Assessments & Exercises Director - Third Party Assurance

Job Summary

As an Executive Director within the Cybersecurity and Technology Controls (CTC) Assessments & Exercises function, you will serve as the senior technical authority for third‑party cybersecurity assurance. You will bring deep, hands‑on expertise in cybersecurity architecture, cloud security, and enterprise control frameworks to critically evaluate the control maturity of the firm's most complex and strategically significant suppliers.

Reporting to the Global Third-Party Assurance Lead, you help to elevate the technical rigor, depth, and credibility of third‑party assurance outcomes. You will translate complex technical findings into clear, business‑relevant risk insights for senior stakeholders across Cybersecurity, Technology, Risk, and the Business, and will act as a trusted escalation point for the most technically challenging assessments.

• Provide authoritative technical leadership across third‑party cybersecurity assessments, bringing deep expertise in cybersecurity architecture, cloud-native and hybrid environments, application security, and enterprise control domains.
• Lead and personally conduct in-depth technical evaluations of supplier cybersecurity posture, control maturity, and architectural resilience, particularly for the firm's most critical and complex third‑party relationships.
• Perform threat modelling against supplier environments to identify potential security risks and develop mitigation strategies tailored to the firm's risk appetite.
• Evaluate supplier security architectures across public cloud providers (AWS, Azure, Google Cloud), assessing the design and effectiveness of controls in cloud-native, hybrid, and on‑premises environments.
• Act as the senior technical escalation point for complex supplier risks, control gaps, and remediation strategies, providing credible challenge and expert advisory input.
• Drive the evolution of the third‑party assurance methodology by embedding deeper technical assessment capabilities, including architecture reviews, threat modelling, and cloud security posture evaluation.
• Translate complex technical cybersecurity risks and supplier control deficiencies into clear, actionable, business‑relevant insights for senior leadership and non‑technical audiences through detailed reports, presentations, and other appropriate methods.
• Partner with Product Security, Cybersecurity Architecture, Technology Risk & Controls, and Cybersecurity pillar leads to ensure alignment in control intent, solution design, and third‑party risk remediation.
• Lead thematic analysis to identify systemic technical weaknesses, emerging risks, and trends across the supplier landscape, and recommend strategic remediation approaches.

• 10+ years of professional experience in cybersecurity, with significant depth in senior technical and/or architecture-focused positions.
• Proven ability to assess and articulate the cybersecurity control maturity of complex technology environments, including enterprise, cloud-native, and hybrid architectures.
• Deep, hands‑on expertise in cybersecurity architecture, threat modelling, and designing or evaluating secure controls for enterprise‑level solutions.
• Strong understanding of industry cybersecurity frameworks and key control domains (e.g., NIST CSF, ISO 27001, FFIEC, SOC 2, GDPR).
• Thorough design and operational experience across one or more major public cloud providers (AWS, Azure, Google Cloud), with relevant certifications advantageous.
• Proficiency with Cloud Security Posture Management (CSPM) tools and cloud security assessment methodologies.