Director - IS Third Party Risk Management

CNA · Chicago IL

Company

CNA

Location

Chicago IL

Type

Full Time

Job Description

You have a clear vision of where your career can go. And we have the leadership to help you get there. At CNA, we strive to create a culture in which people know they matter and are part of something important, ensuring the abilities of all employees are used to their fullest potential.
CNA seeks to offer a comprehensive and competitive benefits package to our employees that helps them - and their family members - achieve their physical, financial, emotional and social wellbeing goals.
For a detailed look at CNA's benefits, check out our Candidate's Guide.
The IS (InfoSec) Third Party Risk Management program coordinates with the Third Party Risk & Assurance department to perform risk management assessments across cybersecurity, business continuity, compliance, and general operational risk controls throughout the lifecycle of the Third Party relationship. This position reports directly to the AVP, IT Risk & Compliance and is responsible for proactively providing updates and inputs to the program methodology design of TPRM through a security lens. This role will provide Information Security expertise throughout the lifecycle of the TPRM process to improve the risk assessments, gap closures and analytics.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
  • Partner with the TPRM team to review assessment methodology design to ensure questions, ratings, finding guidelines, etc. are in alignment with our policies and industry standards.
  • Responsible for training TPRM assessors to ensure that they are enabled to perform initial review of Information Security questions.
  • InfoSec proactively identifies and partners with TPRM to implement needed changes to assessment design (i.e. questions, ratings, findings).
  • InfoSec consults on assessment responses and provides needed follow up questions or requests for evidence.
  • In the course of executing onsite assessments, actively conduct the information security sections of the assessment and provide input where necessary on all other aspects of the onsite assessment.
  • Provide input on draft assessment report to include findings within the information security area and assign risk ratings.
  • Provide input regarding remediation of information security findings. Own tracking of findings to ensure remediation plan is sound and timing is reasonable and managed.
  • Oversee Third Party Risk Management's remediation action/issue management process to ensure timely closure of identified control gaps.
  • Leveraging general Third Party Risk Management expertise, take the lead on performing annual updates of CNA's Third Party Risk Management assessment methodology covering questionnaire content, inherent/residual risk calculation, and testing procedures.
  • While updating CNA's assessment methodology, coordinate directly with CNA risk stakeholders to ensure updates take into account the most recent internal CNA standards and subsequently make all update proposals directly to the AVP of Third Party Risk and Assurance.
  • Review and submit program analytics to the AVP of IT Risk & Compliance. These metrics will focus on vendors that have security issues that are open and/or past due.
  • Partner with Director of Third Party Risk and Assurance in managing and implementing all identified program, process, and technology configuration process improvements in the Third Party Risk Management program roadmap.

May perform additional duties as assigned.
Reporting Relationship
AVP or above
Skills, Knowledge & Abilities
  • Program expertise in Third Party Risk Management best practices including industry security, business continuity, and data privacy standards, risk assessment testing procedures, issue management processes, and inherent/residual risk calculations.
  • Ability to manage remote teams, train and coach assessors on internal processes.
  • Compelling communicator; demonstrated verbal and written communication skills.
  • Detail oriented with strong organizational skills and ability to manage multiple projects effectively.
  • Experience developing and managing remediation action/incident management processes.
  • Experience in developing remediation action/incident management specific reporting and analytics.
  • Ability to communicate and simplify technical concepts for those not familiar with risk management concepts, particularly in the context of business stakeholder training.
  • Strong interpersonal skills with the ability to work with staff at all levels.
  • Proven thought leadership and ability to provide informal guidance to more junior team members.
  • Strong knowledge of Microsoft Office Suite and other business-related software systems including processing systems and applications.

Education & Experience
  • Bachelor's degree or equivalent
  • Typically 5-10 years of experience in Supplier Risk or Third-Party Risk assessment
  • Experience managing remote teams
  • CISSP, CRISC, or CISA highly preferred

#LI-JB1
#remote
CNA is committed to providing reasonable accommodations to qualified individuals with disabilities in the recruitment process. To request an accommodation, please contact [email protected].
Date Posted

09/20/2022
