Dir 3rd Party Security Risk

RemoteFull-time$152k–$201kPosted Jul 16, 2026

Our Mission

Our mission is to SAVE AND IMPROVE LIVES BY EMPOWERING HEALTHCARE CONSUMERS. Come be part of remarkable.

Overview

How you can make a difference  

HealthEquity relies on a broad ecosystem of third party partners, vendors, platforms, and service providers to support member, client, and teammate experiences while protecting trust, resilience, and compliance. The Director of 3rd Party Risk is a strategic leadership role responsible for overseeing and evolving the 3rd party (third-party) risk management program into an enterprise-wide, AI-aware risk governance capability.

 

In this role, you will drive a pragmatic, measurable program that defines “what good looks like” across vendor tiers, incorporates AI and agentic system risks into due diligence and lifecycle oversight, and aligns third party risk practices with enterprise strategy, regulatory expectations, resiliency objectives, and business priorities. The Director will lead a growing team and collaborate cross-functionally with Security, Procurement, Legal, Privacy, Enterprise Risk, IT, Engineering, Finance, and business owners to identify, assess, quantify, and manage third party risks across cybersecurity, resiliency, financial, operational, contractual, reputational, and AI domains.

 

This role is critical in establishing clear operating procedures, risk-tiered requirements, meaningful KRIs/KPIs, and board-ready reporting, ensuring third party relationships and AI-enabled vendor services align with the company’s risk appetite, strategic objectives, and obligation to protect member, client, and company data while fostering a culture of accountability and resilience.

 

 

What you’ll be doing 

  • Develop and execute a transformatiomal third-party risk strategy that integrates cybersecurity, privacy, resiliency, financial, operational, contractual, reputational, and AI risks into enterprise goals.
  • Design policies, standards, playbooks,  and scalable processes to streamline third party intake, risk assessments, issues mananagement, offboarding and continuous monitoring and automated assurance of controls while reducing duplicative or low-value work.
  • Incorporate AI and agentic systems and solutions into the TPRM lifecycle, including AI-use disclosure, AI-specific due diligence, data-use restrictions, model or system documentation review, human oversight expectations, output integrity, monitoring, incident response, and residual risk acceptance.
  • Partner with the AI Governance Council, Legal, Privacy, Enterprise Risk, Data Governance, Procurement, and business owners to ensure third party-sourced AI capabilities are reviewed, approved, monitored, and governed consistently with enterprise AI policies and standards.
  • Establish meaningful KRIs, KPIs, dashboards, and management routines that demonstrate whether the program is buying down third-party risk, including coverage, assessment quality, remediation aging, contract control gaps, external risk posture, AI-enabled vendor coverage, and unresolved risk acceptances.
  • Design and maintain tier-based operating procedures that clearly articulate what is required for tiered third party, including required risk assessments, contract safeguards, monitoring cadence, remediation expectations, and escalation triggers.
  • Lead third party tiering and re-tiering efforts using objective criteria such as criticality, data sensitivity, regulatory exposure, operational dependency, resiliency impact, replaceability, AI usage, and business materiality.
  • Identify and address risks proactively, engaging stakeholders to drive effective remediation efforts.
  • Identify and address risks proactively, engaging stakeholders to drive effective remediation efforts and ensuring ownership is assigned across Security, Procurement, Legal, IT, Engineering, Finance, Enterprise Risk, and business teams.
  • Prepare strategic updates of third-party and AI-enabled risk updates for executive leadership, auditors, regulators, and the board of directors.
  • Support Legal and Procurement as an infosec SME in collboration with security relevant teams for negotiating and approving third-party contracts,
  • Collaborate across teams to ensure third-party risk management practices are integrated and aligned
  •  into procurement, contracting, technology governance, SaaS security, identity governance, business continuity, incident response, audit, and enterprise risk processes.
  • Lead creation, execution, and automation of security, privacy, resiliency, and AI-specific assessments for third-party partners.
  • Validate third party security controls and AI controls to ensure compliance with organizational policies, standards, regulatory requirements, contractual commitments, and recognized frameworks.
  • Track and report remediation progress overdue findings, exception trends, and unresolved residual risks, providing insights and clear accountability to stakeholders.
  • Facilitate risk acceptance processes and escalate critical issues, material vendor events, AI-related risks, and control deficiencies to senior leaders as needed.
  • Reassess critical third-party security and AI risks periodically, applying lessons learned, external risk signals, material changes, incidents, regulatory updates, and evolving practices.
  • Support audit inquiries, regulatory exams, client due diligence, and executive requests by maintaining defensible evidence of program design, control execution, decision records, metrics, and risk treatment.
  • Set team goals aligned with organizational priorities, coach team members toward strategic thought leadership,  and foster continuous improvement, automation, accountability, and business-oriented risk management.
  • Other third party leadership duties as assigned.

 

What you will need to be successful

Education and Experience:

  • Bachelor’s Degree in Computer Science or Engineering, or a related technical field. Technical work experience may be substituted in lieu of educational requirements.
  • 12+ years of combined experience in information security.
  • Prior supervisory experience.

Specialized Knowledge, Skills, and Abilities:

  • Ability to integrate with the existing team and deliver on key objectives.
  • Become an integral part of a high performing team and motivate others.
  • Builds constructive relationships with diverse groups of people, including internal and external stakeholders.
  • Demonstrates excellent communication and listening skills.
  • Drives results and champions change.
  • Demonstrated ability to transform a third-party risk program from activity-based execution to measurable enterprise risk reduction, including development of operating procedures, governance routines, metrics, and executive-ready reporting.
  • Knowledge of AI technologies, governance concepts, and third-party AI risks, including AI-use disclosure, data protection, system documentation, human oversight, agentic workflow controls, monitoring, and incident response.
  • Ability to align TPRM practices with enterprise risk management, AI governance, privacy, legal, procurement, SaaS security, business continuity, and technology governance processes.
  • Experience in reviewing technical policies and developing standard operating procedures.
  • Fosters teamwork and collaboration.
  • High level of credibility, a technical background, particularly in security, preferably in environments with similar complexity and regulatory profiles to HealthEquity, spanning financial services, financial technology, and healthcare.
  • Operates with a commitment to customer service excellence.
  • Strong passion and motivation for security.

Certifications, Licenses, Registrations:

  • At least one advanced certification demonstrating enterprise security and risk leadership such as CISM, CISSP, or CRISC, required.
  • CTPRP, CTPRA, or HITRUST CCSFP to demonstrate depth in third party and assurance governance, preferred.
  • CIPP/US, CIPT, or CDPSE for privacy and data-protection alignment, preferred.
  • CGRC or ISO 27001 Lead Implementer/Auditor to support control and compliance maturity, preferred.
  • Active involvement in professional organizations such as ISACA, (ISC)², IAPP, or Shared Assessments, preferred.

 

#LI-Remote

This is a remote position.

Salary Range

$151500.00 To $200500.00 / year

Benefits & Perks

The actual compensation offer is determined based on job-related knowledge, education, skills, experience, and work location. This position will be eligible for performance-based incentives and restricted stock units as part of the total compensation package, in addition to a full range of benefits including:

  • Medical, dental, and vision
  • HSA contribution and match
  • Dependent care FSA match
  • Uncapped paid time off
  • Paid parental leave
  • 401(k) match
  • Personal and healthcare financial literacy programs
  • Ongoing education & tuition assistance
  • Gym and fitness reimbursement
  • Wellness program incentives

 

Onboarding & Travel

This is a remote role, with an in-person onboarding training component. New team members must participate in Trailhead, HealthEquity’s immersive onboarding experience Trailhead is designed to foster meaningful connections, support your integration into the organization, and equip you with a strong understanding of our business. Trailhead participation is a key expectation of this role. Trailhead is held onsite at our headquarters once per quarter. HealthEquity covers all required travel and accommodations. 

 

This role may begin with a virtual, self-paced onboarding experience, followed by a mandatory onsite Trailhead session at a later date.

 

HealthEquity is committed to providing reasonable accommodations to team members with qualifying disabilities. Should you be selected for this role and require an accommodation, we will put you in touch with our Benefits Team so you can begin the accommodation request process.

Why work with HealthEquity 

HealthEquity has a vision that by 2030 we will make HSAs as wide-spread and popular as retirement accounts. We are passionate about providing a solution that allows American families to connect health and wealth. Join us and discover a work experience where the person is valued more than the position. Click here to learn more. 

 

You belong at HealthEquity!

HealthEquity, Inc. is an equal opportunity employer, and we are committed to being an employer where no matter your background or identity – you feel welcome and included. We ensure equal opportunity for all applicants and employees without regard to race, age, color, religion, sex, sexual orientation, gender identity, national origin, status as a qualified individual with a disability, veteran status, or other legally protected characteristics. HealthEquity is a drug-free workplace. For more information about our EEO policy, or about HealthEquity’s applicant disability accommodation, drug-free-workplace, background check, and E-Verify policies, please visit our Careers page.

 

HealthEquity uses Microsoft Copilot to transcribe screening interviews between candidates and their direct Talent Partner for note taking and interview summaries. By scheduling a screening interview with us, you consent to Microsoft Copilot’s AI technology recording and transcribing your interview with your Talent Partner. This information will be reviewed for accuracy and then used by HealthEquity to summarize the interview, ensure accuracy, and facilitate our hiring process. We take privacy seriously. You have the option to opt out. If you wish to opt out of this Microsoft Copilot transcription, please notify your Talent Partner in advance of the interview. If we do not receive an opt-out request from you, we will assume that you consent to the use of Microsoft Copilot.

 

At HealthEquity, our goal is to save and improve lives by empowering healthcare consumers. This shared purpose inspires everything we do, including how we approach hiring. Our process is designed to get to know the real you: your skills, experiences, and potential to make a difference. We value honesty, originality, and the courage to do the right thing, even when it is not the easiest path. Showing up as your authentic self reflects these values and helps us build something truly remarkable together.

 

As AI is becoming a common tool throughout the application process, we want to be clear about its appropriate use at HealthEquity. Using AI to support resume writing, research, or interview preparation is perfectly acceptable, provided the content is accurate and genuinely represents your qualifications and skills.  For other key parts of our interview process, however, it is important that the ideas, communication, and work you share reflect your own voice, experiences, and thinking. We ask that you participate in our live interviews and complete any assessments without AI assistance unless instructions explicitly indicate otherwise or a specific exception is discussed and approved in advance. This approach ensures fairness, celebrates your individuality, and allows your authentic perspective to shine. Behaviors that do not align with these guidelines may result in disqualification from the hiring process or termination of employment if later discovered. We appreciate your understanding and look forward to learning about the unique contributions only you can bring to HealthEquity.

 

HealthEquity is committed to your privacy as an applicant for employment.  For information on our privacy policies and practices, please visit HealthEquity Privacy.

Want jobs like this matched to you?

Swoopd scores fresh postings against your résumé so you only see the matches that matter.

Get started free