Sr. Manager of Cybersecurity, Third Party Risk

Job Description
Position Summary

The Sr. Manager of Cybersecurity Third-Party Risk Management leads the enterprise program responsible for identifying, assessing, monitoring, reporting, and reducing cybersecurity risks introduced by suppliers, vendors, service providers, contractors, technology partners, SaaS platforms, cloud providers, managed service providers, and other third parties.

This role exists to establish and mature a risk-based third-party cybersecurity risk management program aligned to enterprise risk appetite and business priorities, ensure cybersecurity due diligence is performed before onboarding, renewal, material change, or expansion of third-party services, provide executive visibility into third-party cyber risk exposure, remediation status, systemic supplier risk, and program maturity, to reduce cyber, regulatory, operational, privacy, resiliency, and reputational risk associated with third-party relationships.

This position is a hybrid work model (4 days in office, 1 day work from home) based in our corporate headquarters in Raleigh, NC.

Key Responsibilities
Program Governance and Strategy

• Lead the enterprise Cybersecurity Third-Party Risk Management program, including strategy, operating model, governance, policies, standards, procedures, assessment methodology, and reporting.
• Develop and maintain risk-based third-party cybersecurity requirements aligned to NIST CSF 2.0, NIST 800-161, SOC 2, PCI DSS, privacy obligations, and enterprise security standards.
• Define and maintain the third-party cyber risk lifecycle, including intake, inherent risk scoring, due diligence, control assessment, remediation, risk acceptance, ongoing monitoring, renewal review, material change review, and offboarding.
• Establish governance forums and escalation paths for high-risk vendors, overdue remediation, policy exceptions, and material cyber risk decisions.
• Continuously improve program maturity, automation, workflow efficiency, stakeholder experience, and audit readiness.

Vendor Cybersecurity Risk Assessments

• Oversee cybersecurity risk assessments for new and existing vendors.
• Evaluate vendor controls across identity and access management, network security, cloud security, application security, data protection, encryption, vulnerability management, endpoint protection, logging and monitoring, incident response, disaster recovery, secure SDLC, privacy, and governance.
• Review evidence such as SOC 2 Type II reports, ISO 27001 certificates, bridge letters, penetration test summaries, vulnerability scan results, SIG/CAIQ questionnaires, security policies, architecture diagrams, audit reports, and remediation plans.
• Determine residual risk and provide recommendations for approval, conditional approval, remediation, escalation, risk acceptance, or vendor rejection.

Contractual Cybersecurity Requirements

• Partner with Legal, Procurement, Privacy, Compliance, and business teams to ensure cybersecurity requirements are embedded in vendor contracts and statements of work.
• Review and advise on contractual clauses related to security controls, breach notification, incident cooperation, right to audit, data protection, encryption, access control, regulatory compliance, cyber insurance, subcontractors, business continuity, data retention, and secure data destruction.
• Track deviations from standard cybersecurity terms, document risk implications, and route exceptions for appropriate approval.

Ongoing Monitoring and Remediation

• Operate ongoing monitoring for high-risk and critical vendors, including security ratings, public breach intelligence, certification expiration, control failures, vulnerability exposure, service disruptions, and material business changes.
• Maintain a centralized view of open vendor cyber findings, remediation commitments, accepted risks, compensating controls, and exceptions.
• Drive remediation of vendor control gaps from identification through validation and closure.
• Escalate overdue or unacceptable vendor risks through cybersecurity governance, procurement governance, enterprise risk forums, or executive leadership as appropriate.
• Partner with business owners to ensure vendor risk decisions are understood, documented, and aligned to enterprise risk appetite.

Fourth-Party and Supply Chain Risk

• Assess cybersecurity risks associated with subcontractors, subprocessors, hosting providers, offshore delivery models, managed service delivery chains, and other fourth-party dependencies.
• Identify concentration risk related to common technology platforms, critical suppliers, geographic dependencies, cloud service providers, and systemic service providers.
• Require transparency into material subcontractors and downstream access to company data or systems.
• Partner with business continuity, resilience, procurement, and enterprise risk teams to evaluate critical supplier resilience and recovery capabilities.

Metrics, Reporting, and Executive Communication

• Develop executive-level metrics, dashboards, and risk narratives showing third-party cyber risk posture, critical vendor coverage, assessment volume, remediation aging, risk acceptance trends, contractual coverage, and program maturity.
• Report third-party cyber risk trends to cybersecurity leadership, enterprise risk committees, , audit stakeholders, and executive leadership.
• Translate technical findings into business risk language that enables informed decisions by senior leaders and business owners.
• Prepare materials for audit, regulatory inquiries, board reporting, and internal governance reviews as needed.

Required Qualifications

• Bachelor's degree in Cybersecurity, Information Technology, Information Systems, Risk Management, Business, or a related field, or equivalent experience.
• 8+ years of experience in cybersecurity, third-party risk management, vendor risk management, technology risk, IT audit, governance/risk/compliance, or related disciplines.
• 3+ years of leadership experience managing people, programs, or cross-functional risk initiatives.
• Demonstrated experience operating cybersecurity risk management processes in a large enterprise, publicly traded, highly regulated, or Fortune 500 environment.
• Strong understanding of cybersecurity control domains, including identity, cloud, network, endpoint, application security, data protection, vulnerability management, logging/monitoring, incident response, and resilience.
• Experience reviewing vendor security evidence, including SOC 2, ISO 27001, SIG/CAIQ, penetration test summaries, vulnerability reports, audit reports, and remediation plans.
• Experience partnering with Procurement and Legal on cybersecurity terms and vendor contract negotiations.
• Ability to communicate cyber risk clearly to technical teams, business stakeholders, executives, legal partners, auditors, and risk committees.
• Strong judgment, prioritization, program management, issue management, and stakeholder influence skills.

Preferred Qualifications

• Experience with ServiceNow GRC/IRM, Archer, OneTrust, ProcessUnity, Coupa, Ariba, Prevalent, BitSight, SecurityScorecard, UpGuard, or similar third-party risk platforms.
• Knowledge of NIST CSF 2.0, NIST SP 800-161, ISO 27001, SOC 2 Trust Services Criteria, PCI DSS, SOX, GDPR/CCPA, and SEC cybersecurity disclosure expectations.
• Professional certification such as CISSP, CISM, CRISC, CISA, CCSP, CCSK, CDPSE, ISO 27001 Lead Auditor/Implementer, or third-party risk management certification.
• Experience with critical suppliers, cloud service providers, managed service providers, offshore support models, payment processors, data processors, and operationally critical vendors.
• Experience supporting board, audit committee, enterprise risk committee, or executive-level cybersecurity reporting.
• Experience transforming or scaling a third-party cyber risk program across a complex supplier ecosystem.

We are an Equal Opportunity Employer and do not discriminate against any employee or applicant for employment because of race, color, sex, age national origin, religion, sexual orientation, gender identity, status as a veteran and basis of disability or any other federal, state or local protected class. We comply with all applicable federal, state, and local laws.

California Residents click below for Privacy Notice: