
Third Party Risk

Company: TEKsystems
Location: New York City, NY
Posted: May 03, 2024

Description:

Job Description

Top Skills' Details

* Knowledgeable in multiple areas of technology, with hands-on experience and technical expertise across all Information Security domains

* Experienced with local, national, and international financial services and privacy regulations, such as GLBA, NYDFS, GDPR, CCPA, etc., and credit card industry standards, such as PCI-DSS.

* An agile thinker, passionate and energetic; highly collaborative, possessing strong cultural awareness

* Fantastic written and verbal communication skills

Job Description

In this role, the candidate will work closely with General Counsel Organization, Third Party Lifecycle Management, Global Procurement, and Global Business Units to ensure third parties adhere to security requirements.

The candidate will participate in and represent Information Security and IT Risk during contract negotiations relevant to third party cybersecurity oversight and will develop and maintain cybersecurity requirements for third parties.

Primary Responsibilities

* Provide Information Security subject matter expertise to General Counsel Organization, Third Party Lifecycle Management, Global Procurement, and Global Business Units organizations for the inclusion of Information Security and IT Risk requirements into third party supplier and non-supplier contracts

* Negotiate cybersecurity contractual addendums, riders, etc. directly with third party account managers, attorneys, and information security staff; effectively communicate requirements to technical and non-technical representatives of third parties

* Facilitate alignment across internal and external third party stakeholders

* Evaluate criticality of issues and advise internal stakeholders with a risk-based approach and an understanding of Business objectives

Additional Responsibilities

* Provide feedback to leadership, including regular reporting and metrics, in order to assist with the governance and overall growth of the third party security program

* Provide guidance during risk acceptance process relating to third parties

* Understand cybersecurity and regulatory issues specific to the third party landscape by connecting with peers, experts, standards organizations, and industry forums

* Provide training, including the development of training materials, to internal stakeholders

* Partner with internal stakeholders to develop, improve, and document processes

* Assist with and participate in third party cyber incident response and outreach activity as needed

Qualifications

* 7-10 years of experience, in positions of increasing responsibility, in Information Security risk assessments, cyber security operations, threat and vulnerability management, security architecture, or cyber security incident response

* Prior experience with contract negotiation

* Ability to effectively communicate and articulate Information Security risks

* Understanding of what information or assets are of value to threat actors and how organizations and data are breached, including through relationships with external third parties

* Strong familiarity with industry standards and control frameworks, risk assessment frameworks, security assurance auditing standards, best practices guidelines, such as ISO27001, NIST CSF, FAIR, SSAE16/18, CSA, CIS Top 20, OWASP Top 10, etc.

* Understanding of and experience with modern security controls, technologies, and procedures, including: vulnerability scanning, penetration testing, encryption, endpoint and anti-malware protection, network security, DLP systems, logging systems, physical security systems, etc.

* Strong familiarity with cloud based services, architectures, and underlying management frameworks

* Familiar with network architectures and data exchange protocols, such as API usage, secure file transfers, etc.

* Familiar with cyber resiliency, disaster recovery, and business continuity concepts

* Basic understanding of cyber incident response, investigation, and forensic analysis

* Must have excellent verbal and written communication skills, interpersonal collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences.

* Must possess the ability to multitask, prioritize, and manage time effectively

* Must be able to pay strong attention to detail

* Bachelor's degree in Cybersecurity, Computer Science or Information Systems, or equivalent combination of education and experience preferred

* CISSP, CISM or similar certifications preferred

***NOTE: some off-hours work may be required depending on candidate time zone.
