"I can succeed as the Third-Party Security Assurance Lead at Capital Group."
The Third-Party Security Assurance Lead will lead and oversee comprehensive security, technology and Disaster Recovery assessments of our 3rd and 4th party suppliers working closely with our Legal, Technology Risk, and Global Risk Management teams. This role will ensure that all 3rd and 4th party providers are risk ranked and assessed to meet our rigorous security, technology risk management and disaster recovery requirements.
Responsibilities:
Lead the development, implementation, and maintenance of the organization's Third-Party Security Program and Assessments.Conduct technical security assessments of third- and fourth-party systems, networks, business, D/R/Operations resilience, business processes, and applications, identifying information vulnerabilities and risks.Ensure security, D/R, Technology Risk clauses and requirements are included in third-party contracts and SLAs, protecting the organization, and ensuring compliance with security policies and procedures and regulatory requirements.Work with business units and the legal team to define security requirements, standards, and training for third-party contracts.Collaborate across the organization to document and identify all risk mitigation measures associated with third parties, including identifying back-up third parties, strength and/or maturity of the company, and other crucial factors.Independently create and consistently refine summaries, reports, KRI/KPI's and governance documentation associated with the Third-Party Security and Security Assurance Program.Manage the Policies and Procedures related to the Third-Party Information/Technology Risk Management, working closely with Global Risk Management.Monitor changes in the regulatory landscape to ensure program aligns with laws, regulations, and industry best practices (e.g., ISO 27001, MAS, SEC, GDPR, CCPA, etc.).Develop and provide regular reports on the status and effectiveness of the program to senior management and relevant committees.Lead risk remediation efforts when third-party security risks are identified, working in coordination with IT, Legal, and Compliance departments.Develop and deliver third-party security risk training and awareness programs to internal stakeholders in collaboration with the Security Awareness team.Improve third-party security risk management strategies, tools, and methodologies on an ongoing basis.Act as a point of contact for internal and external auditors on 3rd party related audits for Technology, Security, Disaster Recovery related diligence.Establish security, Disaster Recovery, and Technology Risk requirements with our oversight committee to drive reasonable vendors and vendor controls in alignment with our Cyber risk appetite.Perform assessment for Technology Risk and our Offshore Development Centers.Collaborate with various stakeholders, including third party providers, business units, Legal, Compliance, Global Risk Management, and other teams.
"I am the person Capital Group is looking for."
Bachelor's degree in information security, Computer Science, cybersecurity, business administration, finance, or risk management.A minimum of 6 years of experience in third-party security. Prefer experience within the financial services sector, but not required.Strong understanding of technical security principles, IT risk concepts, and familiarity with relevant regulatory requirements.Proficiency with technical security and D/R assessment tools and methodologies.Exceptional communication skills, with the ability to clearly explain complex security issues to non-technical stakeholders; ability to prepare detailed reports.Experience in contract negotiation from a cyber security standpoint.Ability to effectively manage multiple projects and provide leadership in a cross-functional financial services environment.A strong analytical skill set and approach, including the ability to analyze due diligence information collected from the Third Party, analysis from internal and external Subject Matter Experts, and information related to the services and products offered by the Third Party.Strong understanding of technical security and D/R principles, IT risk concepts, and familiarity with relevant 3rd/4th party oversight regulatory requirements.Proficiency with technical security assessment tools and methodologies.Knowledge of data analysis, contract review, data privacy, information security, information technology and Disaster Recovery/Business Continuity Plan principles.Ability to identify and assess potential risks and vulnerabilities and ensure evidence is sufficient when assessing the relevant controls.Strong written and verbal communication skills to prepare detailed reports and effectively communicate with stakeholders.Experience with Shared Assessments evaluations preferred.Proficiency with technical security assessment and monitoring tools and methodologies.Relevant certifications preferred (e.g., Shared Assessments (CTPRA, CTPRP), CISA, CRISC and/or CISSP certification).Strong knowledge of 3rd party oversight or industry security frameworks such as NIST 800-53, NIST CSF, NIST 800-161, CIS 20, Cloud CCM, Shared Assessments.Experience with MAS, FCA, OCC/FFIEC, SEC Vendor security oversight examinations.
Southern California Base Salary Range: $178,448-$285,517
San Antonio Base Salary Range: $146,698-$234,717
New York Base Salary Range: $189,164-$302,662
In addition to a highly competitive base salary, per plan guidelines, restrictions and vesting requirements, you also will be eligible for an individual annual performance bonus, plus Capital's annual profitability bonus plus a retirement plan where Capital contributes 15% of your eligible earnings.
You can learn more about our compensation and benefits here.
We are an equal opportunity employer, which means we comply with all federal, state and local laws that prohibit discrimination when making all decisions about employment. As equal opportunity employers, our policies prohibit unlawful discrimination on the basis of race, religion, color, national origin, ancestry, sex (including gender and gender identity), pregnancy, childbirth and related medical conditions, age, physical or mental disability, medical condition, genetic information, marital status, sexual orientation, citizenship status, AIDS/HIV status, political activities or affiliations, military or veteran status, status as a victim of domestic violence, assault or stalking or any other characteristic protected by federal, state or local law.