IT 3rd Party Risk Manager POST NUMBER: 441523
The Opportunity
The Manager, IT Third-Party Risk is a key leadership role responsible for overseeing and enhancing our client's third-party risk management program, ensuring that vendors, suppliers, and partners comply with security, regulatory, and operational risk requirements. This role is critical in assessing and mitigating cybersecurity, compliance, and operational risks associated with third-party relationships. The ideal candidate will have hands-on experience in vendor assessments, contract security requirements, risk analysis, and compliance monitoring while being able to communicate effectively with internal and external stakeholders.
Additionally, this role will be instrumental in implementing and managing GRC (Governance, Risk, and Compliance) tooling, such as OneTrust, and will be involved in privacy-related initiatives, including privacy policy updates, Data Subject Access Requests (DSAR), and cookie consent management. The Third-Party Risk Manager will also drive automation and efficiency within the vendor risk assessment lifecycle, ensuring streamlined compliance tracking and real-time risk visibility.
What You Will Contribute
- Develop and execute the third-party risk management (TPRM) strategy, ensuring alignment with industry standards and regulatory requirements.
- Conduct third-party security risk assessments, including vendor onboarding evaluations, periodic reviews, and contract risk analysis.
- Work closely with procurement, legal, compliance, and IT teams to integrate risk-based decision-making into vendor selection and management.
- Ensure third-party compliance with NIST Cybersecurity Framework (CSF), ISO 27001, FDA, HIPAA, GxP, and other relevant industry standards.
- Monitor vendor performance, security posture, and compliance with contractual obligations, ensuring continuous risk oversight.
- Develop and maintain a third-party risk register, tracking identified risks, mitigation plans, and remediation progress.
- Manage the third-party risk assessment lifecycle, including initial due diligence, ongoing monitoring, and vendor exit strategies.
- Oversee risk scoring methodologies and implement automation to streamline vendor risk evaluation processes.
- Implement and manage GRC tooling, such as OneTrust, to automate risk assessments, compliance tracking, and vendor monitoring.
- Participate in privacy tracking and compliance efforts, including privacy policy updates, DSAR processing, and cookie consent management.
- Drive incident response preparedness for third-party security breaches, ensuring rapid containment and remediation.
- Provide executive-level reporting on third-party risk trends, key risks, and mitigation strategies to senior leadership.
- Partner with business stakeholders to assess the impact of vendor risks on commercial readiness and operational resilience.
- Establish a continuous improvement program for third-party risk, leveraging data analytics and threat intelligence to enhance decision-making.
What We Seek
- Bachelor’s degree in Information Security, Risk Management, Business, or a related field (or equivalent experience).
- 8 years of overall experience
- 5 years in third-party risk management, vendor risk assessment, or IT security risk management.
- Strong understanding of cybersecurity frameworks, regulatory compliance (FDA, HIPAA, GxP), and enterprise risk management methodologies.
- Experience with vendor risk management platforms (e.g., Archer, OneTrust, ServiceNow VRM, or similar tools).
- Proven experience integrating TPRM strategies into broader cybersecurity and IT risk management programs.
- Strong negotiation and communication skills to engage with vendors, legal teams, and business stakeholders.
- Ability to translate technical risk findings into business-focused recommendations for executive decision-making.
- Prior experience working in biotech, pharmaceuticals, or highly regulated industries is preferred.
- Experience with privacy-related processes such as DSAR handling, cookie consent management, and privacy policy updates is a plus.
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Third Party Risk Professional (CTPRP)
- Certified Information Systems Security Professional (CISSP)
- ISO 27001 Lead Auditor or equivalent experience
- Certified in Risk and Information Systems Control (CRISC) (Preferred for risk management expertise)
Vaco by Highspring values a diverse workplace and strongly encourages women, people of color, LGBTQ+ individuals, people with disabilities, members of ethnic minorities, foreign-born residents, and veterans to apply.
EEO Notice
Vaco by Highspring is an Equal Opportunity Employer and does not discriminate against any employee or applicant for employment because of race (including but not limited to traits historically associated with race such as hair texture and hair style), color, sex (includes pregnancy or related conditions), religion or creed, national origin, citizenship, age, disability, status as a veteran, union membership, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, political affiliation, or any other protected characteristics as required by federal, state or local law.
Vaco by Highspring and its parents, affiliates, and subsidiaries are committed to the full inclusion of all qualified individuals. As part of this commitment, Vaco by Highspring and its parents, affiliates, and subsidiaries will ensure that persons with disabilities are provided reasonable accommodations. If reasonable accommodation is needed to participate in the job application or interview process, to perform essential job functions, and/or to receive other benefits and privileges of employment, please contact HR@vaco.com .
Vaco by Highspring also wants all applicants to know their rights that workplace discrimination is illegal.
By submitting to this position, you agree that you will be giving Vaco by Highspring the exclusive right to present your as a candidate for the foregoing employment opportunity. You further agree that you have represented information about yourself accurately and have not affirmatively misrepresented your qualifications. You also agree to maintain as confidential, to the fullest extent permitted by law, any information you learn from Vaco by Highspring about the position and you will limit disclosure of information about the position only to the extent necessary to perform any obligations in furtherance of your application. In exchange, Vaco by Highspring agrees to exercise reasonable efforts to represent you through all solicitation, job screening and resume dispersal.
Privacy Notice
Vaco by Highspring and its parents, affiliates, and subsidiaries (“we,” “our,” or “Vaco by Highspring”) respects your privacy and are committed to providing transparent notice of our policies.
- California residents may access Vaco by Highspring HR Notice at Collection for California Applicants and Employees here.
- Virginia residents may access our state specific policies here.
- Residents of all other states may access our policies here.
- Canadian residents may access our policies in English here and in French here.
- Residents of countries governed by GDPR may access our policies here.
Pay Transparency Notice
Determining compensation for this role (and others) at Vaco by Highspring depends upon a wide array of factors including but not limited to:
- the individual’s skill sets, experience and training;
- licensure and certification requirements;
- office location and other geographic considerations;
- other business and organizational needs.
With that said, as required by local law, Vaco by Highspring believes that the following salary range referenced above reasonably estimates the base compensation for an individual hired into this position in geographies that require salary range disclosure. The individual may also be eligible for discretionary bonuses.