
Principal – Third Party Cyber Risk Assessment

Job in Raritan, Somerset County, New Jersey, 08869, USA
Listing for: Johnson & Johnson
Full Time position
Listed on 2026-05-08
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 102000 - 177100 USD Yearly

Technology Enterprise Strategy & Security – Security & Controls – Scientific/Technology

Location:

Raritan, New Jersey (preferred). Also available at the ISRM Service Centers in São José dos Campos, São Paulo, Brazil and Warsaw, Poland.

Job Description:

  • Serve as a senior technical authority and thought leader for third‑party cyber risk assessments across Johnson & Johnson’s global ecosystem of vendors, SaaS providers, and strategic partners.
  • Identify and assess cyber risks within the Third‑Party Risk Assessment (TPRA) service, working with a diverse, global team of cyber security professionals.
Key Responsibilities
  • Perform and lead third‑party risk assessments, risk rankings, and collaborate on remediation strategies.
  • Conduct deep technical reviews of third‑party security controls, evidence artifacts, attestations, and independent reports to assess control design, implementation, and operating effectiveness.
  • Evaluate complex risk scenarios involving sensitive data types, regulatory obligations, complex architectures, and cross‑border data flows.
  • Identify, document, and risk‑rate third‑party cyber issues, ensuring consistent severity determination and alignment to ISRM standards.
  • Drive automation and process improvements as they are identified, through relevant projects and/or operations.
  • Communicate cybersecurity third‑party risk assessment results to senior leaders and provide input on remediation plans.
  • Enhance third‑party cyber risk assessment processes by defining and implementing process improvements.
  • Offer consulting support to the larger cybersecurity team on third‑party risk assessment understanding and remediation.
  • Lead and mentor junior members of the team, ensuring ongoing learning, and support special projects as needed.
Qualifications
Education
  • Bachelor’s degree in Computer Science, Engineering, Information Security/Cybersecurity, or equivalent (required).
  • Advanced degree preferred.
  • Security certifications such as CISSP, CCSP, CISA, CRISC, etc., are preferred.
Required Experience and Skills
  • 5+ years of direct third‑party cybersecurity risk assessment experience.
  • 5+ years using the ServiceNow GRC tool to support security risk objectives.
  • Proficiency in conducting and leading third‑party risk assessments, including data classification, risk scoring, and mitigation planning.
  • Ability to translate technical findings into business impact for key partners.
  • Strong analytical and problem‑solving skills.
  • Strong interpersonal skills to build and maintain relationships with internal partners.
Preferred
  • Foundational knowledge of regulatory requirements (e.g., SOX 404, Privacy, HIPAA, GxP, cyber regulations).
  • Experience assessing third‑party risk in a large, dynamic, multinational organization.
  • Experience identifying key security risks, controls, and providing consulting services throughout the third‑party vendor lifecycle.
  • Experience with security standards and control frameworks (FAIR, HITRUST, ISO 27001, NIST, SOC 2, etc.).
  • Record of effectively collaborating with virtual, global teams, including diverse groups of people.
Pay Transparency

Base salary range: $102,000 – $177,100.

Benefits

Employees and eligible dependents may participate in company‑sponsored programs, including medical, dental, vision, life insurance, short‑ and long‑term disability, business accident insurance, and group legal insurance. Employees are eligible for the Company’s consolidated retirement plan (pension and 401(k)). Time‑off benefits include vacation (120 hours per calendar year), sick time (40 hours per calendar year), holiday pay (13 days per calendar year), floating holidays, personal and family time (up to 40 hours per calendar year), parental leave (480 hours within one year), condolence leave, caregiver leave, volunteer leave, and military spouse time‑off.

Additional benefit details can be found at

Equal Opportunity Employment

Johnson & Johnson is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status, or other characteristics protected by federal, state, or local law. The company actively seeks qualified candidates who are protected veterans and individuals with disabilities.

Johnson & Johnson is committed to providing an interview process that is inclusive of applicants’ needs. If you have a disability and would like to request an accommodation, please contact us via  or ask for your accommodation resource.
