Senior Vendor Security Risk Management Analyst
FM · Johnston, RI · 1 wk ago
RemoteRemoteFinance$106k–$152k/yrFull-time
Key Responsibilities
- Lead end-to-end third-party solution risk assessments and vendor security reviews across the vendor lifecycle, including due diligence, onboarding, ongoing monitoring, and reassessments.
- Evaluate vendor security programs, control effectiveness, and governance, along with deep-dive assessment of the specific product being implemented including solution architecture, data flows, and integration points.
- Identify and communicate inherent and residual cyber risks related to data protection, privacy, IAM, privileged access, system connectivity, and external attack surface exposure.
- Review and interpret security documentation, including SOC 1/SOC 2 reports, ISO 27001 certifications, audit reports, architecture diagrams, data flow diagrams, and technical configurations.
- Recommend practical risk mitigation strategies, including compensating controls, secure design changes, and contractual safeguards to support risk-informed decisions.
- Partner with business, technology, procurement, and legal teams to support risk acceptance, exception management, and third-party risk governance.
- Contribute to the evolution of FM’s third-party risk management framework, methodology, and standards in alignment with NIST, ISO 27001, NYDFS, and other applicable regulatory expectations.
Qualifications
- 5+ years of experience in cybersecurity, information security, or cyber risk, with a background in third-party risk management (TPRM), IT risk, audit, incident response, or access management.
- Experience assessing vendor security posture in cloud (SaaS/PaaS) and enterprise environments.
- Strong understanding of systems, networks, application architecture, cloud security, and secure system design across AWS, Azure, SaaS, PaaS, APIs, and enterprise integrations.
- Experience evaluating data flows, data classification, data protection, data governance, and secure data handling practices.
- Knowledge of IAM, SSO, federation, privileged access, cyber threats, vulnerabilities, and attack methodologies.
- Ability to interpret SOC 1, SOC 2, ISO certifications, and other third-party assurance artifacts to identify control gaps and residual risk.
- Risk & Analysis: Ability to identify, assess, and clearly communicate complex cyber risks, trade-offs, and residual risk. Experience recommending practical, business-aligned risk based mitigation strategies, including compensating controls and secure design changes. Strong analytical judgment, attention to detail, and risk-based decision-making.
- Collaboration & Communication: Ability to translate technical findings into clear, business-relevant insights and recommendations. Strong stakeholder management and partnership across business, technology, procurement, and legal teams. Collaborative, solutions-focused mindset with strong influencing skills in a fast-paced assessment environment. High degree of professional skepticism and curiosity when evaluating vendor claims and evidence.
- Tools & Certifications: Proficiency with Microsoft Office tools. Relevant certifications such as CISSP, CISA, CSA, CISM, Security+, GIAC, CEH, or similar are strongly desired.