Manager, Third Party Security Risk

Company Description

Who We Are

The Security Governance, Risk & Compliance (GRC) team works across Twitter to build risk governance organizational structures, methodologies, and processes that are commensurate with industry best practice but tailored to Twitter’s particular risk sensitivities. Security GRC capabilities allow Twitter to manage security risk and control programs that enable us to achieve company goals and to protect our customers and data in a responsible and proactive manner. We work with internal and external stakeholders - including Information Security, IT, Engineering, Product, Strategy & Operations, Internal Audit, Legal, Privacy, Procurement, etc. - to build and operate sustainable and cohesive programs.

The Position

What You’ll Do

We are continuing to mature our security program and to ensure that processes across GRC are effective, sustainable, and scalable for managing security and compliance risks for the company. This role reports to the Head of Security GRC and is responsible for leading the Third Party Security Risk Management program and team, including hands-on execution of processes. You will have oversight of and accountability for security risk assessments of third party products and services, program strategy, security engagement with Twitter’s external partners and customers, maturing and optimizing third party processes, managing related project work, and building strong relationships across the business and with our stakeholders.

As the Manager, Third Party Security Risk, you will:

  • Manage day-to-day oversight and operations of the Third Party Security Risk Management team including resource management

  • Execute security risk assessments for third party products and services (hands-on operations) with the team and regularly engage with the business and vendors/suppliers

  • Identify opportunities to reduce risk and associated remediation options (e.g., acceptance or mitigation) during reviews

  • Drive risk informed discussions and complex decisions with the business regarding supplier/vendor adherence to security requirements at Twitter

  • Mature the company’s third party security practices including risk assessments, monitoring, risk remediation, reporting, and tooling capabilities

  • Lead and prioritize third party related initiatives, including alignment to overall Security GRC and Information Security priorities and strategies

  • Drive strategy development for the Third Party Security Risk Management program

  • Develop and manage processes for customer security engagements (inbound security review requests, etc.)

  • Assist with the implementation and operation of Governance, Risk and Compliance (GRC) tooling to further improve and automate risk and control management processes

  • Design security risk metrics & reporting for management

  • Build and maintain strong relationships with key business partners and stakeholders for the program including working with cross functional teams collaboratively

  • Evangelize security risk & compliance to other teams and organizations 

  • Keep up with relevant regulation, emerging threats, forecasts, policies and best practices, and maintain a mindset of constant innovation to consider possibilities in advancing our third party risk capabilities


Who You Are 

  • A domain expert in third party security risk management practices with demonstrated industry experience 

  • An inspiring and resourceful leader who is able to effectively prioritize multiple projects simultaneously and drive successful delivery and outcomes

  • A forward-thinking innovator able to identify, conceptualize and implement maturity improvements

  • Experienced in tackling complex problems from initial proposal to implementation, with proven success in building influence and driving consensus across multiple stakeholders

  • Proficient at designing and delivering key risk metrics and reports to varying audiences across the management chain 

  • Adept at communicating risks and issues clearly and concisely to both technical and non-technical audiences

  • Able to work efficiently with minimal oversight/direction, exercising good judgment on matters requiring attention and escalation

  • Have technical security knowledge of common risks, vulnerabilities, and threats, and solid experience shepherding these issues through risk analysis, treatment and mitigation processes

  • Willing to advocate for the security of Twitter users and communicate why security decisions are important to other internal teams

  • Have great people skills and be able to flourish under pressure and ambiguity in a fast-paced team environment


  • Bachelor’s degree in Information Security, Computer Science, Management Information Systems or a related field preferred

  • Minimum of 6 years of related work experience managing teams and building or operating third party security risk programs to mitigate risks around security, confidentiality, integrity, availability, and privacy. This includes demonstrated success leading third party security / operational risk management areas at large, complex organizations with a mature risk oversight function, with direct experience in:

    • Identifying, classifying and carrying out third party risk assessments in fast paced, high volume environments

    • Building / improving techniques around executing risk assessments (e.g., methodology, rubrics)

    • Operating intake / triage processes for third party reviews

    • Reporting (scorecards / dashboards) to enable transparency to management

    • Risk trends and root cause analysis

  • Prior experience in Information Security, Governance, Risk or Compliance, or relevant Audit / Assessment functions preferred

  • Ability to influence and build strong partnerships at all levels (management and stakeholders)

  • Familiar with common audit and risk management methodologies

  • Knowledge of relevant information security frameworks, including related regulatory compliance requirements, such as ISO 27001/2, CIS Top 20, SOC 2 Trust Services Criteria, PCI DSS, GDPR, NIST CSF / 800-53

  • Knowledge of audit and risk management methodologies and related requirements, such as SOX, COBIT, NIST RMF / 800-37 / 800-30, FAIR

  • A driven leader, critical thinker, passionate, ambitious, and detail oriented

  • Able to discuss issues at technical and business levels with audiences of various backgrounds

  • Relevant professional certifications in Information Security or Risk Management (e.g., CISA, CISM, CRISC, CGEIT, CSX-P, CISSP, CCSK)

Additional Information

All your information will be kept confidential according to EEO guidelines.

The applicable salary range for each U.S.-based role is based on where the employee works and is aligned to one of 4 tiers according to a cost of labor index in that geographic area. Starting pay for the successful applicant will depend on a variety of job-related factors, which may include education, training, experience, location, business needs, or market demands. The expected salary ranges for this role, are set forth below. These ranges may be modified in the future.

  • Tier A: USD $162,000 - USD $226,000
  • Tier B: USD $154,000 - USD $216,000
  • Tier C: USD $146,000 - USD $204,000
  • Tier D: USD $138,000 - USD $193,000

You can view which tier applies to where you plan to work here; the list is updated for any future jurisdiction that requires publication of the salary range on the job posting. If your location is not listed, please speak with your recruiter for additional information.

This job is also eligible for participation in Twitter’s Performance Bonus Plan and Equity Incentive Plan subject to the terms of the applicable plans and policies.

Twitter offers a wide range of benefits to U.S.-based employees, including medical, dental, and vision insurance, 401(k) program with employer match, generous time off for vacation, sick time, and parental leave. Twitter’s benefits prioritize employee wellness and progressive support to our diverse workforce.


San Francisco, Remote US, New York City, Seattle