A Third Party Technology Assurance Lead plays a critical role in safeguarding an organisations technology landscape by managing and assessing the risks associated with third-party vendors and service providers. The Lead proactively analyses, monitors, and assures the compliance, security, and operational effectiveness of external technology services upon which the organisation relies. This position is vital in a world where organisations increasingly depend on external partners for software, cloud infrastructure, and data processing, making assurance and oversight of third parties a top priority for operational resilience and regulatory compliance.
Key Responsibilities
- Third Party Risk Assessments: Conduct comprehensive risk assessments of third party technology vendors and service providers. Evaluate security postures, technical controls, and compliance with organisational and regulatory requirements before onboarding and throughout the partnership lifecycle.
- Due Diligence Activities: Lead and support due diligence efforts by gathering, reviewing, and analysing documentation such as SOC1/SOC2 reports, ISO certifications, data protection agreements, GDPR and other compliance artefacts.
- Ongoing Monitoring: Continuously monitor third party technology services for changes in risk profile, compliance status, or incidents. Maintain updated records and risk ratings, and ensure periodic re-assessment in line with organisational policies.
- Vendor Risk Scoring & Reporting: Develop and update risk scoring models for technology vendors. Produce regular management reports and dashboards highlighting risk trends, non-conformities, and remediation progress.
- Incident Management: Participate in the identification, escalation, and remediation of incidents involving third party technology services. Coordinate with internal stakeholders to ensure effective response and lessons learned.
- Contractual Control Reviews: Review and advise on contract terms with technology vendors, ensuring that security, confidentiality, and compliance clauses are embedded and enforceable.
- Policy & Framework Development: Contribute to the development, maintenance, and enhancement of third-party risk management policies, standards, and guidelines aligned with best practices (e.g., NIST, ISO 27001)
- Stakeholder Engagement: Work closely with procurement, legal, information security, compliance, and business teams to build awareness and understanding of third-party risks and controls.
- Audit Preparation & Support: Assist in the preparation for internal and external audits related to third-party technology risk. Provide evidence, documentation, and subject matter expertise as required.
- Market Intelligence: Stay current with emerging risks, regulatory changes, and best practices in third-party technology risk and assurance.
Required Skills and Qualifications
- Education: Bachelors degree in Information Technology, Cybersecurity, Computer Science, Risk Management, or related field. Professional certifications (e.g., CISA, CISM, CRISC, CISSP) are highly desirable.
- Experience: 10+ years of experience in technology risk management, third party security assessments, or audit/assurance roles, preferably within financial services, healthcare, or other regulated industries.
- Technical Knowledge: Understanding of IT infrastructure, cloud architectures, SaaS platforms, and data protection frameworks. Familiarity with common security controls and risk management methodologies.
- Regulatory Awareness: Solid knowledge of relevant regulations and standards (e.g., GDPR, HIPAA, SOX, PCI DSS, NIST, ISO 27001).
- Analytical & Problem Solving: Strong analytical skills to identify, assess, and mitigate complex technology risks. Ability to evaluate large amounts of information and make informed recommendations.
- Communication: Excellent verbal and written communication skills for preparing reports, presenting findings, and influencing stakeholders at all organisational levels.
- Organisational Skills: Demonstrated ability to manage multiple priorities, meet deadlines, and adapt in a fast-paced environment.
- Attention to Detail: High degree of accuracy and attention to detail in reviewing documentation and risk artefacts.
- Collaboration: Effective team player with a proactive approach to cross-functional projects and initiatives.
- Continuous Learning: Eagerness to stay abreast of technological advancements, threat landscapes, and evolving assurance techniques.
Desirable Skills and Competencies
- Automation and Tooling: Experience with third-party risk management platforms, GRC (Governance, Risk, and Compliance) tools, and automation of risk assessment processes.
- Project Management: Familiarity with project management methodologies and the ability to drive assurance initiatives from inception to completion.
- Innovation: Ability to recommend and implement process improvements to increase the efficiency and effectiveness of third-party risk management activities.
- Negotiation: Confidence in negotiating with vendors to achieve favourable assurance and compliance terms.
- Presentation Skills: Experience delivering risk-related findings and assurance updates to senior management, boards, or external regulators.
