Third Party Risk Lead Cyber in City of London

Key Responsibilities

• Lead and continuously improve the organisation's third-party cyber risk assurance process, covering onboarding, risk assessment, due diligence, and ongoing monitoring.
• Develop and maintain a robust vendor criticality assessment model, ensuring assurance activities are aligned to supplier risk level.
• Define and own due diligence requirements for critical and high-risk third parties in alignment with DORA, NIS2, PRA, FCA, and other emerging regulatory obligations.
• Produce dashboards, scorecards, and MI reports that provide senior stakeholders with meaningful insight into the organisation's third-party cyber risk posture.
• Embed third-party security controls into vendor governance processes, working closely with Procurement, Legal, Technology, and Risk.
• Monitor compliance with industry frameworks such as CIS Controls, NIST, GDPR, and sector-specific guidance.
• Support contract reviews and provide expert input on security clauses, ensuring risk-based decisions are supported by strong security requirements.
• Maintain process documentation, templates, and training materials for all third-party security assurance activities.
• Track developments in vendor security, regulatory change, and emerging threats, ensuring the programme remains aligned to best practice.
• Provide data, commentary, and risk metrics for divisional or organisational IT risk reporting.
• Escalate material risks or emerging issues to the Cyber Governance Manager and BISO leadership when required.

Performance Objectives

• Build a comprehensive understanding of the organisation's supplier landscape and existing vendor governance controls, taking full ownership of third-party cyber risk management.
• Identify gaps within current third-party cyber risk processes and deliver a clear roadmap to mature security controls and oversight.
• Demonstrate measurable improvements in third-party cyber assurance, including reduced risk exposure and increased visibility across leadership teams.

Skills and Experience Specification

Essential

• Experience in cyber security, information security, or technology risk roles with a focus on third-party/vendor risk management.
• Bachelor's degree in Information Security, Technology Risk Management, or a related discipline.
• Professional certifications such as CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Lead Auditor, or equivalent.
• Experience working in regulated industries and applying regulatory expectations to third-party assurance programmes.
• Proven experience designing, executing, and improving structured vendor due diligence processes.
• Strong understanding of vendor-held assurance artefacts such as ISO 27001, SOC 2, CSA STAR/CAIQ, and security questionnaires.
• Ability to communicate complex vendor-related cyber risks clearly to both business and technical audiences.
• Skilled in facilitating cross-functional meetings, workshops, and risk discussions with diverse stakeholders.
• Confident presenting information, acting as an SME, and influencing decision-making at all levels.
• Strong analytical, conceptual thinking, and structured execution skills.
• Ability to drive initiatives, coordinate effectively across teams, and manage outcomes to agreed targets.
• Results-driven mindset with a commitment to continuous improvement.
• Strong communication skills with the ability to translate technical issues into actionable business insight.
• Passion for championing good cyber behaviours and staying informed about emerging cyber and vendor-related threats.

Desirable

• Experience with third-party risk management or GRC platforms.
• Ability to develop meaningful MI and dashboards (e.g., using Power BI) and convert data into clear insights and decisions.
• Experience within the specialty insurance, financial services, or wider regulated industries.