Company Description
For over 100 years, BlueScope continues to build on our reputation of quality brands and products, leading technology and a customer-first spirit. Through our global brands, we are one of the largest manufacturers of building solutions in the world. Our diverse, bright and inspired workforce is committed to bettering the communities we serve through breakthrough thinking and innovations. Your goals, ideas and perspective can help shape our future – we look forward to hearing them!
The Third-Party Technology Risk Management Specialist is responsible for leading and evolving the third-party risk management (TPRM) program within a manufacturing environment, ensuring that vendors, suppliers, and service providers meet the company’s cybersecurity, compliance, and business continuity requirements.
This role demands a self-directed expert who can proactively identify, assess, and mitigate risks across IT, Operational Technology (OT), and cloud environments. A significant focus will be on ensuring vendor resilience, RTO (Recovery Time Objective), and RPO (Recovery Point Objective) to minimize disruptions to manufacturing operations.
The Third-Party Technology Risk Management Specialist possesses strong competencies in leadership, emotional intelligence, manufacturing business processes, technology risk management, business continuity planning, vendor security assessments, and compliance auditing.
The Third-Party Technology Risk Management Specialist has the ability to influence and build consensus across the global organization, to operate independently under ambiguous circumstances, and to use discernment to lead organization-wide technology changes, usher in third-party technology implementations, and monitor third parties throughout their life cycle at BlueScope.
Key Responsibilities:
Third-Party Risk Management & Governance
Develop, implement, and maintain a third-party technology risk management framework with a focus on business resilience and cyber risk mitigation.
Define risk assessment methodologies and establish policies to evaluate vendor security, compliance, and RTO/RPO capabilities.
Establish and maintain a vendor risk register, tracking security gaps, mitigation plans, and ongoing monitoring efforts.
Proactively drive security improvements across the vendor ecosystem by engaging with IT, Procurement, Legal, and Operations teams.
Business Continuity, RTO/RPO Planning & Disaster Recovery
Evaluate vendors’ ability to meet required RTO (maximum downtime) and RPO (maximum data loss) for critical manufacturing systems.
Assess third-party backup, failover, and disaster recovery (DR) strategies, ensuring alignment with corporate continuity plans.
Develop contingency plans for high-risk vendors to ensure uninterrupted operations in case of security incidents.
Lead tabletop exercises to test vendor recovery capabilities and enhance preparedness for cyber events affecting OT and IT environments.
Vendor Risk Assessments & Compliance Audits
Conduct thorough third-party cybersecurity risk assessments, prioritizing high-risk vendors with access to critical systems.
Ensure vendors comply with NIST 800-82, IEC 62443, ISO 27001, SOC 2, and other regulatory standards.
Implement continuous monitoring using security rating tools (e.g., SecurityScorecard, BitSight) to track vendor cyber posture.
Lead onsite and remote audits of vendors handling sensitive manufacturing or operational data.
Incident Response & Risk Mitigation
Establish clear incident reporting and response protocols for third-party security breaches.
Lead investigations into vendor-related security incidents, ensuring rapid containment and remediation.
Collaborate with OT security teams to mitigate vendor-related risks in ICS/SCADA environments.
Collaboration & Stakeholder Engagement
Act as the liaison between IT, OT, Legal, Procurement, and Compliance teams to balance security with business needs.
Provide training and awareness programs on vendor risk management for internal stakeholders.
Work with engineering and plant operations teams to minimize downtime and prevent supply chain disruptions caused by third-party failures.
Serve as the internal authority on third-party cyber risk, educating teams on vendor security best practices.
Provide strategic risk guidance to executive leadership, IT, procurement, and plant operations.
Work closely with legal teams to define contractual security clauses, RTO/RPO expectations, and security SLAs for vendors.
Reporting & Metrics
Develop and present risk dashboards, reports, and key risk indicators (KRIs) to leadership.
Provide actionable insights into vendor risk exposure and recommend proactive risk mitigation strategies.
Strategic Risk Management & Vendor Oversight
Enterprise-Wide Dependency Mapping: Conduct comprehensive mapping of internal and external system dependencies, ensuring a clear understanding of critical integrations and vendor reliance across the organization.
Annual Vendor Continuity Assurance: Lead the annual third-party business continuity assurance process, evaluating vendors’ ability to meet operational, security, and resiliency standards.
SOC 2 Report Analysis & Risk Remediation: Review and analyze SOC 2, ISO 27001, and other compliance reports, identifying gaps in security controls and developing remediation strategies for compensating controls.
Risk Briefing for Executives: Provide clear, concise, and actionable briefings to executives on third-party technology reliance, ensuring leadership has a holistic view of vendor risks and dependencies.
Risk Assessment & Treatment Decision-Making
Trusted Advisory Role: Act as a subject matter expert (SME) and trusted advisor to engagement owners considering new vendor relationships, helping them navigate risk treatment options and ensuring security standards are met.
Risk Acceptance & Governance: Operate a structured risk acceptance framework, ensuring risk is accepted by appropriate BlueScope representatives whose level of responsibility matches the risk exposure.
Business Impact Contextualization: Assess third-party risks within the context of business operations, ensuring that security decisions align with BlueScope’s risk appetite and operational resilience requirements.
Industry 4.0 & Advanced Technology Risk Management
Third-Party Risk Oversight in Manufacturing: Perform oversight of vendors involved in manufacturing technology ecosystems, including Industrial IoT (IIoT), IT/OT convergence, and Industry 4.0 initiatives.
AI & Automated OT Risk Assessments: Conduct risk assessments of AI-driven and automated OT systems, ensuring compliance with emerging AI risk standards and safe deployment of Rockwell automation products.
Required Qualifications & Experience: To be considered for this position, you must possess the following qualifications:
Bachelor’s or Master’s degree in Cybersecurity, Information Security, Risk Management, Business Continuity, or a related field.
5 years of experience in third-party risk management, cybersecurity, IT governance, business continuity planning, or manufacturing security, or a combination of education and experience.
Desired Qualifications: To be considered an ideal candidate, you should possess some or all of the following qualifications:
Certifications such as CRISC, CTPRP, CBCP, IEC 62443, GIAC GICSP, etc.
Experience in manufacturing, industrial control systems (ICS), or critical infrastructure is highly desirable.
Experience overseeing third-party risk in IT/OT converged environments, Industry 4.0, and AI-driven automation is a plus.
Additional Information
The preceding job responsibilities and tasks are designed to indicate the general nature and level of work performed by associates in this job. They are not designed to contain, or to be interpreted as, a comprehensive inventory of all job duties and responsibilities required of associates assigned to this job. Associates may be required to perform other duties as assigned. Additional job competencies, individual goals, and performance measurements are set at the department level.
The benefits are just as rewarding as the work at BlueScope. To support our goal, we offer a total compensation plan and an outstanding benefits package that includes health insurance, life insurance, short and long term disability, paid time off, and retirement.
EEO: Employer/M/F/Disabled/Protected Veteran
BlueScope is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, sex, sexual orientation, gender identity, age, status as a protected veteran, or status as a qualified individual with a disability, among other things.