IT 3rd Party Risk Manager

POST NUMBER: 441523

San Diego, CA

The Opportunity

The Manager, IT Third-Party Risk is a key leadership role responsible for overseeing and enhancing our client's third-party risk management program, ensuring that vendors, suppliers, and partners comply with security, regulatory, and operational risk requirements. This role is critical in assessing and mitigating cybersecurity, compliance, and operational risks associated with third-party relationships. The ideal candidate will have hands-on experience in vendor assessments, contract security requirements, risk analysis, and compliance monitoring while being able to communicate effectively with internal and external stakeholders.


Additionally, this role will be instrumental in implementing and managing GRC (Governance, Risk, and Compliance) tooling, such as OneTrust, and will be involved in privacy-related initiatives, including privacy policy updates, Data Subject Access Requests (DSAR), and cookie consent management. The Third-Party Risk Manager will also drive automation and efficiency within the vendor risk assessment lifecycle, ensuring streamlined compliance tracking and real-time risk visibility.


What You Will Contribute

  • Develop and execute the third-party risk management (TPRM) strategy, ensuring alignment with industry standards and regulatory requirements.
  • Conduct third-party security risk assessments, including vendor onboarding evaluations, periodic reviews, and contract risk analysis.
  • Work closely with procurement, legal, compliance, and IT teams to integrate risk-based decision-making into vendor selection and management.
  • Ensure third-party compliance with NIST Cybersecurity Framework (CSF), ISO 27001, FDA, HIPAA, GxP, and other relevant industry standards.
  • Monitor vendor performance, security posture, and compliance with contractual obligations, ensuring continuous risk oversight.
  • Develop and maintain a third-party risk register, tracking identified risks, mitigation plans, and remediation progress.
  • Manage the third-party risk assessment lifecycle, including initial due diligence, ongoing monitoring, and vendor exit strategies.
  • Oversee risk scoring methodologies and implement automation to streamline vendor risk evaluation processes.
  • Implement and manage GRC tooling, such as OneTrust, to automate risk assessments, compliance tracking, and vendor monitoring.
  • Participate in privacy tracking and compliance efforts, including privacy policy updates, DSAR processing, and cookie consent management.
  • Drive incident response preparedness for third-party security breaches, ensuring rapid containment and remediation.
  • Provide executive-level reporting on third-party risk trends, key risks, and mitigation strategies to senior leadership.
  • Partner with business stakeholders to assess the impact of vendor risks on commercial readiness and operational resilience.
  • Establish a continuous improvement program for third-party risk, leveraging data analytics and threat intelligence to enhance decision-making.

What We Seek

  • Bachelor’s degree in Information Security, Risk Management, Business, or a related field (or equivalent experience).
  • 8 years of overall experience
  • 5 years in third-party risk management, vendor risk assessment, or IT security risk management.
  • Strong understanding of cybersecurity frameworks, regulatory compliance (FDA, HIPAA, GxP), and enterprise risk management methodologies.
  • Experience with vendor risk management platforms (e.g., Archer, OneTrust, ServiceNow VRM, or similar tools).
  • Proven experience integrating TPRM strategies into broader cybersecurity and IT risk management programs.
  • Strong negotiation and communication skills to engage with vendors, legal teams, and business stakeholders.
  • Ability to translate technical risk findings into business-focused recommendations for executive decision-making.
  • Prior experience working in biotech, pharmaceuticals, or highly regulated industries is preferred.
  • Experience with privacy-related processes such as DSAR handling, cookie consent management, and privacy policy updates is a plus.

Preferred Certifications or Equivalent Experience

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Third Party Risk Professional (CTPRP)
  • Certified Information Systems Security Professional (CISSP)
  • ISO 27001 Lead Auditor or equivalent experience
  • Certified in Risk and Information Systems Control (CRISC) (Preferred for risk management expertise)
Posted 2025-07-30
