Development 1d ago

Third Party Risk Specialist

India
Full-time
Not Disclosed
Mid-level

Job Description

About Vultr: Vultr is on a mission to make high-performance cloud infrastructure easy to use, affordable, and locally accessible for enterprises and AI innovators around the world. With 32 global cloud data center locations, Vultr is trusted by hundreds of thousands of active customers across 185 countries for its flexible, scalable, global Cloud Compute, Cloud GPU, Bare Metal, and Cloud Storage solutions. Valued at $3.5 billion, Vultr has grown to become the world’s largest privately held cloud infrastructure provider.

Role Mission

We are seeking a highly skilled and experienced Third Party Risk Specialist to lead technical security assessments of new and existing vendors within our global supply chain. Serving as a core technical validator inside our Governance, Risk & Compliance (GRC) department, you will evaluate and continuously monitor the cybersecurity posture of Vultr’s expanding vendor ecosystem. This highly visible role is a critical defense layer against third-party cyber threats, tracking vendor lifecycles from due diligence to secure offboarding using specialized risk grading suites.

Key Responsibilities

  • Technical Security Assessments: Conduct rigorous security audits of new and existing vendors utilizing standardized frameworks (SIG, CAIQ) alongside custom technical validation questionnaires.
  • Framework Compliance Alignment: Validate third-party control matrices against global industry benchmarks including NIST CSF, ISO 27001, SOC 2 Type II, CIS Controls, and complex multi-national regulatory frameworks (GDPR, DORA, HIPAA, PCI-DSS).
  • Evidence Packages Diagnostic: Evaluate vendor-submitted verification files including independent penetration test reports, vulnerability scans, system patch logs, and identity access architecture rules.
  • Attack Surface Monitoring: Monitor vendor external perimeter vectors for freshly exposed digital assets, configuration drifts, and known vulnerabilities (CVEs/zero-days) using continuous automated security rating tooling.
  • Incident Response Coordination: Monitor vendor breach disclosures, quantify potential structural blast-radii, and coordinate directly with internal Security Operations Centers (SOC) and Incident Response (IR) squads during third-party compromises.
  • Supply Chain Concentration Analysis: Map out downstream sub-processors and technology dependencies to identify single points of failure where multiple critical vendors rely on identical hyperscalers or software components.
  • Cross-Functional Contract Advisory: Partner alongside Procurement and Legal groups to evaluate vendor onboarding, analyze right-to-audit clauses, dictate remediation timelines, and outline strict SLA breach notification terms.

Required Skills & Qualifications

  • 3 to 5 years of professional individual contributor experience operating inside an IT Security Compliance, Third-Party Risk Management (TPRM), or Cybersecurity Audit framework.
  • Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or an allied quantitative computing discipline (waived with 7+ years of equivalent enterprise risk experience).
  • Deep technical understanding of network architecture principles, cryptographic encryption standards, patch management cycles, and identity management implementations.
  • Hands-on familiarity navigating modern GRC platforms and vendor tracking tools such as Jira, AuditBoard, Drata, or SecurityScorecard.
  • Strong capabilities to interpret SOC 1 / SOC 2 reports, identify ledger control exceptions, and translate complex technical vulnerabilities into clear business risk narratives.
  • Shift Flexibility: Full comfort and availability to routinely sync and collaborate across U.S. working time zones.
  • Location Scope: 100% remote operational flexibility open to qualified compliance specialists based inside India (Must be available to start within 30 days of an offer).

Preferred Strategic Indicators (Nice to Have)

  • Professional industry risk or compliance certifications such as CTPRM, CIPP, CRISC, or CISA credentials.
  • Functional background assessing specific risk considerations, testing frameworks, and data boundaries unique to AI models and LLM platforms.
  • Familiarity navigating India’s localized digital governance laws, specifically the Digital Personal Data Protection Act (DPDPA), 2023 and MeitY mandates.

What We Offer

  • Direct technical ownership protecting the data lines for the world’s largest independent private cloud network.
  • Annual company-paid medical insurance stipends.
  • Generous leave structures accompanied by a 1-month fully paid sabbatical block every 5 years alongside annual anniversary bonuses.
  • Dedicated technical professional development and training cost reimbursements.
  • Remote office equipment setup in the first year, followed by dedicated quarterly hardware refresh allowances.
  • Full home internet connectivity and fitness club membership cost reimbursements.
