Third Party Security Risk Analyst

Job Description

DRW is a diversified trading firm with over 3 decades of experience bringing sophisticated technology and exceptional people together to operate in markets around the world. We value autonomy and the ability to quickly pivot to capture opportunities, so we operate using our own capital and trade at our own risk.

Headquartered in Chicago with offices throughout the U.S., Canada, Europe, and Asia, we trade a variety of asset classes including Fixed Income, ETFs, Equities, FX, Commodities and Energy across all major global markets. We have also leveraged our expertise and technology to expand into three non-traditional strategies: real estate, venture capital and cryptoassets. 

We operate with respect, curiosity and open minds. The people who thrive here share our belief that it’s not just what we do that matters–it's how we do it. DRW is a place of high expectations, integrity, innovation and a willingness to challenge consensus.  

We are seeking a Third Party Security Risk Analyst to join the team. This individual will be responsible for driving the third-party security risk management program at DRW, including:

  • Performing vendor risk assessments including sending, receiving, and processing questionnaires from vendors.
  • Continuously monitoring vendors. 
  • Validating control evidence requests and interpreting SOC 2, ISO, SIG, etc. reports.
  • Validating DRW's ability to manage vendor admin access, logging and monitoring, MFA, and other critical control areas during onboarding.
  • Tracking issues and their remediations with vendors.
  • Escalating issues with vendors to the appropriate DRW personnel.
  • Working with key technology stakeholders / vendor relationship owners within DRW to determine inherent risk of vendors.
  • Assisting in due diligence questionnaire requests that DRW receives from partners and regulatory bodies. 

Minimum qualifications: 

  • 2-3+ years' experience in vendor risk management, security control testing, internal audit, InfoSec consulting, or similar. 
  • Ability to understand and interpret vendor responses. 
  • Familiarity with control frameworks such as ISO, NIST, CIS, CSA, SIG, etc.
  • Driven – ability to execute independently, not afraid to ask questions and dig deeper when things are unclear; ability to handle ambiguity and propose solutions / new ideas. 
  • Knowledge of vendor risk management best practices.
  • Proactive learner who seeks to consistently enhance their knowledge and understanding of cybersecurity news and best practices. 

Nice to haves:

  • CISA, CRISC, CISSP, Shared Assessments Certified Third Party Risk Professional (CTPRP) or other related certification. 
  • At least 3-4 years of experience.

For more information about DRW's processing activities and our use of job applicants' data, please view our Privacy Notice at

California residents, please review the California Privacy Notice for information about certain legal rights at