Important: If you applied for a position before March 24, 2023, please check the status of your application here. MTA employees, click here to check your job application status.

Join our Talent Network
Skip to main content
Back to job search

Principal Cybersecurity 3rd Party Risk Management

Job ID: 5849
Business Unit: MTA Headquarters
Location: New York, NY, United States
Regular/Temporary: Regular
Department: IT CISO
Date Posted: Feb 9, 2024


JOB TITLE:                                Principal Cybersecurity 3rd Party Risk Management
SALARY RANGE:                     $151,918 - $179,313
HAY POINTS:                            775
DEPT/DIV:                                 Information Technology / Cybersecurity
SUPERVISOR:                           Cybersecurity Officer- Manager, Supply Chain & Compliance
LOCATION:                               Various/ 2 Broadway New York, NY 10004
HOURS OF WORK:                  9:00 am - 5:30 pm

This position is eligible for telework which is currently two day per week. New hires are eligible to apply 30 days after their effective date of hire.   


The role will manage vendor risks and assessments to anticipate, identify, monitor and mitigate risks associated with third-party providers of goods or services. In addition, this role is tasked with compiling data and completing documentation related to vendor risk, as well as ensuring that the issues that arise are appropriately captured, assessed and mitigated to acceptable levels. 
This role must ensure that the organization’s vendor ecosystem is properly evaluated, assessed and managed to minimize risk exposure and risk impacts to the business.   


    • Assessing the information security posture of third parties (service providers, business partners, and Third-Party Administrators (TPAs)) and coordinating the overall execution and delivery of assessments and related remediation of any findings
    • Identifying and tracking continuous monitoring activities to ensure the risks associated with individual third parties have not changed or exceeded risk tolerance thresholds, and where it has exceeded approved thresholds, agree remediation plans with the counterparty
    • Participate in cross-functional teams to promote information security polices and best practices and address third-party security compliance issues
    • Develop and implement cybersecurity policies and procedures to protect information assets
    • Conduct cybersecurity risk assessments of third-party vendors and suppliers using industry-standard frameworks, such as NIST, ISO, and CSA
    • Develop and maintain a comprehensive inventory of third-party vendors and suppliers, and track their cybersecurity risk profiles
    • Collaborate with procurement and legal teams to ensure that third-party contracts include appropriate cybersecurity requirements and provisions
    • Coordinate, plan and execute risk-based security assessments of third parties to ensure ongoing compliance with regulations, legislation, contractual obligations, company policies, and internal controls
    • Monitor third-party vendors and suppliers for changes in their cybersecurity risk profiles and report any concerns to management
    • Provide guidance and recommendations to internal teams on best practices for managing third-party cybersecurity risks
    • Keep abreast of the latest security, privacy, and regulatory concerns and best practices impacting third party risk management
    • Continuously monitor information security and privacy regulation changes, Design and implement process improvements to ensure organizational adaptation of those changes and compliance
    • Perform IT Security assurance/compliance reviews as appropriate
    • Identify enhancements and process efficiencies to keep assessment program in line best practices
    • May mentor less experienced staff
    • Performs other duties and tasks
    • May need to work outside of normal work hours (i.e., evenings and weekends)
    • Travel may be required to other MTA locations or other external sites
    Education and Experience:   
    • Education: Bachelor’s Degree
    • Experience: At least 10 years of relevant experience. An equivalent combination of education and experience may be considered in lieu of a degree.
    • Must possess at least two of the following professional certifications in subject domain including but not limited to: Certified Information Security Professional (CISSP), or Global Information Assurance Certification (GIAC), or Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC), or Certified Information Systems Auditor (CISA), or other related certification(s)
    Technical Skills:   
    • Expert/Highly Proficient, experience with implementation and maturing of Cyber frameworks, MITRE ATTACK Framework, etc.
    • Strong background and understanding of all cybersecurity domains.
    • Expert/Highly Proficient, experience in IT risk management or audit
    • Expert/Highly Proficient, Experience working with third party risk and vendor management
    • Comprehensive understanding of cybersecurity principles, frameworks, and regulations (e.g., ITIL, NIST, MITRE, COBIT, COSO, HITRUST, SOC reports, CSF, ISO, GDPR, PCI)
    • Extensive hands-on experience with GRC tools.
    • Solid working knowledge of IT security and infrastructure.
    • Ability to develop a rapport with all employees to cultivate an environment conducive to reporting possible policy violations/risks. Ability to competently follow through on investigating such potential violations.
    • Proven ability to assess third party risk programs, evaluate organizational needs and implement required changes
    • Ability to work independently and strategically
    • Demonstrated expertise in identifying and analyzing risks and developing effective mitigation strategies.
    • Strong technical knowledge and diverse skillset to understand various technologies, systems, and potential risks.
    • Excellent critical thinking, problem-solving, and decision-making skills.
    • Strong interpersonal and communication skills, with the ability to effectively collaborate with both technical and non-technical peers.
    • Proven ability to manage multiple projects simultaneously and prioritize tasks based on urgency and impact.
    • Supply Chain Risk Management standards, processes, and practices (NIST SP 800-161).
    • Risk Management Framework (RMF) requirements
    • Risk management processes (e.g., methods for assessing and mitigating risk).
    • Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
    Soft Skills:   
    Active Listening, Attention to Detail, Customer Service,Prioritization, Problem Solving, Effective Verbal and Written Communication   
    • Collaborates: Building partnerships and working collaboratively with others to meet shared objectives
    • Cultivates Innovation: Creating new and better ways for the organization to be successful.
    • Customer Focus: Building strong customer relationships and delivering customer-centric solutions.
    • Communicates Effectively: Developing and delivering multi-mode communications that convey a clear understanding of the unique needs of different audiences.
    Desired, but not required:   
    • MBA or other advanced degree
    • Certification in Risk Management Assurance (CRMA)
    • Certified Information Systems Auditor (CISA)

    Other Information:   

    Pursuant to the New York State Public Officers Law & the MTA Code of Ethics, all employees who hold a policymaking position must file an Annual Statement of Financial Disclosure (FDS) with the NYS Commission on Ethics and Lobbying in Government (the “Commission”).   

    Equal Employment Opportunity    

    MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.   

    The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.   


    Save Job Saved
    Similar Jobs