Third Party Risk Assessor
About the position
The Third Party Risk Assessor will lead and execute cyber security risk assessments of BMO's global suppliers, ensuring compliance with established risk management processes. This role involves evaluating cyber security controls, identifying risks, and making recommendations to enhance the organization's risk posture. The position requires collaboration with various stakeholders and a strong understanding of the threat landscape.
Responsibilities
• Coordinate with key Global Third Party Risk Management stakeholders to initiate, scope and plan cyber security risk controls assessments of new and existing high risk suppliers.
• Make meaningful risk mitigating recommendations to directly improve the third party risk posture of BMO.
• Serve as a third party risk assessor, performing risk assessments by evaluating third party attestations, performing control design review, and control implementation validation.
• Complete assessments using established procedures and standards, industry frameworks, and best practices.
• Leverage OSINT, consortiums, and other independent reviews during the assessment process.
• Multitask and project manage multiple assessment deadlines by coordinating execution with both the external suppliers and internal business partners.
• Escalate issues, understand project trends, and anticipate potential blockers.
• Foster relationships with internal and external stakeholders.
• Collaborate internally with security experts to understand requirements and standards.
• Understand the threat landscape and evaluate supplier control environments to measure the rigor of cyber security controls.
• Engage and influence stakeholders to discuss and risk treat identified gaps.
• Be a champion for security and model behaviors consistent with cybersecurity best practices.
Requirements
• Bachelor's degree in technology, information/cyber security, related major, or equivalent work experience
• 4 or more years experience with cybersecurity, third party risk management, IT Risk and Compliance (GRC), IT Audit, Information Security or Assurance
• Strong audit/technical evaluation experience with various types of systems and networks and cloud technology
• Experience with conducting cybersecurity assessments using common industry frameworks, including NIST Cyber Security Framework (CSF), NIST 800-53, ISO 27001 and 27002, Payment Card Industry (PCI) Data Security Standard (DSS), CIS Top 18/20, or OWASP
• Industry certifications such as CISA, CISM, CRISC, CISSP, CTPRP, or related is highly preferred
• Demonstrated in-depth knowledge of concepts, best practices and controls in a breadth of information security areas/domains
• Self-driven performer with established skills in tracking self and project performance
• Strong ability to interact and communicate both written and verbally with people at all levels
• Strong risk analysis and problem solving skills
• Must be flexible to ensure assessments are performed by the mandated compliance date
• Experience debating issues with senior decision makers and pushing back when necessary
• Strong written and verbal skills
Nice-to-haves
• Experience with cloud security
• Knowledge of incident management processes
Benefits
• Medical, dental & vision
• Critical Illness, Accident, and Hospital
• 401(k) Retirement Plan - Pre-tax and Roth post-tax contributions available
• Life Insurance (Voluntary Life & AD&D for the employee and dependents)
• Short and long-term disability
• Health Spending Account (HSA)
• Transportation benefits
• Employee Assistance Program
• Time Off/Leave (PTO, Vacation or Sick Leave)
Apply tot his job
Apply To this Job