
Senior Vendor Security Risk Management Analyst

Johnston, Rhode Island, United States. Posted 2 days ago.
Full-time, on-site

Job Description

Established nearly two centuries ago, FM is a leading mutual insurance company whose capital, scientific research capability and engineering expertise are solely dedicated to property risk management and the resilience of its policyholder-owners. These owners, who share the belief that the majority of property loss is preventable, represent many of the world’s largest organizations, including one of every four Fortune 500 companies. They work with FM to better understand the hazards that can impact their business continuity to make cost-effective risk management decisions, combining property loss prevention with insurance protection. 

Work Schedule
This position requires on-site work one day per week at our Corporate Headquarters, with flexibility to be on-site when needed based on the demands of the business.


Relocation is not offered for this position. 

Position Summary 

FM is seeking a Senior Information Security Analyst with deep expertise in Third-Party Risk Management (TPRM). In this role you will play a critical part in protecting FM by assessing how external vendors, SaaS platforms, and cloud solutions interact with our systems and data. This is a high-impact role in which your expertise in cyber risk, vendor security, and cloud architecture will help shape business decisions, strengthen our security posture, and support innovation in a secure way. This includes reviewing both the vendor's security control environment and the specific solution being implemented, with a focus on data handling, storage, and integration with internal systems.

You will partner closely with business, technology, and procurement teams to identify risks and recommend practical, business-aligned mitigation strategies. 

You will lead end-to-end cybersecurity risk assessments of third-party vendors and solutions—going beyond standard due diligence to evaluate real-world risk across systems, data, and integrations. 

Key Responsibilities  

  • Lead end-to-end third-party solution risk assessments and vendor security reviews across the vendor lifecycle, including due diligence, onboarding, ongoing monitoring, and reassessments. 
  • Evaluate vendor security programs, control effectiveness, and governance, along with deep-dive assessment of the specific product being implemented including solution architecture, data flows, and integration points. 
  • Identify and communicate inherent and residual cyber risks related to data protection, privacy, IAM, privileged access, system connectivity, and external attack surface exposure. 
  • Review and interpret security documentation, including SOC 1/SOC 2 reports, ISO 27001 certifications, audit reports, architecture diagrams, data flow diagrams, and technical configurations. 
  • Recommend practical risk mitigation strategies, including compensating controls, secure design changes, and contractual safeguards to support risk-informed decisions. 
  • Partner with business, technology, procurement, and legal teams to support risk acceptance, exception management, and third-party risk governance. 
  • Contribute to the evolution of FM’s third-party risk management framework, methodology, and standards in alignment with NIST, ISO 27001, NYDFS, and other applicable regulatory expectations. 


Qualifications

  • 5+ years of experience in cybersecurity, information security, or cyber risk, with a background in third-party risk management (TPRM), IT risk, audit, incident response, or access management. 
  • Experience assessing vendor security posture in cloud (SaaS/PaaS) and enterprise environments.

Technical Expertise

  • Strong understanding of systems, networks, application architecture, cloud security, and secure system design across AWS, Azure, SaaS, PaaS, APIs, and enterprise integrations. 
  • Experience evaluating data flows, data classification, data protection, data governance, and secure data handling practices. 
  • Knowledge of IAM, SSO, federation, privileged access, cyber threats, vulnerabilities, and attack methodologies. 
  • Ability to interpret SOC 1, SOC 2, ISO certifications, and other third-party assurance artifacts to identify control gaps and residual risk. 

Risk & Analysis: 

  • Ability to identify, assess, and clearly communicate complex cyber risks, trade-offs, and residual risk. 
  • Experience recommending practical, business-aligned, risk-based mitigation strategies, including compensating controls and secure design changes.
  • Strong analytical judgment, attention to detail, and risk-based decision-making. 

Collaboration & Communication

  • Ability to translate technical findings into clear, business-relevant insights and recommendations. 
  • Strong stakeholder management and partnership across business, technology, procurement, and legal teams. 
  • Collaborative, solutions-focused mindset with strong influencing skills in a fast-paced assessment environment. 
  • High degree of professional skepticism and curiosity when evaluating vendor claims and evidence.
  • Ability to manage multiple priorities independently while maintaining quality and consistency of assessments.

Tools & Certifications: 

  • Proficiency with Microsoft Office tools. 
  • Relevant certifications such as CISSP, CISA, CSA, CISM, Security+, GIAC, CEH, or similar are strongly desired. 

Education  

Bachelor's degree in information security, Computer Science, Information Technology, or a related field required. An equivalent of relevant work experience will also be considered. 

The hiring range for this position is $106,000 - $152,000. The final salary offer will vary based on geographic location, individual education, skills, and experience. The position is eligible to participate in FM's comprehensive Total Rewards program that includes an incentive plan, medical, dental and vision insurance, life and disability insurance, well-being programs, a 401(k) and pension plan, career development opportunities, tuition reimbursement, flexible work, and time off, including vacation and sick time.

FM is an Equal Opportunity Employer and is committed to attracting, developing, and retaining a diverse workforce. 

#LI-NL1 
