Sierra Club

Vendor Security Manager

Sierra Club$130K — $180K *
Information Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • 10+ years in information security with focus on vendor security, third-party risk, or GRC in regulated sectors.
  • Strong technical knowledge in AWS, GCP, IAM, encryption, and cloud security architecture.
  • In-depth understanding of ISO 27001, NIST 800-53, SOC 2, and FedRAMP requirements for vendor oversight.
  • Experience in automation, integration, or detection logic relevant to vendor security risk.
  • Curiosity about AI security and model supply chains with the ability to learn continuously.
  • Exceptional communication skills for interpreting risk to diverse audiences effectively.
  • Comfortable navigating ambiguity and evolving regulatory landscapes.

Responsibilities

  • Act as the point of contact for all vendor security-related matters within Sierra.
  • Lead vendor security risk assessments and make risk decisions with clear documentation.
  • Develop and enhance the vendor security program's methodology and monitoring tools.
  • Evaluate and manage security risks across the entire third-party vendor landscape.
  • Conduct in-depth technical assessments of various vendor architectures and configurations.
  • Implement monitoring strategies for Sierra’s supply chain, including fourth-party assessments.
  • Build automated systems for detecting vendor security posture changes and streamline evidence collection.

Benefits

  • Unlimited paid time off for work-life balance.
  • Comprehensive medical, dental, and vision insurance for employees and families.
  • Life insurance and disability coverage for security and peace of mind.
  • Retirement plan options based on employment location.
  • Generous parental leave policies.
  • Fertility and family building assistance through specialized programs.
  • Complimentary lunches and snacks for a supportive work environment.
  • Flexible discretionary stipend for personal needs.
  • Unique offer of free alphorn lessons to foster community.
Full Job Description
The Role

We're looking for a Vendor Security Manager to join Sierra's Security team. The security of our Conversational AI Platform depends on the security of everything connected to it, the vendors, model providers, infrastructure partners, and supply chain dependencies that enable how Sierra operates and scales.

You'll build and scale Sierra's vendor security program from the ground up, conducting deep technical assessments, developing frameworks purpose-built for AI vendor risk, and driving security decisions across all of Sierra's third-party security relationships. This is a hands-on role that requires both technical depth and strong judgment. You'll help Sierra make informed trade-offs between speed, scale, and security in a business that moves fast and operates in regulated industries.

We value people who are energized by uncertainty and who can form a credible point of view even with incomplete information and can get more rigorous as the situation sharpens.

What You'll Do

Program Ownership & Security Risk Management

Be the interface between Security and Sierra teams on everything vendor security related, drive risk conversations, and keep the program moving.

Own vendor security risk decisions and escalation paths end-to-end, including clear documentation of risk acceptance rationale, mitigation plans, and trade-offs.

Build and continuously improve the vendor security program methodology, tooling, risk tiering, monitoring, and response, scaling it intelligently as Sierra's vendor footprint grows.

Assess and manage security risk across Sierra's full third-party landscape, recognizing that vendors, strategic partners, and contractors carry distinct risk profiles and require tailored oversight. A technology partner with deep API integration is a different security conversation than a SaaS tool or a contractor with scoped environment access - the program you build should reflect that.

Ensure the program meets audit and regulatory expectations across SOC 2, PCI DSS, FedRAMP, ISO 42001, ISO 27001, and emerging AI governance frameworks that hold up under enterprise customer and regulator scrutiny.

Technical Assessment & Supply Chain

Conduct deep, evidence-based security assessments across Sierra's vendor landscape SaaS providers, cloud and infrastructure partners, AI and model providers, and strategic suppliers including reviewing architectures, IAM configurations, access scopes, and vulnerability assessments.

Develop assessment frameworks for AI and model vendors that address risks specific to how these systems actually work including prompt data handling, training data practices, inference infrastructure access, and model supply chain integrity.

Develop and maintain a model provider oversight program that reflects Sierra's reality of working across a constellation of LLM and AI model vendors. That means understanding each provider's data handling commitments, inference infrastructure security, model update and versioning practices, and what contractual and technical controls govern how Sierra's data moves through each. When a model provider changes terms, updates a model, or discloses a security issue, you're the person who understands what it means for Sierra and what to do about it.

Map and monitor Sierra's full supply chain surface, including fourth parties and subprocessors, with visibility into software dependencies, open source components, and AI model provenance.

Think in blast radius. Understand what's reachable if they're compromised data flows, network adjacency, privilege scope, lateral movement paths and let that analysis drive technical controls and contractual requirements.

Automation & Visibility

Build detection logic and automated alerting that fires when a vendor's security posture degrades lapsed certifications, exposed services, configuration drift, or new vulnerability disclosures so Sierra's response is proactive.

Automate evidence collection and control validation across the vendor portfolio, reducing the manual overhead of assessment cycles and creating an audit trail that holds up under scrutiny.

Build integrations between vendor security tooling and Sierra's internal systems, procurement workflows and Slack alerting so risk signals reach the right people quickly and efficiently.

Use AI and tooling to analyze vendor documentation at scale and surface risk signals early and continuously. Develop dashboards and reporting that give leadership real visibility into vendor risk posture, remediation velocity, assessment coverage, and aging findings.

Who You'll Work With

You'll work with Platform Engineering, Security Engineering, Legal, Operations and Finance teams to understand IAM boundaries, model provider's API access and infrastructure scaling.

You'll partner on understanding what vendors actually have access to, how third-party components sit inside Sierra's architecture, and how supply chain security gets built into how Sierra ships.

What You'll Bring
  • 10 or more years in information security with real depth in vendor security, third-party risk, or GRC in a regulated environment financial services, healthcare, government, or enterprise SaaS. You've made consequential risk decisions under pressure and know what it means to be accountable for them.
  • Technical fluency in cloud security, AWS and GCP IAM, VPC architecture, encryption, logging and monitoring, shared responsibility models at a level where you can assess what a vendor's architecture actually means for Sierra's exposure, not just whether their controls list maps to a framework.
  • Deep working knowledge of ISO 27001, NIST 800-53, SOC 2, PCI DSS, and FedRAMP as they apply to third-party oversight. You understand what auditors are actually looking for and build programs that hold up because they're rigorous, not just well-documented.
  • Experience building automations, integrations, or detection logic whether through GRC tooling, APIs, or scripting that reduce manual work and surface risk signals faster. You think about scale from the start.
  • Genuine curiosity about AI security model supply chains, prompt data handling, adversarial ML, and the governance frameworks being built around AI systems. You don't need to have all the answers, but this space should excite you.
  • The ability to communicate complex risk clearly to engineers, and auditors without losing precision or confidence. Your assessments and risk decisions need to be technically sound and immediately legible to people with very different backgrounds.
  • Comfort operating in ambiguity and fast-moving environments where the challenges are new, the regulatory frameworks are still forming, and learning on the job is part of the work.


Even Better
  • You've built a vendor security program from scratch and know what you'd do differently.
  • You have experience with AI or ML vendors and a developing point of view on what good looks like.
  • You're familiar with software supply chain security, SBOM and dependency integrity.
  • You've built or led implementation of GRC, TPRM, supply chain security tooling.
  • You hold a CISSP, CISA or have led ISO 27001, PCI DSS or other compliance programs in the past.

What we offer

We want our benefits to reflect our values and offer the following to full-time employees:
  • Flexible (unlimited) paid time off
  • Medical, dental, and vision benefits for you and your family
  • Life insurance and disability benefits
  • Retirement plan dependent on country of employment
  • Parental leave
  • Fertility and family building benefits through Carrot
  • Lunch, as well as delicious snacks and coffee to keep you energized
  • Discretionary benefit stipend giving people the ability to spend where it matters most
  • Free alphorn lessons

These benefits are further detailed in Sierra's policies, may vary by region, and are subject to change at any time, consistent with the terms of any applicable compensation or benefits plans. Eligible full-time employees can participate in Sierra's equity plans subject to the terms of the applicable plans and policies.

About Sierra Club

The Sierra Club is a nonprofit organization that promotes environmental conservation. It was founded in 1892 by John Muir and is one of the oldest and largest environmental organizations in the United States. The organization has over 3.8 million members and supporters and is dedicated to protecting the planet's natural resources and wildlife. The Sierra Club engages in a variety of activities, including lobbying for environmental legislation, organizing outdoor activities, and publishing a magazine. The organization is headquartered in Oakland, California.
Learn more about Sierra Club
Size
800 employees
Industry
Founded
1892

Similar Jobs

More Jobs at Sierra Club

More Information Technology Jobs

Find similar Vendor Security Manager jobs: