Information Security Manager - Third Party Contracting and Negotiation Lead (NYC Only)


Job Description

Why American Express?


There’s a difference between having a job and making a difference.


American Express has been making a difference in people’s lives for over 160 years, backing them in moments big and small, granting access, tools, and resources to take on their biggest challenges and reap the greatest rewards.


We’ve also made a difference in the lives of our people, providing a culture of learning and collaboration, and helping them with what they need to succeed and thrive. We have their backs as they grow their skills, conquer new challenges, or even take time to spend with their family or community. And when they’re ready to take on a new career path, we’re right there with them, giving them the guidance and momentum into the best future they envision.


Because we believe that the best way to back our customers is to back our people.


The powerful backing of American Express.

Don’t make a difference without it.

Don’t live life without it.

Information Security Manager – Third Party Contracting and Negotiation Lead


Reporting to the Director of Third Party Security and Execution, the Third Party Contracting and Negotiation Lead is responsible for providing Information Security subject matter expertise. In this role, the candidate will work closely with the General Counsel Organization, Third Party Lifecycle Management, Global Procurement, and Global Business Units to ensure third parties adhere to American Express Security requirements.


The candidate will participate in and represent Information Security and IT Risk during contract negotiations relevant to third party cybersecurity oversight and will develop and maintain cybersecurity requirements for third parties.


The ideal candidate is:

  • Knowledgeable in multiple areas of technology, with hands-on experience and technical expertise across all Information Security domains

  • Experienced with local, national, and international financial services and privacy regulations, such as GLBA, NYDFS, GDPR, CCPA, etc., and credit card industry standards, such as PCI-DSS

  • An agile thinker, passionate and energetic; highly collaborative, possessing strong cultural awareness and fantastic written and verbal communication skills

Primary Responsibilities

  • Provide Information Security subject matter expertise to the General Counsel Organization, Third Party Lifecycle Management, Global Procurement, and Global Business Units for the inclusion of Information Security and IT Risk requirements in third party supplier and non-supplier contracts

  • Negotiate cybersecurity contractual addendums, riders, etc. directly with third party account managers, attorneys, and information security staff; effectively communicate American Express requirements to technical and non-technical representatives of third parties

  • Facilitate alignment across internal and external third party stakeholders

  • Evaluate criticality of issues and advise internal stakeholders with a risk-based approach and an understanding of Business objectives

  • Remain up to date on Information Security standards, industry best practices, cybersecurity and privacy regulations, trends, threats, and new technologies, and provide continued guidance on enhancements to contractual protections for cybersecurity, privacy and regulatory requirements

Additional Responsibilities

  • Provide feedback to leadership, including regular reporting and metrics, in order to assist with the governance and overall growth of the third party security program

  • Provide guidance during the risk acceptance process relating to third parties

  • Understand cybersecurity and regulatory issues specific to the third party landscape by connecting with peers, experts, standards organizations, and industry forums

  • Provide training, including the development of training materials, to internal stakeholders

  • Project management

  • Partner with internal stakeholders to develop, improve, and document processes

  • Assist with and participate in third party cyber incident response and outreach activity


  • 7-10 years of experience, in positions of increasing responsibility, in Information Security risk assessments, cyber security operations, threat and vulnerability management, security architecture, or cyber security incident response

  • Prior experience with contract negotiation

  • Ability to effectively communicate and articulate Information Security risks

  • Understanding of what information or assets are of value to threat actors and how organizations and data are breached, including through relationships with external third parties

  • Strong familiarity with industry standards and control frameworks, risk assessment frameworks, security assurance auditing standards, and best practice guidelines, such as ISO 27001, NIST CSF, FAIR, SSAE 16/18, CSA, CIS Top 20, OWASP Top 10, etc.

  • Understanding of and experience with modern security controls, technologies, and procedures, including vulnerability scanning, penetration testing, encryption, endpoint and anti-malware protection, network security, DLP systems, logging systems, physical security systems, etc.

  • Strong familiarity with cloud-based services, architectures, and underlying management frameworks

  • Familiar with network architectures and data exchange protocols, such as API usage, secure file transfers, etc.

  • Familiar with cyber resiliency, disaster recovery, and business continuity concepts

  • Basic understanding of cyber incident response, investigation, and forensic analysis

  • Must have excellent verbal and written communication skills, interpersonal collaborative skills, and the ability to communicate security and risk-related concepts to technical and non-technical audiences

  • Must possess the ability to multitask, prioritize, and manage time effectively

  • Must be able to pay strong attention to detail

  • Bachelor's degree in Cybersecurity, Computer Science, or Information Systems, or an equivalent combination of education and experience, preferred

  • CISSP, CISM or similar certifications preferred

Employment eligibility to work with American Express in the U.S. is required, as the company will not pursue visa sponsorship for these positions.

ReqID: 20000384
Schedule (Full-Time/Part-Time): Full-time
Date Posted: Jan 8, 2020, 9:41:33 PM