Senior Security Risk Analyst

Job Number: R0002544 Posted On: 06/10/2025 Location: San José, Provincia de San José Additional Locations: San Jose, San Jose, Costa Rica
Why Catalina? Catalina Marketing Costa Rica is part of the Catalina Group which is headquartered in the United States. The Catalina Group delivers omni-channel solutions to its customers with a long-standing history of rich data assets, but the company also recognizes its greatest asset is its people. The company’s guiding principles set the stage for winning in the markets we serve, and our potential is powerful. When you join the Catalina team, you will be part of an inclusive environment that embraces flexibility, community involvement, work-life balance as well as opportunities to grow professionally.

The Opportunity

The Senior Security Risk Analyst is a strategic leader and critical thinker who drives the organization’s efforts to mitigate risks associated with third-party vendors and service providers, while championing a robust security culture through the Security Awareness Program. This role ensures that external partnerships comply with stringent regulatory standards and internal policies, leveraging deep expertise in Third-Party Risk Management (TPRM) to conduct advanced risk assessments and implement proactive mitigation strategies.

The Senior Analyst actively engages in industry webinars, conferences, and professional networks to stay ahead of emerging TPRM risks and cyber threats, applying cutting-edge knowledge to enhance organizational resilience. As the leader of the Security Awareness Program, the Senior Analyst innovates and adapts strategies to counter sophisticated phishing techniques and social engineering tactics employed by bad actors, fostering a security-conscious workforce.

Reporting to the VP of Security and Risk and the CISO, this role oversees the day-to-day operations of TPRM and Security Awareness initiatives, providing strategic and operational recommendations to strengthen the organization’s security posture.

  • Lead Third-Party Risk Management (TPRM): Oversee the evaluation of third-party vendors and service providers, employing critical thinking to identify, assess, and mitigate complex risks, ensuring alignment with regulatory requirements (e.g., SOC2, ISO 27001, GDPR, NIST CSF) and internal policies.

  • Drive Strategic Collaboration: Partner with senior stakeholders, including the privacy team, procurement, legal, and business leaders, to integrate secure third-party services, providing expert guidance on TPRM best practices and risk mitigation strategies.

  • Enhance TPRM Processes: Design and refine TPRM frameworks, facilitating the completion and critical evaluation of risk management forms by vendors, ensuring comprehensive analysis of data privacy, security controls, and contractual obligations.

  • Stay Current on TPRM Trends: Actively participate in industry webinars, conferences, and professional forums to maintain up-to-date knowledge of TPRM risks, incorporating insights into organizational strategies to address evolving threats.

  • Lead Security Awareness Program: Innovate and manage the Security Awareness Program, developing targeted phishing campaigns and training initiatives to educate employees on security best practices, with a focus on countering advanced phishing techniques and social engineering attacks.

  • Adapt to Phishing Trends: Monitor and analyze bad actor phishing tactics, leveraging threat intelligence to dynamically adjust the Security Awareness Program, ensuring employees remain vigilant against emerging cyber threats.

  • Conduct Advanced Risk Assessments: Proactively identify vulnerabilities and compliance gaps in third-party relationships, using sophisticated risk assessment methodologies to safeguard organizational assets and data.

  • Develop Mitigation Strategies: Recommend and implement strategic risk mitigation plans, ensuring third-party services align with the company’s security standards and regulatory requirements.

  • Ensure Compliance: Monitor and enforce third-party adherence to regulatory standards and internal policies, minimizing legal and operational risks through rigorous oversight.

  • Maintain Robust Documentation: Oversee the creation and maintenance of accurate, audit-ready records of risk assessments, mitigation actions, and compliance activities to support decision-making and regulatory audits.

  • Support Audit Processes: Lead SOC2 and other audit engagements, collaborating with auditors and conducting advanced IT controls testing to validate the design and operational effectiveness of security measures.

  • Analyze Security Initiatives: Compile and analyze data from phishing campaigns and other security awareness activities, identifying trends, reporting on program effectiveness, and recommending strategic adjustments to senior leadership.

  • Vendor Engagement: Lead interactions with vendors to ensure thorough security assessments, embedding a security-first mindset from the onset of partnerships.

  • Educate Stakeholders: Provide thought leadership and training to internal stakeholders on TPRM processes and requirements, fostering a culture of risk awareness and compliance.

  • Drive Continuous Improvement: Proactively identify opportunities to enhance TPRM practices, security awareness programs, and compliance processes, adapting to the evolving threat landscape and regulatory requirements.

  • Strategic Recommendations: Provide actionable operational and strategic recommendations to the VP of Security and Risk and the CISO, aligning TPRM and security awareness initiatives with organizational goals.

  • Other Duties: Undertake additional tasks to support the security program, demonstrating flexibility and leadership in addressing emerging needs.

Qualifications

  • Bachelor’s degree in Information Security, Cybersecurity, Computer Science, Information Systems, or a related field; or equivalent experience. Advanced degrees (e.g., Master’s in Cybersecurity or MBA) are a plus.

  • Professional certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), or equivalent credentials focused on risk management, audit, and compliance are highly preferred.

  • 5–7 years of progressive experience in cybersecurity, with at least 3 years focused on conducting advanced risk assessments, leading TPRM programs, and managing compliance with industry standards and regulations.

  • TPRM Expertise: Demonstrated expertise in Third-Party Risk Management, with a proven track record of designing and implementing TPRM frameworks and mitigating complex vendor-related risks. Familiarity with TPRM assessment tools such as OneTrust is desired.

  • Active participation in webinars, conferences, and professional networks to stay current on TPRM risks and cybersecurity trends, with the ability to translate insights into actionable strategies.

  • Extensive experience leading Security Awareness Programs, including designing and executing sophisticated phishing campaigns and adapting strategies to address evolving social engineering tactics.

  • In-depth understanding of auditing standards, compliance frameworks (e.g., SOC2, ISO 27001, NIST CSF, GDPR, CCPA), and risk management methodologies, with expertise in evaluating and implementing advanced risk mitigation strategies.

  • Exceptional analytical and problem-solving skills, with the ability to assess complex risks, anticipate emerging threats, and develop innovative solutions.

  • Proven ability to lead cross-functional teams, influence senior stakeholders, and drive strategic initiatives in TPRM and security awareness.

  • Outstanding verbal and written communication skills in English, with the ability to articulate complex security concepts to diverse audiences, including vendors, executives, and global teams, while fostering collaboration across cultural backgrounds.

  • Strong project management skills, with experience leading TPRM and security awareness initiatives, managing timelines, and delivering measurable outcomes.

  • Flexibility to accommodate U.S. and UK business hours, ensuring effective leadership and collaboration with internal and external stakeholders across global regions.

  • Ability to thrive in a dynamic environment, staying ahead of evolving cyber threats and regulatory changes while driving continuous improvement.

The intent of this job description is to describe the major duties and responsibilities performed by incumbents of this job. Incumbents may be required to perform job-related tasks other than those specifically included in this description.

All duties and responsibilities are essential job functions and requirements and are subject to possible modification to reasonably accommodate individuals with disabilities.

This position may be performed as a hybrid position.

About Catalina

Catalina is a leader in shopper intelligence and precisely targeted in-store, TV and digital media that personalizes the shopper journey. Powered by an unrivaled real-time shopper database and AI-optimized data science, Catalina helps retailers, CPG brands and agencies optimize every stage of media planning, execution and measurement to deliver more than $6 billion in consumer value annually. Catalina has no higher priority than ensuring the privacy and security of the data entrusted to the company and maintaining consumer trust. Catalina has operations in the United States, Costa Rica and Europe. To learn more, please visit www.catalina.com or follow us on LinkedIn.

We are committed to investing in, empowering, and retaining a more inclusive community within our company. We are dedicated to hiring the best and brightest from all backgrounds, experiences, and perspectives. We believe that true innovation happens when everyone has a seat at the table and a voice to be heard. Our goal is to ensure that all our talented professionals are equipped with support, resources, and the opportunity to excel.

Catalina values your privacy and is committed to protecting your personal information. Please review our privacy policy, which provides details on how we process the data you provided for job applications.

We are committed to providing equal employment opportunities to all individuals and maintaining a safe, drug-free workplace in compliance with Costa Rican labor laws.
