Business Information Security Officer – Third Party Risk

Remote Location, United States

Group 1001

We make insurance better for everyone. Our family of insurance companies offers useful, intuitive solutions to empower people to live the lives they dream about.


Group 1001 is a consumer-centric, technology-driven family of insurance companies on a mission to deliver outstanding value and operational performance by combining financial strength and stability with deep insurance expertise and a can-do culture. Group 1001’s culture emphasizes the importance of collaboration, communication, core business focus, risk management, and striving for outcomes. This goal extends to how we hire and onboard our most valuable assets – our employees.

Job Description:

We are seeking an experienced Business Information Security Officer (BISO) specializing in Third Party Risk Management to join our team. In this role, you will serve as the primary security advocate for managing risks posed by our third-party vendors, suppliers, and partners. You will bridge the gap between business operations and security requirements, ensuring that our third-party ecosystem adheres to our security standards and regulatory compliance obligations. You will report to the Director of Security Lifecycle and Architecture.

Key Responsibilities:

  • Oversee the organization’s Third-Party Risk Management (TPRM) program including policies, standards, procedures, and governance.
  • Lead comprehensive security assessments of potential and existing third-party vendors, evaluating their security posture, controls, and compliance with regulatory requirements.
  • Partner with business stakeholders to integrate security requirements into vendor selection, contract negotiation, and ongoing vendor management processes.
  • Monitor and report on third-party security risks to executive leadership, providing actionable insights and recommendations for risk mitigation.
  • Establish and track key performance indicators for third-party security performance, identifying trends and implementing continuous improvement initiatives.
  • Assist the security training team with training for stakeholders involved in third-party relationships.
  • Lead periodic reviews of critical vendor relationships, conducting risk reassessments and compliance validation.

Required Qualifications:

  • 10+ years of progressive experience in information security roles, with at least 5 years focused specifically on third-party risk management.
  • Demonstrated experience developing and implementing third-party assessment methodologies and frameworks.
  • Strong background in technical security domains including network security, application security, cloud security, and data protection.
  • Extensive knowledge of information security frameworks (e.g., NIST CSF, ISO 27001, CIS) and regulatory requirements (e.g., GDPR, HIPAA, PCI DSS, HITRUST, NYDFS).
  • Proven experience in risk assessment, analysis, and management methodologies.
  • Current professional certifications such as CISSP, CISM, CRISC, or equivalent.
  • Exceptional communication skills with the ability to effectively translate technical security concepts to diverse audiences including executive leadership, business partners, and technical teams.
  • Experience in negotiating security requirements with third parties and managing security expectations throughout vendor relationships.
  • Demonstrated project management experience with the ability to lead cross-functional initiatives.

Compensation:

Our compensation reflects the cost of labor across several U.S. geographic markets. The base pay for this position ranges from $160,000/year in our lowest geographic market up to $190,000/year in our highest geographic market. Pay is based on a number of factors including market location and may vary depending on job-related knowledge, skills, and experience.

Benefits Highlights:

Employees who meet benefit eligibility guidelines and work 30 hours or more weekly are able to enroll in Group 1001’s benefits package. Employees (and their families) are eligible to participate in the Company’s comprehensive health, dental, and vision insurance plan options. Employees are also eligible for Basic and Supplemental Life Insurance, Short and Long-Term Disability, and to enroll in the Company’s Employee Assistance Program and other wellness initiatives. Employees may also participate in the Company’s 401K plan, with matching contributions by the Company.

Group 1001, and its affiliated companies, is strongly committed to providing a supportive work environment where employee differences are valued. Diversity is an essential ingredient in making Group 1001 a welcoming place to work and is fundamental in building a high-performance team. Diversity embodies all the differences that make us unique individuals. All employees share the responsibility for maintaining a workplace culture of dignity, respect, understanding and appreciation of individual and group differences.

#LI-AS1 #LI-REMOTE