Rush University

Rush University is hiring: Cybersecurity Third Party Risk Manager in Chicago

Rush University, Chicago, IL, US, 60290


Job Description

Location: Chicago, Illinois / Remote

Business Unit: Rush Medical Center

Hospital: Rush University Medical Center

Department: Cybersecurity Operations

Work Type: Full Time (Total FTE between 0.9 and 1.0)

Shift: Shift 1

Work Schedule: 8 Hr (8:00:00 AM - 5:00:00 PM)

Rush offers exceptional rewards and benefits; learn more at our Rush benefits page (https://www.rush.edu/rush-careers/employee-benefits).

Pay Range: $55.75 - $93.66 per hour

Rush salaries are determined by many factors including, but not limited to, education, job-related experience and skills, as well as internal equity and industry specific market data. The pay range for each role reflects Rush's anticipated wage or salary reasonably expected to be offered for the position. Offers may vary depending on the circumstances of each case.

Summary:

Rush University System for Health is seeking an experienced Cybersecurity Third Party Risk Manager to lead our vendor risk program and strengthen security across the enterprise. In this role, you'll oversee a team of analysts, develop and mature our third-party risk management strategy, and collaborate with Cybersecurity, Legal, Compliance, and Procurement to ensure our vendors meet RUSH's security standards.

You'll be hands-on in evaluating vendor risks, guiding remediation efforts, and driving program improvements that safeguard patient data, protect our systems, and support organizational resilience. This is a high-impact leadership opportunity where your expertise in frameworks like NIST, HITRUST, or ISO and knowledge of regulations such as HIPAA and SOX will directly advance the future of healthcare security.

Bring your leadership, vision, and risk management expertise to a nationally ranked health system that values innovation and growth.

Responsibilities:

  • Collaborates with Cybersecurity leadership to develop and mature RUSH's overall TPRM program through effective governance, comprehensive vendor analysis and review processes, and implementation and monitoring of vendor management security controls.

  • Manages a team of cybersecurity analysts responsible for execution of the TPRM program vision.

  • Responsible for the TPRM team's adherence to RUSH's third-party risk management policies and standards.

  • Manages and maintains TPRM technology and toolsets that support the TPRM program.

  • Owns and oversees the RUSH's TPRM program charged with performing security reviews of all new and existing technology vendors on a regularly scheduled basis.

Third-party risk management will include:

  • Development of a TPRM program vision and methodology.

  • Management of RUSH's vendor information security questionnaires.

  • Interpretation and analysis of vendor input.

  • Reporting results of vendor security profiles.

  • Where necessary, managing security gaps to ensure technology vendors meet RUSH's minimum-security requirements for vendors through enhancement or remediation of their security capabilities.

  • Preparing regular governance reports to various cross-functional stakeholders and management concerning the current state of information security measures.

  • Making recommendations for improvement, as required.

Additional Responsibilities:

  • Make meaningful risk-mitigating recommendations that directly improve the third-party risk posture.

  • Foster relationships with internal and external stakeholders.

  • Collaborate internally with security experts to understand requirements and standards.

  • Works with Cybersecurity GRC to track vendor risks and risk exceptions to TPRM policies and standards.

  • Identifies and provides input on information security awareness training related to the TPRM program. Collaborates with RUSH training and cybersecurity awareness and education teams at RUSH to develop and implement training courses to enhance security capabilities and competencies of the organization.

  • Develops roadmaps for TPRM maturity at RUSH. Leads TPRM projects and initiatives to implement and execute on the roadmap.

  • Works with IT management, risk managers, corporate compliance, and in-house legal counsel to perform and maintain TPRM risk assessments concerning potential vendor cyber risks to RUSH. TPRM assessments may include assessment of vendor capacity, data privacy, vendor geography concerns, vendor competition, import/export sanctions, vendor insurance coverage, vendor performance, and vendor continuity concerns.

  • Provides support in the development and implementation of mitigating security controls where vendor controls may fall short of RUSH's requirements.

  • Maintains relationships with clinical and business management to ensure third-party reviews are completed timely and in accordance with RUSH policies and standards.

  • Keeps informed of new and emerging information security trends in TPRM processes.

Required Job Qualifications:

  • Bachelor's degree.

  • 8+ years of relevant experience focusing on security policy creation and lifecycle management, auditing methodology, technology risk management, and/or third-party risk management.

  • Excellent verbal and written communications skills.

  • Self-starter with ability to work independently to create, build, and manage frameworks and programs.

  • Ability to analyze and present critical information to all levels of staff from general employee level to Board-level reporting metrics.

  • Ability to source, analyze, negotiate, select and manage third-party vendors to achieve program deliverables.

  • Must have excellent interpersonal skills to effectively communicate with all levels of hospital personnel, vendors, IT personnel, and direct reports.

  • Strong prioritization, multi-tasking, and time management skills.

  • Explicit knowledge of cybersecurity controls, implementation, compliance, and governance.

  • Thorough understanding of vendor risk analysis.

  • Must possess the ability to deliver clear, concise communications and presentations. Must be able to train others quickly and thoroughly on key cybersecurity concepts.

  • Knowledge of Federal and State regulations including HIPAA, SOX, and FERPA.

  • Knowledge of industry leading frameworks including NIST, HITRUST, PCI, ISO, SOC 2, ITIL, and COSO.

Preferred Job Qualifications:

  • 3+ years of relevant and progressive GRC experience in a healthcare setting.

  • Security industry certifications such as CISM, CISSP, ISSMP or CCISO are desirable.

Rush is an equal opportunity employer. We evaluate qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, veteran status, and other legally protected characteristics.

Position Cybersecurity Third Party Risk Manager

Location US:IL:Chicago

Req ID 21450