Position: Principal – Third Party Cyber Risk Assessment
Primary Location: Raritan, NJ (preferred). Also available internally in São José dos Campos, São Paulo, Brazil and Warsaw, Poland.
Job Description
Johnson & Johnson is recruiting a senior technical authority and thought leader for third‑party cyber risk assessments across its global ecosystem of vendors, SaaS providers, and strategic partners. The role is based in the United States with Raritan, NJ preferred, but is also open to our ISRM Service Centers in Brazil and Poland.
Key Responsibilities
* Perform and lead third-party risk assessments, risk rankings, and collaboration on remediation strategies.
* Conduct deep technical reviews of third‑party security controls, evidence artifacts, attestations, and independent reports.
* Evaluate complex risk scenarios involving sensitive data types, regulatory obligations, complex architectures, and cross‑border data flows.
* Identify, document, and risk‑rate third‑party cyber issues, ensuring consistent severity determination and alignment to ISRM standards.
* Drive automation and process improvements through relevant projects and operations.
* Communicate assessment results to senior leaders and provide input on remediation plans.
* Enhance third‑party cyber risk assessment processes by defining and implementing process improvements.
* Provide consulting support to the wider cybersecurity team on understanding and remediating third‑party risk assessment findings.
* Lead and mentor junior team members, ensuring ongoing learning and supporting special projects.
Education
* A bachelor’s degree in Computer Science, Engineering, Information Security/Cybersecurity or equivalent degree.
* Advanced degree is preferred.
* Security certifications such as CISSP, CCSP, CISA, CRISC are preferred.
Required Experience and Skills
* 5+ years of direct third‑party cybersecurity risk assessment experience.
* 5+ years using ServiceNow GRC tool to support security risk objectives.
* Proficiency in conducting and leading third‑party risk assessments, including data classification, risk scoring, and mitigation planning.
* Ability to translate technical findings into business impact.
* Strong analytical and problem‑solving skills.
* Strong interpersonal skills to build and maintain relationships with internal partners.
Preferred Experience and Skills
* Foundational knowledge of regulatory requirements (SOX404, Privacy, HIPAA, GxP, cyber regulations).
* Experience assessing third‑party risk in a large, multinational organization.
* Experience in identifying key security risks, security controls, and providing consulting services throughout the vendor lifecycle.
* Experience with security standards and control frameworks (FAIR, HITRUST, ISO27001, NIST, SOC 2).
* Demonstrable record of effectively collaborating with virtual, global teams.
EEO Statement
Johnson & Johnson is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or other characteristics protected by federal, state or local law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act. If you are an individual with a disability and would like to request an accommodation, please contact us via