Director of Cyber Third-Party Assurance

The Opportunity

As the Director of the Cyber Third-Party Assurance team you will work in a fast-paced, collaborative environment overseeing the onboarding and continuous monitoring of Mass Mutual’s third-parties. The Director of Cyber Third-Party Assurance (CTPA) leads the enterprise’s vendor and supplier cybersecurity risk management function. This role is responsible for ensuring that third-party engagements meet Mass Mutual’s cybersecurity standards and comply with regulatory expectations. The position manages a team responsible for four critical verticals: onboarding new vendors, conducting risk-based assessments of returned questionnaires, actively monitoring critical vendors through continuous oversight and managing third-party risk questionnaires received when Mass Mutual serves as a vendor. This role ensures that there is a consistent, risk-driven approach to protecting the enterprise from supplier-related cyber threats.

• Vendor Onboarding & Due Diligence:

Oversee the vendor onboarding process, beginning with inherent risk assessments and tailored due diligence questionnaires. Lead the review of questionnaire responses, assign risk scores, and determine requirements for follow-up remediation or reassessment. Partner with Procurement, Legal, and Governance to ensure contract language reflects cyber requirements.

• Ongoing Vendor Monitoring:

Direct continuous monitoring of critical and high-risk vendors using third-party risk intelligence tools (e.g., RiskRecon). Oversee periodic reassessments based on vendor tier, risk exposure, and regulatory requirements. Ensure supplier vulnerabilities and incident notifications are addressed and escalated appropriately.

• Third-Party Questionnaire Responses:

Manage the function that responds to cybersecurity questionnaires MassMutual receives as a third party to other organizations. Ensure responses are accurate, consistent, and aligned with enterprise security posture and regulatory expectations.

• Governance, Reporting & Stakeholder Engagement:

Provide executive-level reporting on third-party cyber risk posture, metrics, and emerging risks. Align with Governance, Enterprise Risk Management, and Internal Audit to ensure defensible oversight. Partner with BISOs, platform engineering, and security control owners to ensure vendor cyber risk is accurately identified and managed.

The Team

The Cyber Third-Party Assurance (CTPA) team plays a critical role in protecting Mass Mutual’s enterprise by managing cyber and operational risks across its vast supplier ecosystem. This team serves as a strategic partner to the business, providing assurance that our vendors and SaaS providers maintain the highest standards of security, compliance, and resilience. Leveraging advanced tools and regulatory expertise, CTPA delivers proactive risk insights, drives remediation of control gaps, and strengthens the organization’s ability to meet stringent expectations from regulators, clients and the board. The team operates at the intersection of governance, procurement, and enterprise risk, ensuring that third-party dependencies do not become enterprise vulnerabilities. By leading this function, the incoming director will directly influence Mass Mutual’s risk posture, reputation and ability to innovate securely with trusted partners.

The Impact:

• Protects the enterprise from supplier-related cyber threats and regulatory exposure.
• Strengthens resilience through proactive risk identification, monitoring, and remediation.
• Enhances vendor trust and reputation through a mature, transparent, and defensible third-party cyber risk program.
• Provides leadership with actionable intelligence to inform decision-making.

The Minimum Qualifications

• Bachelor’s degree in information technology, Cyber Security, or a related field.

• 8+ years of experience in cybersecurity, including 4+ years in a leadership role focused on third-party risk management, or vendor assurance.
• Authorized to work in the US without requiring sponsorship now and in the future.

The Ideal Qualifications

• Knowledge of regulatory frameworks (NIST CSF 2.0, CRI Profile, etc.).
• Strong analytical skills for measuring program effectiveness and driving continuous improvement.
• Demonstrated experience in managing risk assessments, due diligence, and continuous monitoring processes.
• Familiarity with vendor risk intelligence platforms (e.g., , RiskRecon) and GRC tools (e.g., Archer, Process Unity).
• Excellent communication and stakeholder engagement skills, including executive-level reporting.
• CISSP, CTPRP, or related certifications preferred.