The Role

We are looking for an Associate Director, Third-Party Risk Management (TPRM) to own the TPRM pillar at Flex. This is not a program management role. It is a pillar ownership role: you set the risk posture, define the operating model, and are accountable for outcomes across a vendor population that touches every part of the business.

You will lead a small team, establish the direction for how Flex evaluates and monitors third-party risk, and make the calls on where speed and rigor need to be balanced. You will design AI-enabled workflows that scale the team's capacity without sacrificing auditability or regulatory defensibility. And you will hold Flex's third-party risk position across the organization, shaping decisions in Product, Engineering, Finance, and Procurement rather than responding to requests from them.

This role is right for someone who has owned TPRM at a mature, regulated institution and also built something from the ground up at a high-growth fintech. Someone comfortable with ambiguity, confident in their risk judgment, and ready to be handed the reins.

What You’ll Do

1. Own Flex's third-party risk posture end-to-end: set the strategy, define the operating model, and be accountable for outcomes across the full vendor population
2. Establish and maintain the policies, standards, and governance framework that underpin TPRM across the organization
3. Make risk-based decisions on vendor approvals, exceptions, and escalations, including explicit tradeoffs between speed and risk exposure, and defend those positions to senior leadership and regulators
4. Architect scalable intake, tiering, due diligence, and monitoring workflows, designing AI-enabled automation where it improves speed and consistency without removing human judgment from consequential decisions
5. Build signal-driven monitoring systems that surface vendor risk in real time (financial distress, security incidents, operational failures) rather than relying on calendar-based review cycles
6. Design and own AI workflows for high-volume tasks like SOC report analysis, questionnaire scoring, and exception tracking, with clear auditability and human-in-the-loop checkpoints throughout
7. Drive risk alignment across Product, Engineering, Finance, and Procurement, shaping vendor strategy and sourcing decisions upstream rather than reviewing them after the fact
8. Serve as Flex's authoritative voice on third-party risk in regulatory exams, audits, and customer due diligence requests
9. Own the reporting framework that gives senior leadership real-time, decision-relevant visibility into third-party risk posture
10. Proactively identify emerging third-party risks across new vendor categories, evolving threat landscapes, and regulatory developments, and evolve controls before they become issues
11. Help mentor and develop more junior team members as the program and team scale

What We’re Looking For

• 7+ years of experience in third-party risk, vendor risk, or a closely related risk and compliance discipline
• Experience at both a large, regulated institution with a mature risk function and a high-growth, venture-backed fintech or technology company
• Demonstrated track record of making and defending risk-based decisions under ambiguity, including explicit speed-vs-risk tradeoffs
• Experience designing AI-enabled workflows for risk or compliance use cases, with a clear point of view on where automation helps and where human oversight is non-negotiable
• Strong working knowledge of vendor risk domains: security, privacy, operational, financial, and regulatory
• Proven ability to influence across Product, Engineering, and Finance, not just within a compliance or risk silo
• Strong communication skills; able to translate complex risk positions into clear recommendations for executive and board-level audiences
• Comfort with data; SQL experience or the ability to query and analyze data independently is a strong plus
• Experience supporting or leading regulatory exams in a financial services or fintech environment

Nice to Have

• Experience building a TPRM program from scratch at a high-growth company
• Familiarity with GRC platforms and common TPRM tooling
• Working knowledge of relevant frameworks and standards (SOC 2, ISO 27001, NIST, PCI, etc.)
• Prior people management or team lead experience

Flex takes a market-based approach to pay, ensuring compensation is commensurate with a candidate's experience and our internal leveling guidelines. For candidates located in our Tier 1 markets (NYC/ SF), the base salary pay range for this role is $176,000—$220,000 USD. For all other U.S. locations, Flex utilizes a geographic pay differential based on a cost of labor index. If you are located outside of the Tier 1 states listed above, your starting pay will be adjusted to align with the market conditions of your specific geographic zone. Please speak with your recruiter for additional information regarding the specific range for your location.

ABOUT THIS ROLE 

LVT is actively seeking a highly motivated and detail-oriented Information Security Analyst (GRC) to join our growing Information Security team. This role will report directly to the Information Security Manager (GRC). This position is designed for an individual eager to delve deeply into the operational aspects of Governance, Risk, and Compliance, directly supporting LVT’s steadfast commitment to security excellence and regulatory adherence as the business continues its innovative scaling.

LVT values managing risk in alignment with our customer’s and stakeholder’s expected levels. We design, implement, and monitor controls that reduce real risk. The Information Security Analyst (GRC) will work with Management to operate key GRC processes. The primary focus of this hands-on position will be answering customer security questionnaires, performing risk assessments and internal audits, developing and maintaining policies, being a liaison for our external auditors, and helping to identify, manage, and reduce risk across our environment.

ROLE RESPONSIBILITIES

• Support LVT’s annual SOC 2 audit.
• Facilitate effective communication and coordination with internal SOC 2 control owners. 
• Proactively assist in identifying, analyzing, and resolving audit concerns or control deficiencies, proposing initial remediation steps. 
• Document audit outcomes, lessons learned, and recommended improvements post-audit. 
• Execute control testing, including evidence collection and documentation.
• Develop  LVT’s security policies, submitting them for approval, and ensuring alignment with organizational standards.
• Maintain and update the risk register to ensure accurate and timely recording of identified risks and their mitigation status.
• Maintain GRC documentation to ensure accuracy, accessibility, compliance with internal controls
• Execute quarterly  user access reviews.

OUR IDEAL CANDIDATE

• 1-3 years of experience with Information Security, GRC or IT Audit roles.
• Highly organized and can multitask and juggle multiple priorities.
• Familiarity with leveraging and applying AI tools and technologies to automate routine GRC tasks and improve program efficiency.
• Practical experience with SOC 2 audit processes including proficiency in control testing, evidence collection, and internal coordination.
• Familiarity with information security and risk frameworks.
• A foundational understanding of business operations and how security controls impact business functions. 
• Effective verbal and written communicator.
• Desire to work directly with key stakeholders, including customers.
• Hunger to learn and grow their abilities.
• Consistently demonstrates high integrity and transparency.
• Willing to take on tasks with a positive attitude, but also speaks up on concerns.
• A Bachelor's degree in Information Security, Computer Science, Information Technology, Business, or a related field, or equivalent practical experience, is preferred. 
• Experience working with GRC platforms (e.g., Drata, Vanta, ZenGRC) and project management tools (e.g., Jira, Asana) is helpful.
• Relevant professional certifications such as CompTIA Security+, CISA, CC, or CRISC are a plus

ABOUT THIS ROLE 

LVT is actively seeking a highly motivated and detail-oriented Information Security Manager (GRC) to join our growing Information Security team. This role will report directly to the Information Security Director (GRC). This position is designed for an individual eager to delve deeply into the operational aspects of Governance, Risk, and Compliance, directly supporting LVT’s steadfast commitment to security excellence and regulatory adherence as the business continues its innovative scaling.

LVT values managing risk in alignment with our customer’s and stakeholder’s expected levels. We design, implement,  and monitor controls that reduce real risk. The  Information Security Manager (GRC) will play an instrumental role in driving key operational GRC initiatives. The primary focus of this hands-on position will be the end-to-end management of LVT’s SOC 2 audit processes, initiating third-party risk assessments, actively contributing to the policy review and approval lifecycle, and documenting and treating risks in our risk register. 

Fostering collaborative relationships and good communication is critical as you will work closely with cross-functional teams across the organization to integrate GRC standards and principles into LVT’s operations. This role demands exceptional organizational skills, both strategic vision and tactical efforts, and the ability to build and mentor a team of security professionals to meet both current and future GRC challenges.

ROLE RESPONSIBILITIES

• Manage LVT’s annual SOC 2 audit and other audits as necessary.  
• Collaborate with IT, Finance, and Legal to represent Information Security in various cross-functional processes including vendor risk, contractual terms , and customer security questions.
• Identify inefficiencies in different GRC processes and improve them.
• Design and manage regular internal audits of security controls.
• Implement automated control monitoring and evidence collection.
• Create, review, and maintain LVT’s security policies.  
• Maintain LVT’s risk register to ensure accurate and timely recording of identified risks and their mitigation statuses.  
• Build strong relationships with risk owners to drive program buy-in, accountability, and ownership.
• Work with SalesOps to develop an approach to customer security questionnaires.
• Mature our public-facing Security Trust Center to enhance transparency, showcase LVT’s commitment to security, and streamline the sales process.
• Identify and operationalize ways to automate tools and processes to improve LVT’s compliance program efficiency and collaboration across multiple teams.
• Establish and maintain measurable GRC program metrics to quantify effectiveness, highlight progress, and drive continuous improvement.

OUR IDEAL CANDIDATE

• 5+ years of experience with Information Security, GRC or IT Audit roles, demonstrating a growing understanding of GRC concepts and methodologies. 
• Experience managing a GRC function and staff.
• Effective writing skills for tasks such as policy review and approval, developing risk treatment plans, and creating audit documentation and responses for external auditors.
• Strong organizational skills and attention to detail for managing documentation, audit evidence, and maintaining accurate GRC records.
• Proven track record of developing and implementing policies and procedures, assessing and prioritizing risks, and maturing security compliance programs.
• Substantial experience with regulatory frameworks and standards, such as NIST, SOC 2, ISO 27001, and FedRAMP.
• Experience communicating detailed security concepts, risks, and controls to both technical and non-technical stakeholders.
• Outstanding interpersonal and leadership skills that inspire collaboration and drive alignment across teams.
• Demonstrates an ability to lead effectively in dynamic, fast-paced environments, balancing strategic vision with tactical execution to respond to evolving security needs.
• Experience working with GRC platforms (e.g., Drata, Vanta, ZenGRC) and project management tools (e.g., Jira, Asana) is a plus.
• A Bachelor's degree in Information Security, Computer Science, Information Technology, Business, or a related field, or equivalent practical experience, is preferred. 
• Relevant professional certifications such as CISSP, CompTIA Security+, CISA, or CRISC are highly desirable.