Third Party Cyber Risk Program Manager

We are looking for a highly skilled and dynamic professional to join our team as a Third Party Cyber Risk Assessor & Program Manager, responsible for leading and conducting third-party cyber risk assessments for a global client portfolio.

In this position, you will be responsible for leading comprehensive cybersecurity risk assessments for third-party vendors, suppliers, and partners, while simultaneously managing the overall third-party risk assessment program. The ideal candidate will have technical expertise in cyber risk management as well as strong program management and audit skills to oversee the successful execution of third-party assessments at scale.

While this position is remote, it will have a preference towards people in the Dallas area to be closer to the client stakeholder.

  • Lead and conduct detailed cybersecurity risk assessments (audits) for third-party vendors, including reviewing their information security practices, policies, and controls.
  • Assess third-party vendor security risks across multiple domains, including data protection, network security, identity & access management, and incident response.
  • Identify and evaluate gaps and/or deficiencies in cybersecurity technical and/or policy/procedure controls.
  • Perform thorough due diligence on third-party suppliers and partners, identifying potential vulnerabilities and risks that could impact the organization.
  • Recommend solutions and alternatives to remediate gaps and/or deficiencies in cybersecurity technical and/or policy/procedure controls.
  • Independently lead assessment meetings with clients and third parties to evaluate the implementation of cyber controls.
  • Collaborate closely with global line management and regional colleagues on delivery, client management and internal and client communications.
  • Master client’s proprietary security and contractual standards.
  • Apply recognized cybersecurity frameworks and standards (e.g., NIST, ISO 27001, CIS Controls) in risk assessments and audits.
  • Document findings, assessment processes, and recommended actions in a clear, concise, and actionable manner.
  • Stay up to date with the latest trends, threats, and regulatory changes in cybersecurity and risk management.

Program Management of Third-Party Cyber Risk Assessments:

  • Execute the third-party risk assessment program to ensure comprehensive coverage across the global client portfolio.
  • Evolve existing processes and methodologies for third-party assessments, ensuring consistency, quality, and efficiency.
  • Oversee the day-to-day execution of the third-party risk assessment program, coordinating across global teams and managing timelines, resources, and priorities.
  • Track progress, assess risks to program timelines, and ensure alignment with organizational goals and business objectives.
  • Regularly report on program status, risk assessments, and findings to senior leadership and other stakeholders.
  • Provide expert insights on the impact of third-party risks to the broader organization and guide executive decision-making.
  • Continuously evaluate and refine third-party risk assessment processes, looking for opportunities to improve efficiency, scalability, and integration with other risk management functions.
  • Lead initiatives to incorporate automation, tools, and platforms that streamline the assessment process and enhance data-driven decision-making.
  • Manage a small global team of assessors or support staff, providing leadership, mentoring, and ensuring successful completion of assessments and program deliverables.
  • Support hiring, training, and development of team members to build a high-performing program management team.
  • Bachelor’s degree in Cybersecurity, Information Technology, Risk Management, or a related field (or equivalent experience).
  • 8+ years of experience in cybersecurity, risk management, or IT auditing, with at least 3 years focused on third-party risk assessments and program management.
  • Proven experience in both hands-on cyber risk assessment and program management in a global environment.
  • Experience working in the Healthcare industry is required.
  • Demonstrable expertise leading the delivery of assessments based on cybersecurity standards and frameworks such as NIST CSF 2.0, ISO 27001 and 27002, SOC2, Center for Internet Security (CIS) best practices, PCI-DSS, CSA Cloud Controls Matrix, GDPR, HIPAA, HITRUST, etc.
  • Hands-on experience with tools and platforms used for third-party risk assessments, vulnerability scanning, and audit processes.
  • Strong understanding of information security domains such as access control, encryption, vulnerability management, network security, and incident response.
  • Evidence of supporting clients in overcoming cybersecurity challenges in a broad array of sectors, which may include, but is not limited to: Technology, Financial Services, and Retail.
  • A deep understanding of governance, standards, and compliance as they pertain to cyber security.
  • Ability to analyze complex security data and translate findings into industry-specific recommendations.
  • Strong communication skills with the ability to effectively present risk findings and recommendations to senior leadership and non-technical stakeholders.

Preferred Qualifications

  • Certifications: CISSP, CISM, CRISC, CISA, SCP, CCNP, ISO 27001 Lead Auditor or other relevant security or risk management certifications.
  • Experience working in a global organization and understanding of the challenges involved in managing risks across multiple jurisdictions.
  • Experience managing global programs and understanding of the complexities associated with vendor relationships in diverse geographical regions.
  • Control Risks offers a competitively positioned compensation and benefits package that is transparent and summarized in the full job offer.
  • We operate a discretionary bonus scheme that incentivizes and rewards individuals based on company and individual performance.
  • Control Risks supports hybrid working arrangements, wherever possible, that emphasize the value of in-person time together - in the office and with our clients - while continuing to support flexible and remote working.

Control Risks is committed to a diverse environment and is proud to be an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age or veteran status. If you require any reasonable adjustments to be made in order to participate fully in the interview process, please let us know and we will be happy to accommodate your needs.

Control Risks participates in the E-Verify program to confirm employment authorization of all newly hired employees. The E-Verify process is completed during new hire onboarding and completion of the Form I-9, Employment Eligibility Verification, at the start of employment. E-Verify is not used as a tool to pre-screen candidates. For more information on E-Verify, please visit www.uscis.gov.

Average salary estimate

$115,000 / yearly (est.), min $100,000, max $130,000

If an employer mentions a salary or salary range on their job, we display it as an "Employer Estimate". If a job has no salary data, Rise displays an estimate if available.

Experts in risk and opportunity Control Risks is a global specialist risk consultancy that helps to create secure, compliant and resilient organisations. Combining unrivalled expertise, experience and reach with the power of data and technology, ...

Employment type: Full-time, remote
Date posted: April 19, 2025