Vendor Risk Manager

DFO Referrals

$175K — $260K *
Finance & Insurance
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor's degree in Information Security, Risk Management, Computer Science, Cybersecurity, or a related discipline.
  • 7+ years of experience in vendor risk management, cybersecurity architecture, security engineering, or related fields.
  • Experience managing the full third-party risk lifecycle with at least 2 years overseeing an end-to-end TPRM program.
  • Strong knowledge of cybersecurity frameworks including NIST, ISO 27001/27002, OWASP, and MITRE ATT&CK.
  • Hands-on experience with evaluating security controls and assessing third-party risks across complex environments.
  • Ability to convey complex technical concepts to executive stakeholders.

Responsibilities

  • Own the VRM program's strategy, policy, procedures, and executive reporting.
  • Lead comprehensive vendor risk assessments across various domains including cybersecurity and financial.
  • Document residual risks and coordinate with IT, Legal, and Compliance for accountability.
  • Evaluate vendor security controls based on operational importance and industry frameworks.
  • Conduct structured threat models for high-risk vendors and document findings as artifacts.
  • Translate threat model outputs into actionable control requirements based on established security frameworks.
  • Advise on vendor integration architecture and maintain approved reference patterns.

Benefits

  • 100% company-paid medical premiums.
  • Generous PTO offering and 17 paid holidays.
  • Flexible hybrid work environment with summer hours.
  • Free catered food services for in-office days.
  • Casual dress code and monthly community happy hours.
  • 150% 401(k) match up to $7,500, and 100% match thereafter.
  • Additional perks like gym reimbursement and backup childcare services.
Full Job Description
Vendor Risk Manager

Dalio Family Office

Position Summary:

The Vendor Risk Manager owns the end-to-end third-party risk lifecycle, onboarding, diligence, monitoring, and exit across a high-volume, diverse vendor portfolio. You will synthesize risk across cybersecurity, AI, privacy, financial, and AML/CFT/sanctions domains into clear, actionable risk positions, performing structured threat modeling for high-exposure vendors.

Day-to-day responsibilities would include a combination of the following:
  • Own the VRM program end-to-end: strategy, policy, procedure, workflow, tooling, metrics, and executive reporting for CISO/CRO/board visibility.
  • Lead holistic vendor risk assessments across cybersecurity, AI risk, privacy, financial, AML/CFT/sanctions.
  • Document residual risk acceptances with named accountable executives and time-boxed review dates; coordinate with IT, Legal, Finance, and Compliance as appropriate.
  • Evaluate and monitor vendor security controls based on data sensitivity and business criticality, leveraging industry frameworks and evidence such as SOC 2, ISO 27001, penetration testing, and security assessments.
  • Conduct structured threat models (STRIDE, PASTA) for high-risk vendors, and document findings as durable artifacts informing contracting, monitoring, and exit planning.
  • Translate threat model outputs into concrete, testable control requirements drawing from OWASP (ASVS, API Security Top 10, LLM/Agentic Top 10), NIST (SP 800-53, SP 800-161, CSF 2.0, SP 800-207), and MITRE ATT&CK; scale requirements to vendor tier.
  • Partner with Legal to translate identified risks into enforceable contractual requirements.
  • Apply FAIR or comparable quantitative methods for high-impact vendor decisions, expressing cyber risk in loss-exposure terms that resonate with senior leadership.
  • Advise IT, Engineering and business teams on vendor integration architecture (SSO/SCIM, OAuth, conditional access, DLP, segmentation, BYOK, VPC peering) and maintain approved reference patterns.
  • Drive automation and tooling maturity to handle high vendor volume without proportional headcount growth; produce program dashboards tracking throughput, cycle time, recertification compliance, and remediation aging.

The ideal candidate will possess the following knowledge, skills, attributes, and values:
  • Expert knowledge of third-party/vendor risk management
  • Strong risk assessment and analytical skills
  • Technical understanding of enterprise security architecture
  • Excellent communication and stakeholder management skills
  • Proven ability to lead and optimize vendor risk programs
Illustrative Benefits:
  • 100% company paid medical premiums
  • 17 company paid holidays
  • Friday summer hours
  • Monthly community happy hours
  • Hybrid work environment
  • Free catered food services for in-office days
  • Generous PTO offering
  • Casual dress code
  • 150% 401(k) match up to $7,500 and 100% match above $7,500 ($15k match limit)
  • Gym reimbursement, backup childcare services, insurance, financial, and legal services, and much more!

Qualifications:
  • Bachelor's degree in Information Security, Risk Management, Computer Science, Cybersecurity, or a related discipline.
  • At least 7 years of progressive experience across vendor risk management, cybersecurity architecture, security engineering, GRC, audit, or related fields.
  • Experience managing the full third-party/vendor risk lifecycle, including vendor onboarding, due diligence, risk assessments, continuous monitoring, recertification, remediation tracking, and vendor exit planning, with at least 2 years owning an end-to-end TPRM program.
  • Strong technical knowledge of cybersecurity frameworks, standards, and methodologies including NIST, ISO 27001/27002, OWASP, MITRE ATT&CK, Shared Assessments, threat modeling approaches (STRIDE/PASTA), and risk management practices.
  • Hands-on experience evaluating enterprise security controls, cloud and integration architectures, SOC 2 Type II reports, ISO certifications, penetration testing results, data protection requirements, and third-party security risks across complex technology environments.
  • Ability to communicate complex technical and risk concepts to executive stakeholders and to collaborate effectively across business functions.
  • 10% travel as required based on business needs.

Compensation:

Compensation for the role includes a competitive salary in the range from $175,000 - $260,000 (inclusive of a merit-based bonus, dependent on years of experience, level of education obtained, as well as applicable skillset) and an excellent benefits package, including paid time off ranging from 15 to 25 days based on years of service, paid sick and safe leave, dental, vision, life and disability insurance, paid parental time off, birth mother recovery pay, sick family member pay, parental ramp back up program, gym reimbursement and generous employer match for 401k.

Please note we are unable to provide immigration sponsorship for this position.
