standards.
  • Conduct remote reviews of third parties to assess their operations, controls, and compliance.
  • Confirm that third-party access to the company’s systems or data is disabled or revoked upon termination or inactivation of services.
  • Prepare and deliver reports, dashboards, and briefings to senior leadership, Risk Committees, and auditors/examiners.
  • Develop and maintain key performance and risk indicators to measure program effectiveness and inform senior leadership.
  • Align TPRM activities with regulatory frameworks and guidelines relevant to financial institutions, such as OCC, FDIC, FFIEC, GLBA, and NIST.
  • Maintain documentation, evidence, and artifacts to support audit readiness and regulatory examination expectations.
  • Collaborate with the Procurement team and other stakeholders to enhance the vendor evaluation and selection criteria.

What This Job Offers

Job Type

Full-time

Career Level

Director

Number of Employees

5,001-10,000 employees