Metropolitan Transportation Authority (MTA)
Principal Cybersecurity 3rd Party Risk Management (C)
Metropolitan Transportation Authority (MTA), New York, New York, us, 10261
Overview
Job Title: Principal Cybersecurity 3rd Party Risk Management (C)
Job ID: 11707
Business Unit: MTA Headquarters
Location: New York, NY, United States
Department: IT CISO
Date Posted: Aug 14, 2025
Regular/Temporary: Regular
Location Details: 2 Broadway New York, NY 10004
Hours: 9:00 am - 5:30 pm (7.5 hours/day) or as required
Telework: This position is eligible for telework, which is currently two days per week.
Salary Range: $156,476 - $184,692
Supervisor: Cybersecurity Officer - Manager
Summary: The role will manage vendor risks and assessments to anticipate, identify, monitor and mitigate risks associated with third-party providers of goods or services. In addition, this role is tasked with compiling data and completing documentation related to vendor risk, as well as ensuring that the issues that arise are appropriately captured, assessed and mitigated to acceptable levels. This role must ensure that the organization's vendor ecosystem is properly evaluated, assessed and managed to minimize risk exposure and risk impacts to the business.
Responsibilities
Assessing the information security posture of third parties (service providers, business partners, and Third-Party Administrators (TPAs)) and coordinating the overall execution and delivery of assessments and related remediation of any findings
Identifying and tracking continuous monitoring activities to ensure the risks associated with individual third parties have not changed or exceeded risk tolerance thresholds, and where it has exceeded approved thresholds, agree remediation plans with the counterparty
Participate in cross-functional teams to promote information security policies and best practices and address third-party security compliance issues
Develop and implement cybersecurity policies and procedures to protect information assets
Conduct cybersecurity risk assessments of third-party vendors and suppliers using industry-standard frameworks, such as NIST, ISO, and CSA
Develop and maintain a comprehensive inventory of third-party vendors and suppliers, and track their cybersecurity risk profiles
Collaborate with procurement and legal teams to ensure that third-party contracts include appropriate cybersecurity requirements and provisions
Coordinate, plan and execute risk-based security assessments of third parties to ensure ongoing compliance with regulations, legislation, contractual obligations, company policies, and internal controls
Monitor third-party vendors and suppliers for changes in their cybersecurity risk profiles and report any concerns to management
Provide guidance and recommendations to internal teams on best practices for managing third-party cybersecurity risks
Keep abreast of the latest security, privacy, and regulatory concerns and best practices impacting third party risk management
Continuously monitor information security and privacy regulation changes, design and implement process improvements to ensure organizational adaptation of those changes and compliance
Perform IT Security assurance/compliance reviews as appropriate
Identify enhancements and process efficiencies to keep assessment program in line with best practices
May mentor less experienced staff
Performs other duties and tasks as assigned
May need to work outside of normal work hours (i.e., evenings and weekends)
Travel may be required to other MTA locations or other external sites
Observing the work performed by the contractor
Reviewing invoices and approving them if the work met contractual standards
Addressing performance issues with the contractor when possible
Escalating issues to other parties as needed
Qualifications
Education: Bachelor's Degree
Experience: At least 10 years of relevant experience. An equivalent combination of education and experience may be considered in lieu of a degree.
Certification(s): Must possess at least two of the following professional certifications in the subject domain, including but not limited to: CRMA, CISSP, CISA, GIAC (e.g., GCIH, GSEC), CTPRP, CCEP, CRISC, CIPP, CISM, CSSLP, OSCP, Security+, CGRC, CSX Practitioner, and related IT security certifications.
Technical Skills:
Expert/Highly Proficient in implementing and maturing cybersecurity frameworks (e.g., MITRE ATT&CK) and related controls
Strong background across cybersecurity domains; experience in IT risk management or audit
Experience with third-party risk and vendor management
Desirable: CRISC, CISA, CISSP, or similar
Comprehensive understanding of cybersecurity principles, frameworks, and regulations (ITIL, NIST, MITRE, COBIT, COSO, HITRUST, SOC, ISO, GDPR, PCI)
Extensive hands-on experience with GRC tools
Solid working knowledge of IT security and infrastructure
Ability to develop rapport and investigate potential policy violations/risks
Proven ability to assess third-party risk programs and implement changes
Ability to work independently and strategically
Strong analytical, problem-solving, and decision-making skills
Strong communication skills with both technical and non-technical audiences
Experience managing multiple projects with prioritization
Knowledge of Supply Chain Risk Management standards (NIST SP 800-161)
Risk management processes and familiarity with laws, regulations, and ethics in cybersecurity
Soft Skills:
Active Listening, Attention to Detail, Customer Service
Prioritization, Problem Solving, Effective Verbal and Written Communication
Core Competencies: Proficiency levels and definitions are described in the original posting and include leadership, customer focus, communication, technical skills, and diversity values.
Desired (not required): MBA or other advanced degree
Other Information
Pursuant to New York State Public Officers Law and MTA Code of Ethics, all policymakers must file an Annual Statement of Financial Disclosure (FDS). MTA and its subsidiaries are Equal Opportunity Employers, including respect to veteran status and individuals with disabilities. The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.