ID:  119822

Montreal Qc, CA

Cyber Third-party Risk Management Expert (GRC)

CMA CGM Group, founded by Jacques R. Saadé, is a leading worldwide shipping & logistics group.

Now headed by Rodolphe Saadé, CMA CGM reinvents transport and logistics in order to offer an integrated maritime, port and land service that exceeds its customers' expectations. 

Present in over 160 countries through 755 offices and 750 warehouses, and equipped with a young and diverse fleet of 511 vessels, CMA CGM serves 420 of the world's 521 commercial ports and operates on more than 200 shipping lines. The group currently employs 110,000 people worldwide, including nearly 2,400 in its headquarters in Marseilles.

We are looking for a GRC cybersecurity profile: a Third-Party Risk Analyst who, with a risk-based approach, participates in cybersecurity activities in order to embed cybersecurity in the various business processes and ultimately in the culture of the organization.

As a quasi-second line of defense, you participate in the major cybersecurity activities within the procurement processes.

The Cybersecurity Risk Analysts report to the GRC Director under the supervision of a Team Lead.

The primary responsibility of the Third Party Risk Analyst position will be to conduct formalized Information Security risk assessments of Third Parties, focusing on Information Security and Data Privacy controls. The position will participate as needed in all aspects of the TPRM lifecycle, starting with the information gathering process, due diligence/documentation review, assessing risk (including formalized risk analysis), identifying potential gaps, and providing security solutions to mitigate risks.

This position will interact with individuals all throughout the company as well as third parties.

Primary Duties & Responsibilities:

  • Review services and data in scope of the assessment and analyze engagement risk ratings
  • Conduct formal end-to-end Information Security Risk Assessments (review of questionnaires, third party security audit reports and evidence, onsite assessments, etc.)
  • Document the risk assessment in a formal report, including any identified deficiencies in the third party’s Information Security program
  • Work together with the rest of the TPRM team and stakeholders to review the assessment and escalate any issues. Work with operating units, the BISO and partners to get additional information and to properly vet any issues prior to finalizing the report
  • Review and analyze evidence supporting deficiency remediation efforts prior to closure
  • Assess remediation plans and non-compliance acceptances where compliance with CyberSecurity standards cannot be achieved
  • Keep the assigned review inventory in the system of record up to date
  • Partner with other CyberSecurity teams, the BISO, Operating units and IT to ensure that risks are clearly articulated in a manner that is understood by business and technology audiences
  • Participate in and influence Third Party Risk assessment process improvement, including procedures, processes, project deliverables and reporting initiatives
  • Build and maintain positive relationships with management, team members, and stakeholders across the company using effective written and oral communication practices
  • Serve as a subject matter expert and process ambassador for TPRM-related processes, procedures, and workflows
  • Other duties and special projects as assigned
  • Travel expected: 10% or less

Your profile meets the following criteria for qualifications and behavior:

Minimum Qualifications:

  • 3+ years’ experience in Audit / IT and/or Information Security, performing technical security assessments of vendors, products, and solutions based on industry standards and frameworks such as PCI, CSA CAI, HIPAA, GDPR, or similar
  • Experience with Information Security Risk Analysis, including formal risk assessments
  • Strong oral and written communication skills; you speak fluent English
  • Strong analytical and problem-solving skills, with the ability to analyze data, identify opportunities, determine solutions, identify and obtain needed resources, and execute to completion with minimal or no supervision
  • Strong relationship management and interpersonal skills, along with excellent written and oral communication skills, including the ability to synthesize data, develop recommendations, and influence and persuade partners
  • A foundational understanding of common technology architectures; able to credibly understand high-level system architecture and data flow diagrams for the purpose of identifying gaps and risk
  • Knowledge of key regulatory risks and industry guidance, e.g. GDPR, Swift, NYS Part 500, Sarbanes-Oxley, DoD DFARS clauses and PCI, desired
  • Ability to effectively communicate complex Information Security / Cyber Security issues to non-technical audiences
  • Understanding of the principles of IT Audit, General Controls and/or IT Compliance related standards
  • Experience with OSINT tools a plus (RiskRecon, BitSight, Security Scorecard, …)
  • Experience with GRC software/solutions considered a plus
  • Experience in a large-scale organization such as Financial Services preferred; experience in the Transport / Shipping / Logistics sector is an asset
  • Advanced Information Security certifications (CISSP, CISA, or similar) an asset
  • Extremely detail oriented
  • Excellent organizational and planning skills

You also have the following qualities:

  • Ability to adapt to various situations and to adapt your behavior according to the environment and the type of interlocutor
  • Proactive in unblocking complex situations, in the interest of the organization
  • Capacity to explain and synthesize issues and proposed solutions for a wide audience
  • Autonomy and proactive behavior
  • Excellent written communication; ability to analyze and synthesize, especially orally
  • Team spirit, a teaching mindset, and the ability to develop the skills of your partners
  • Ability to acquire new functional skills
  • Ability to work in an international environment, in contact with multicultural and offshore teams
  • Leadership, perseverance and endurance; willing to challenge the status quo
  • Ability to manage change and unite partners around innovative ideas
  • You speak English fluently; French is an asset

We are an equal opportunity employer. 

You must have a legal authorization to work in Canada. 

Come along on CMA CGM’s adventure!