
Lead Cybersecurity Third Party Risk Analyst (Remote)

CareFirst BlueCross BlueShield
Owings Mills, MD Remote Full Time
POSTED ON 8/23/2024 CLOSED ON 9/21/2024

What are the responsibilities and job description for the Lead Cybersecurity Third Party Risk Analyst (Remote) position at CareFirst BlueCross BlueShield?

Resp & Qualifications

PURPOSE:
To ensure the organization's data remains protected from inappropriate access, disclosure and/or damage. To advocate for and execute the processes and practices of the Cybersecurity team while supporting business and customer needs.

ESSENTIAL FUNCTIONS:
Under the supervision of the Manager, Cybersecurity Risk and Compliance, the incumbent's accountabilities include, but are not limited to, the following:

  • Lead the Third Party Security Risk Management program, providing support and guidance to a team of technically diverse cybersecurity specialists while further supporting collaboration across the various risk-related teams in the organization.
  • Lead the third-party continuous monitoring efforts by partnering with TPRM, Procurement, Legal, and key business stakeholders.
  • Assess third party cybersecurity controls, identify gaps, assist in development of mitigation strategies, and manage them to closure.
  • Collaborate with internal and external vendor teams to assess, monitor, and manage risks associated with third-party relationships.
  • Work with business teams to conduct thorough assessments of third-party vendors to identify potential risks to the organization. This includes evaluating their security practices, data handling procedures, and regulatory compliance (e.g., HIPAA, PCI, GDPR, etc.).
  • Represent Cybersecurity from a Cybersecurity Risk Management perspective and execute security risk management leadership through the design and implementation of cybersecurity controls to maintain the confidentiality, integrity and availability of information systems and data.
  • Prepare detailed risk assessment reports, clearly articulating findings and recommendations and maintain a comprehensive repository of all third-party risk assessments and associated documentation.
  • Lead risk analyses to ensure consistency in the detailed risk assessment lifecycle inclusive of identification, socialization, mitigation, and closure.
  • Design, implement, and integrate security solutions to address enterprise risks and exposures.
  • Develop and maintain Information Security Risk Metrics supported by KPIs and KRIs to support the analytics team.
  • Test and report on new technologies to address security concerns and work closely with the vulnerability management team on the identified risks.
  • Co-lead CareFirst compliance/risk management efforts in support of NIST, FedRAMP, and HIPAA, including but not limited to: external assessment readiness/support, self-assessments, risk assessments, Plan of Action and Milestones (POA&M) management, and continuous monitoring.

QUALIFICATIONS:

Education Level: Bachelor's Degree in Computer Science, Cyber Security, Information Technology, or related field OR in lieu of a Bachelor's degree, an additional 4 years of relevant work experience is required in addition to the required work experience.

Licenses/Certifications:

  • CISSP - Certified Information Systems Security Professional Upon Hire Preferred or
  • CISM - Certified Information Security Manager Upon Hire Preferred or
  • Certified Ethical Hacker (CEH) Upon Hire Preferred

Experience: 8 years relevant information security experience.

Preferred Qualifications:

  • Professional certification such as CISSP, CRISC, CISA, or CISM (lead level only).
  • Significant understanding of NIST Risk Management Framework and Information Security Risk Management methodologies including FAIR quantitative model.
  • Experience with Cybersecurity Governance, Risk, and Compliance (eGRC) Programs and Platforms.
  • Proven ability to translate technical requirements to the business.
  • Specific knowledge of CareFirst business and BlueCross BlueShield corporate structure.
  • An understanding of the relationships among various units within the corporation.
  • Ability to understand, develop, and socialize security policies, standards, and procedures.
  • Proficiency with security controls for cloud environments (Azure and AWS) including FedRAMP requirements.
  • Familiarity with security tools such as wireless and network scanning applications, vulnerability assessment applications and concepts, IDS/IPS, Data Loss Prevention, and other appropriate security related tools and capabilities.
  • Experience working with Information Security tools in a large, complex, multi-platform environment.
  • Familiarity with HIPAA Security Rule and compliance requirements.
  • Understands complex cybersecurity issues as well as emerging technologies and develops creative solutions while ensuring compliance with cybersecurity laws and regulations.
  • Experience in risk management, compliance, audit, or third party assessments.

Knowledge, Skills and Abilities (KSAs)

  • Ability to manage multiple tasks and deliverables with minimal supervision.
  • Ability to explain technical information to technical and nontechnical personnel.
  • Knowledge of cyber security related risk management techniques.
  • Knowledge of network architecture and firewall security.
  • Understanding of business needs and commitment to delivering high-quality, prompt, and efficient service.
  • Must be able to meet established deadlines and handle multiple customer service demands from internal and external customers, within set expectations for service excellence. Must be able to effectively communicate and provide positive customer service to every internal and external customer, including customers who may be demanding or otherwise challenging.



Salary Range: $102,240 - $203,060

Salary Range Disclaimer

The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the work is being performed. This compensation range is specific and considers factors such as (but not limited to) the scope and responsibilities of the position, the candidate's work experience, education/training, internal peer equity, and market and business consideration. It is not typical for an individual to be hired at the top of the range, as compensation decisions depend on each case's facts and circumstances, including but not limited to experience, internal equity, and location. In addition to your compensation, CareFirst offers a comprehensive benefits package, various incentive programs/plans, and 401k contribution programs/plans (all benefits/incentives are subject to eligibility requirements).

Department

Cybersecurity Governance

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Where To Apply

Please visit our website to apply: www.carefirst.com/careers

Federal Disc/Physical Demand

Note: The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.

PHYSICAL DEMANDS:

The associate is primarily seated while performing the duties of the position. Occasional walking or standing is required. The hands are regularly used to write, type, key and handle or feel small controls and objects. The associate must frequently talk and hear. Weights up to 25 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship

This job has expired.