Senior Program Manager - IT

7 - 10 years

3 - 6 Lacs

Posted: 4 hours ago | Platform: Foundit

Work Mode

On-site

Job Type

Full Time

Job Description

Key Duties & Responsibilities:

Program Leadership & Governance

  • Design, implement, and mature the Third-Party Cyber Risk Management Program aligned with frameworks such as NIST CSF, ISO 27001, HIPAA, CIS Controls, and SOC2.
  • Develop and maintain policies, standards, and procedures governing vendor security due diligence, onboarding, monitoring, and offboarding.
  • Establish the security exhibit for vendor contracts, enforce compliance with it, and revise it wherever needed.
  • Lead governance committees or working groups to discuss vendor risk posture, key issues, and remediation progress with business, procurement, and legal teams.
  • Define and track Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for vendor risk and present them to leadership and risk committees.

Vendor Risk Assessment & Due Diligence

  • Oversee end-to-end third-party risk assessments including questionnaires, evidence review, and validation of security controls.
  • Evaluate vendors against recognized security frameworks (e.g., SOC 2, ISO 27001, PCI DSS, NIST CSF, HIPAA/HITRUST).
  • Manage inherent and residual risk scoring models to prioritize vendors based on business impact and data sensitivity.
  • Perform or oversee onsite or virtual vendor audits for high-risk vendors and ensure timely closure of identified gaps.
  • Work closely with Procurement and Legal to integrate cybersecurity clauses and right-to-audit provisions in vendor contracts.

Continuous Monitoring & Remediation

  • Implement and manage continuous monitoring tools and processes (e.g., SecurityScorecard, Recorded Future) to detect changes in vendor security posture.
  • Ensure that remediation plans are documented, tracked, and closed within defined SLAs.
  • Coordinate periodic reassessments of critical and high-risk vendors to verify ongoing compliance.
  • Manage escalation processes for non-compliant or high-risk vendors, including executive reporting and remediation oversight.
  • Perform internal audits against client security requirements to proactively prepare for client reviews and improve organizational security posture.

Collaboration & Stakeholder Management

  • Partner with Business Units, Procurement, Legal, Privacy, and IT Security teams to ensure security risk is addressed in all third-party engagements.
  • Collaborate with Legal and Compliance to support external audits and regulatory reviews involving third-party risk.
  • Provide subject matter expertise during M&A due diligence, supplier transitions, or strategic partnerships.
  • Deliver training and awareness to business and procurement teams on vendor security best practices.

Reporting & Metrics

  • Maintain a vendor risk register and ensure accurate documentation of risk decisions, exceptions, and compensating controls.
  • Prepare executive dashboards and periodic reports summarizing vendor risk trends, findings, and remediation status.
  • Support board-level reporting on supply chain and vendor cyber risks.

Qualification:

Bachelor's or Master's degree in Technology, Cybersecurity, Risk Management, or a related field.

Experience, Skills and Knowledge:

  • 7-10 years of total experience in information security, risk, or compliance roles.
  • At least 5 years of direct experience in third-party or vendor cyber risk management.
  • Strong understanding of supply chain security, cloud vendor assessments, data privacy, and regulatory compliance (HIPAA, PCI DSS, GDPR, etc.).
  • Experience using GRC and vendor risk management platforms (e.g., Archer, AuditBoard, or similar).
  • Proven track record of leading remediation governance and cross-functional collaboration across business, IT, and legal teams.
  • Proven experience managing third-party cybersecurity risk and audit programs at scale.
  • Excellent communication skills, with the ability to interface with clients, vendors, and operational, legal, and IT leadership.

Key competency profile:

  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • HITRUST CCSFP or ISO 27001 Lead Implementer
