Hubspotjobs
Senior Third Party Risk & Controls Specialist
engineeringfull-timeRemote - USA
SALARY
Not listed
WORK TYPE
remote
JOB TYPE
full-time
INDUSTRY
general
✦ AutoApply Let us apply to roles like this on your behalf.
Learn more
About the role
What you’ll do
Third-Party Risk Assessment (Primary Focus - 60%)
- Conduct technical security assessments of third-party applications, vendors, and service providers beyond traditional questionnaire-based reviews
- Evaluate API security, authentication mechanisms, data flows, and integration architectures for vendor solutions
- Assess generative AI vulnerabilities in third-party applications, including model security, data privacy, and information disclosure risks
- Perform security reviews of Model Context Protocol (MCP) servers and implementations
- Review vendor security documentation, architecture diagrams, and technical controls
- Identify security gaps and provide risk-based recommendations and guardrails to stakeholders
- Collaborate with procurement, legal, and business teams on vendor onboarding and ongoing monitoring requirements.
IAM & Enterprise Application Management (40%)
- Support Shadow IT discovery and risk assessment initiatives using enterprise tooling
- Evaluate security risks associated with unsanctioned applications and browser extensions
- Assist with managing and reducing risk relating to non-human identity (NHI) including service accounts and API keys.
- Assess access control implementations across enterprise applications and also members of HubSpot’s global contractor base.
- Review OAuth grants, SAML configurations, and application integrations for security risks
- Support identity governance initiatives and access certification processes
- Collaborate and support the enterprise application management team on shared security initiatives
What we’re looking for
- 5+ years of experience in application security, vendor risk management, cloud security, and/or related field
- Experience with security frameworks (NIST CSF, ISO 27001, SOC 2, etc.)
- Strong understanding of API security (REST, GraphQL, authentication/authorization)
- Strong understanding of IAM principles (RBAC, ABAC, least privilege) and modern authentication protocols (OAuth 2.0, SAML)
- Experience with non-human identity management (service accounts, API tokens, certificates)
- Understanding of SaaS architectures, access controls, and integration security
- Excellent prioritization, organization, and time management skills to suit a high-volume environment.
- Understanding of LLM and generative AI security challenges and the emerging threat landscape.
- Strong project management and communication skills to support a highly cross-functional work environment.
- Working knowledge of privacy and compliance standards (GDPR, CCPA, HIPAA)
- Background in technical due diligence or managing large-scale supplier security programs (preferred)
- Certifications such as CISSP, CCSP, CISM, or CRISC are a plus
✦ Let us apply for you
We find roles like this and apply on your behalf. Cover letter written for each one. Plans from $15/mo. Cancel anytime.
Get AutoApply