About the Team:
This position works as part of the Risk and Compliance organization, which is responsible for compliance and the management of risk across the enterprise. As a member of the department, this individual will be committed to safeguarding the organization against risks associated with third-party relationships.
About the Role:
The Lead Third-Party Risk Analyst will serve as a trusted advisor for internal UKG business stakeholders and will be responsible for identifying, assessing, and mitigating risks related to third-party relationships and services. Risks include information security, privacy, financial, business resiliency, and more. The role demands an organized, action-oriented team player with the ability to prioritize daily work and support multiple initiatives simultaneously; strong communication and customer focus are required.
• Supports the Third-Party Risk Management program, providing support to Business Partners and the Procurement department during vendor selection and contract negotiation processes.
• Identifies risks with prospective services and products and works with Business Partners to factor the risk into the vendor selection process.
• Works to gain process efficiencies and performs monthly analysis on team metrics.
• Supports the Third-Party Risk Management team in daily operations.
• Periodically reassesses Third Parties based on risk and/or a material change in the utilization of that Third Party.
• Identifies third parties for ongoing monitoring to ensure reviews are performed in a timely manner.
• Assesses risk associated with third-party partner and vendor relationships, focusing on the third party’s ability to demonstrate the existence of information security controls and privacy controls, and its ability to support critical business functions of the company.
• Advises Business Partners on appropriate implementation of information security and privacy controls for new third-party services, leveraging a combination of these controls and the Third Party’s security and privacy programs to maintain UKG’s information security and privacy posture.
• Partners with Procurement and Legal departments during contractual negotiations to provide consultation on security and privacy clauses included in third party agreements.
• Identifies risks associated with a Third Party and tracks those risks as necessary for future assessment.
• Administers the company’s Vendor Risk Management (VRM) platform, which supports the Third-Party Risk program. Responsibilities include access management, configuration changes, and report generation.
About You:
Basic Qualifications:
• 5-7 years of related work experience in third-party risk, information security governance, enterprise risk, and/or related functions (such as IT audit and IT risk management).
• 5-7 years of experience providing input into third party contract agreements from an information security and privacy perspective.
• BS/BA degree in Enterprise Risk Management, Information Security, Computer Information Systems/Management Information Systems or related discipline or equivalent experience.
• Experience administering the ProcessUnity VRM tool or a similar platform.
• Proficiency in comprehending the dynamics of third-party relationships, including vendors, partners, suppliers, and contractors.
• Knowledge of the risks associated with external entities that interact with an organization’s systems or process confidential information.
• Ability to assess risks across various dimensions (such as information security, privacy, business continuity, financial, etc.).
• Understanding of data privacy and cybersecurity regulations (such as GDPR, CCPA, DORA, etc.).
• Knowledge of business continuity planning and disaster recovery and ability to evaluate third-party capabilities in maintaining business resiliency.
• Knowledge of security practices in cloud environments (such as data encryption, access controls, and compliance with regulations).
• Familiarity with Software as a Service (SaaS) and potential risks.
• Experience with information security management frameworks such as AT101 SOC 2, ISO, ITIL, COBIT, and NIST, including development of policies, processes, and procedures within the environment.
Preferred Qualifications:
• Excellent verbal and written communication skills to effectively communicate with employees, vendors, third-party partners, customers, business partners, and all levels of management.
• Experience supporting regulatory and compliance programs (such as HIPAA, PCI, MA 201 CMR 17, FedRAMP).
• Experience designing and implementing controls within corporate networks, including computer/network security and operating systems such as UNIX, Linux, and Windows, as well as LAN/WAN internetworking protocols such as TCP/IP and network perimeter protection (firewalls).
• Knowledge of risks associated with GenAI.
• Experience leveraging Enterprise Risk Management and Issues Management applications in the LogicGate platform.
• CISA, CISM, CRISC, CISSP, CTPRP, or similar security certification.