"Alerted.org

    Principal Cybersecurity 3rd Party Risk Management (C)

    Job ID: 11707

    Business Unit: MTA Headquarters

    Regular/Temporary: Regular

    Department: IT CISO

    Date Posted: May 16, 2025

    Description

    JOB TITLE: Principal Cybersecurity 3rd Party Risk Management (C)

    SALARY RANGE: $156,476 - $184,692

    HAY POINTS: 775

    DEPT/DIV: Information Technology / Cybersecurity

    SUPERVISOR: Cybersecurity Officer - Manager

    HOURS OF WORK: 9:00 am - 5:30 pm (7.5 hours/day) or as required

    This position is eligible for telework, which is currently two days per week. New hires are eligible to apply 30 days after their effective date of hire.

     

    The Metropolitan Transportation Authority is North America's largest transportation network, serving a population of 15.3 million people across a 5,000-square-mile travel area surrounding New York City, Long Island, southeastern New York State, and Connecticut. The MTA network comprises the nation’s largest bus fleet and more subway and commuter rail cars than all other U.S. transit systems combined. MTA strives to provide a safe and reliable commute, excellent customer service, and rewarding opportunities.

     

    About Us

    Summary:

    The role will manage vendor risks and assessments to anticipate, identify, monitor and mitigate risks associated with third-party providers of goods or services. In addition, this role is tasked with compiling data and completing documentation related to vendor risk, as well as ensuring that the issues that arise are appropriately captured, assessed and mitigated to acceptable levels.

     

    This role must ensure that the organization’s vendor ecosystem is properly evaluated, assessed and managed to minimize risk exposure and risk impacts to the business.

    Responsibilities:

    + Assessing the information security posture of third parties (service providers, business partners, and Third-Party Administrators (TPAs)) and coordinating the overall execution and delivery of assessments and related remediation of any findings

    + Identifying and tracking continuous monitoring activities to ensure the risks associated with individual third parties have not changed or exceeded risk tolerance thresholds, and where they have exceeded approved thresholds, agreeing remediation plans with the counterparty

    + Participate in cross-functional teams to promote information security policies and best practices and address third-party security compliance issues

    + Develop and implement cybersecurity policies and procedures to protect information assets

    + Conduct cybersecurity risk assessments of third-party vendors and suppliers using industry-standard frameworks, such as NIST, ISO, and CSA

    + Develop and maintain a comprehensive inventory of third-party vendors and suppliers, and track their cybersecurity risk profiles

    + Collaborate with procurement and legal teams to ensure that third-party contracts include appropriate cybersecurity requirements and provisions

    + Coordinate, plan and execute risk-based security assessments of third parties to ensure ongoing compliance with regulations, legislation, contractual obligations, company policies, and internal controls

    + Monitor third-party vendors and suppliers for changes in their cybersecurity risk profiles and report any concerns to management

    + Provide guidance and recommendations to internal teams on best practices for managing third-party cybersecurity risks

    + Keep abreast of the latest security, privacy, and regulatory concerns and best practices impacting third party risk management

    + Continuously monitor information security and privacy regulation changes, and design and implement process improvements to ensure organizational adaptation to those changes and compliance

    + Perform IT Security assurance/compliance reviews as appropriate

    + Identify enhancements and process efficiencies to keep the assessment program in line with best practices

    + May mentor less experienced staff

    + Performs other duties and tasks as assigned

    + May need to work outside of normal work hours (i.e., evenings and weekends)

    + Travel may be required to other MTA locations or other external sites

    + Observing the work performed by the contractor

    + Reviews invoices and approves them if the work met contractual standards

    + Addressing performance issues with the contractor when possible

    + Escalating issues to other parties as needed.

    Qualifications:

    + Education: Bachelor’s Degree

    + Experience: At least 10 years of relevant experience. An equivalent combination of education and experience may be considered in lieu of a degree.

    + Certification(s): Must possess at least two of the following professional certifications in the subject domain, including but not limited to:

     

    Relevant Certifications

    + Certification in Risk Management Assurance (CRMA)

    + ISC2 Certified in Cybersecurity

    + Certified Information Systems Auditor (CISA)

    + Global Information Assurance Certification (GIAC)

    + Certified Third-Party Risk Professional (CTPRP)

    + Certified Compliance & Ethics Professional (CCEP)

    + Certified Information Systems Security Professional (CISSP)

    + Certified in Risk and Information Systems Control (CRISC)

    + Certified Information Privacy Professional (CIPP)

    + Certified Information Security Manager (CISM)


    + ISO 27001 Lead Auditor

    + Certified Secure Software Lifecycle Professional (CSSLP)

    + Offensive Security Certified Professional (OSCP)

    + CompTIA Security+ Certification

    + Cybersecurity Nexus (CSX) Practitioner

    + GIAC Certified Incident Handler (GCIH)

    + GIAC Security Essentials (GSEC)

    + ISC2 Certified Governance, Risk and Compliance (CGRC)

    Technical Skills:

    + Expert/Highly Proficient: experience with implementing and maturing cyber frameworks, the MITRE ATT&CK framework, etc.

    + Strong background and understanding of all cybersecurity domains.

    + Expert/Highly Proficient: experience in IT risk management or audit

    + Expert/Highly Proficient: experience working with third-party risk and vendor management

    + One or more of the following certifications are highly desired: CRISC, CISA, CISSP, or other related certification(s)

    + Comprehensive understanding of cybersecurity principles, frameworks, and regulations (e.g., ITIL, NIST, MITRE, COBIT, COSO, HITRUST, SOC reports, CSF, ISO, GDPR, PCI)

    + Extensive hands-on experience with GRC tools.

    + Solid working knowledge of IT security and infrastructure.

    + Ability to develop a rapport with all employees to cultivate an environment conducive to reporting possible policy violations/risks. Ability to competently follow through on investigating such potential violations.

    + Proven ability to assess third party risk programs, evaluate organizational needs and implement required changes

    + Ability to work independently and strategically

    + Demonstrated expertise in identifying and analyzing risks and developing effective mitigation strategies.

    + Strong technical knowledge and diverse skillset to understand various technologies, systems, and potential risks.

    + Excellent critical thinking, problem-solving, and decision-making skills.

    + Strong interpersonal and communication skills, with the ability to effectively collaborate with both technical and non-technical peers.

    + Proven ability to manage multiple projects simultaneously and prioritize tasks based on urgency and impact.

    + Supply Chain Risk Management standards, processes, and practices (NIST SP 800-161).

    + Risk Management Framework (RMF) requirements

    + Risk management processes (e.g., methods for assessing and mitigating risk).

    + Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.

    Soft Skills:

    + Active Listening, Attention to Detail, Customer Service

    + Prioritization, Problem Solving, Effective Verbal and Written Communication

    Competencies:

    Core Competency (Proficiency Level): Competency Definition

    + Collaborates (Expert): Building partnerships and working collaboratively with others to meet shared objectives

    + Cultivates Innovation (Advanced): Creating new and better ways for the organization to be successful

    + Customer Focus (Advanced): Building strong customer relationships and delivering customer-centric solutions

    + Communicates Effectively (Expert): Developing and delivering multi-mode communications that convey a clear understanding of the unique needs of different audiences

    + Tech Savvy (Expert): Anticipating and adopting innovations in business-building digital and technology applications

    + Technical Skills (Expert): Specialized knowledge and expertise on tools, programs, domains, platforms, and products used for specific tasks

    + Values Diversity (Expert): Recognizing the value that different perspectives and cultures bring to an organization

    Desired, but not required:

    + MBA or other advanced degree

    OTHER INFORMATION:

    Pursuant to the New York State Public Officers Law & the MTA Code of Ethics, all employees who hold a policymaking position must file an Annual Statement of Financial Disclosure (FDS) with the NYS Commission on Ethics and Lobbying in Government (the “Commission”).

     

    Equal Employment Opportunity

     

    MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.

     

    The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.

     


© 2025 Alerted.org