Overview
How you can make a difference
HealthEquity relies on a broad ecosystem of third party partners, vendors, platforms, and service providers to support member, client, and teammate experiences while protecting trust, resilience, and compliance. The Director of 3rd Party Risk is a strategic leadership role responsible for overseeing and evolving the 3rd party (third-party) risk management program into an enterprise-wide, AI-aware risk governance capability.
In this role, you will drive a pragmatic, measurable program that defines “what good looks like” across vendor tiers, incorporates AI and agentic system risks into due diligence and lifecycle oversight, and aligns third party risk practices with enterprise strategy, regulatory expectations, resiliency objectives, and business priorities. The Director will lead a growing team and collaborate cross-functionally with Security, Procurement, Legal, Privacy, Enterprise Risk, IT, Engineering, Finance, and business owners to identify, assess, quantify, and manage third party risks across cybersecurity, resiliency, financial, operational, contractual, reputational, and AI domains.
This role is critical in establishing clear operating procedures, risk-tiered requirements, meaningful KRIs/KPIs, and board-ready reporting, ensuring third party relationships and AI-enabled vendor services align with the company’s risk appetite, strategic objectives, and obligation to protect member, client, and company data while fostering a culture of accountability and resilience.
What you’ll be doing
- Develop and execute a transformatiomal third-party risk strategy that integrates cybersecurity, privacy, resiliency, financial, operational, contractual, reputational, and AI risks into enterprise goals.
- Design policies, standards, playbooks, and scalable processes to streamline third party intake, risk assessments, issues mananagement, offboarding and continuous monitoring and automated assurance of controls while reducing duplicative or low-value work.
- Incorporate AI and agentic systems and solutions into the TPRM lifecycle, including AI-use disclosure, AI-specific due diligence, data-use restrictions, model or system documentation review, human oversight expectations, output integrity, monitoring, incident response, and residual risk acceptance.
- Partner with the AI Governance Council, Legal, Privacy, Enterprise Risk, Data Governance, Procurement, and business owners to ensure third party-sourced AI capabilities are reviewed, approved, monitored, and governed consistently with enterprise AI policies and standards.
- Establish meaningful KRIs, KPIs, dashboards, and management routines that demonstrate whether the program is buying down third-party risk, including coverage, assessment quality, remediation aging, contract control gaps, external risk posture, AI-enabled vendor coverage, and unresolved risk acceptances.
- Design and maintain tier-based operating procedures that clearly articulate what is required for tiered third party, including required risk assessments, contract safeguards, monitoring cadence, remediation expectations, and escalation triggers.
- Lead third party tiering and re-tiering efforts using objective criteria such as criticality, data sensitivity, regulatory exposure, operational dependency, resiliency impact, replaceability, AI usage, and business materiality.
- Identify and address risks proactively, engaging stakeholders to drive effective remediation efforts.
- Identify and address risks proactively, engaging stakeholders to drive effective remediation efforts and ensuring ownership is assigned across Security, Procurement, Legal, IT, Engineering, Finance, Enterprise Risk, and business teams.
- Prepare strategic updates of third-party and AI-enabled risk updates for executive leadership, auditors, regulators, and the board of directors.
- Support Legal and Procurement as an infosec SME in collboration with security relevant teams for negotiating and approving third-party contracts,
- Collaborate across teams to ensure third-party risk management practices are integrated and aligned
- into procurement, contracting, technology governance, SaaS security, identity governance, business continuity, incident response, audit, and enterprise risk processes.
- Lead creation, execution, and automation of security, privacy, resiliency, and AI-specific assessments for third-party partners.
- Validate third party security controls and AI controls to ensure compliance with organizational policies, standards, regulatory requirements, contractual commitments, and recognized frameworks.
- Track and report remediation progress overdue findings, exception trends, and unresolved residual risks, providing insights and clear accountability to stakeholders.
- Facilitate risk acceptance processes and escalate critical issues, material vendor events, AI-related risks, and control deficiencies to senior leaders as needed.
- Reassess critical third-party security and AI risks periodically, applying lessons learned, external risk signals, material changes, incidents, regulatory updates, and evolving practices.
- Support audit inquiries, regulatory exams, client due diligence, and executive requests by maintaining defensible evidence of program design, control execution, decision records, metrics, and risk treatment.
- Set team goals aligned with organizational priorities, coach team members toward strategic thought leadership, and foster continuous improvement, automation, accountability, and business-oriented risk management.
- Other third party leadership duties as assigned.
What you will need to be successful
Education and Experience:
- Bachelor’s Degree in Computer Science or Engineering, or a related technical field. Technical work experience may be substituted in lieu of educational requirements.
- 12+ years of combined experience in information security.
- Prior supervisory experience.
Specialized Knowledge, Skills, and Abilities:
- Ability to integrate with the existing team and deliver on key objectives.
- Become an integral part of a high performing team and motivate others.
- Builds constructive relationships with diverse groups of people, including internal and external stakeholders.
- Demonstrates excellent communication and listening skills.
- Drives results and champions change.
- Demonstrated ability to transform a third-party risk program from activity-based execution to measurable enterprise risk reduction, including development of operating procedures, governance routines, metrics, and executive-ready reporting.
- Knowledge of AI technologies, governance concepts, and third-party AI risks, including AI-use disclosure, data protection, system documentation, human oversight, agentic workflow controls, monitoring, and incident response.
- Ability to align TPRM practices with enterprise risk management, AI governance, privacy, legal, procurement, SaaS security, business continuity, and technology governance processes.
- Experience in reviewing technical policies and developing standard operating procedures.
- Fosters teamwork and collaboration.
- High level of credibility, a technical background, particularly in security, preferably in environments with similar complexity and regulatory profiles to HealthEquity, spanning financial services, financial technology, and healthcare.
- Operates with a commitment to customer service excellence.
- Strong passion and motivation for security.
Certifications, Licenses, Registrations:
- At least one advanced certification demonstrating enterprise security and risk leadership such as CISM, CISSP, or CRISC, required.
- CTPRP, CTPRA, or HITRUST CCSFP to demonstrate depth in third party and assurance governance, preferred.
- CIPP/US, CIPT, or CDPSE for privacy and data-protection alignment, preferred.
- CGRC or ISO 27001 Lead Implementer/Auditor to support control and compliance maturity, preferred.
- Active involvement in professional organizations such as ISACA, (ISC)², IAPP, or Shared Assessments, preferred.
#LI-Remote
This is a remote position.
Salary Range$151500.00 To $200500.00 / year
Benefits & Perks
The actual compensation offer is determined based on job-related knowledge, education, skills, experience, and work location. This position will be eligible for performance-based incentives and restricted stock units as part of the total compensation package, in addition to a full range of benefits including:
- Medical, dental, and vision
- HSA contribution and match
- Dependent care FSA match
- Uncapped paid time off
- Paid parental leave
- 401(k) match
- Personal and healthcare financial literacy programs
- Ongoing education & tuition assistance
- Gym and fitness reimbursement
- Wellness program incentives
Onboarding & Travel
This is a remote role, with an in-person onboarding training component. New team members must participate in Trailhead, HealthEquity’s immersive onboarding experience Trailhead is designed to foster meaningful connections, support your integration into the organization, and equip you with a strong understanding of our business. Trailhead participation is a key expectation of this role. Trailhead is held onsite at our headquarters once per quarter. HealthEquity covers all required travel and accommodations.
This role may begin with a virtual, self-paced onboarding experience, followed by a mandatory onsite Trailhead session at a later date.