Senior Third-Party Risk Analyst
Top 3 Skills
- Third-Party Risk Management (TPRM) - hands-on vendor assessment lifecycle from intake through remediation
- Security framework fluency - SOC 2, ISO 27001, NIST CSF, FedRAMP, PCI DSS
- Risk communication - ability to translate complex findings for both technical teams and executive stakeholders
What You'll Do
- Lead end-to-end risk assessments for new and existing vendors, covering cybersecurity posture and regulatory compliance
- Review vendor-submitted security questionnaires, SOC 2 reports, ISO certifications, and audit documentation
- Coordinate directly with vendors to validate security controls and drive remediation timelines
- Classify vendors into risk tiers and maintain a live vendor risk database
- Partner with Procurement, Legal, Privacy, and InfoSec on contract reviews and supplier security standards
- Monitor ongoing supplier risk profiles and flag changes that require escalation
- Identify automation opportunities within the assessment workflow to reduce manual overhead
- Contribute to broader InfoSec risk initiatives beyond the vendor program
What We Need From You
- 6+ years in third-party risk assessment, vendor governance, or information security risk management
- Working knowledge of ISO 27001/27002, SOC 2, NIST CSF, FedRAMP, and PCI DSS
- Experience managing multiple concurrent vendor assessments without dropping the ball
- Strong written and verbal communication - you can brief a CISO and a procurement manager in the same day
- Bachelor's degree in Cybersecurity, Information Security, Risk Management, Computer Science, or a related field
Bonus If You Have
- Active certifications: CISA, CISM, CISSP, or CRISC
- Exposure to ISO 27017/27018 cloud security extensions
- Experience with Coupa, OneTrust, JIRA, or Coverbase
A Few Things to Know
- You'll be expected to build cross-functional relationships across multiple internal teams
- This role sits within a dedicated TPRM function - you won't be context-switching into unrelated IT work