Sr Director, Cyber Third-Party Risk Management

Date: Apr 2, 2026

Location: Chicago, IL, US, 60607

Company: McDonald's Corporation

Company Description
McDonald’s is proud to be one of the most recognized brands in the world, with restaurants in over 100 countries that serve 70 million customers daily. As the global leader in the food service industry, our legacy of innovation and hard work continues to drive us.
From drive thru updates to delivery to mobile order and pay, we are innovating quickly and growing. Joining McDonald's means thinking big and preparing for a career that can have influence around the world.
 

Department Overview

The Senior Director of Cyber Third-Party Risk Management (TPRM) is accountable for leading and modernizing McDonald’s global third-party cyber risk management capability across a highly distributed, market-driven technology and supplier ecosystem. This role owns the design and execution of a scalable, intelligence-driven TPRM program that moves beyond traditional, questionnaire-centric approaches and delivers meaningful, defensible assurance over third-party cyber risk.

The role places particular emphasis on third-party providers operating within IDL market segments, where complex technology integrations, data flows, and operational dependencies introduce elevated cyber and business risk. The Senior Director develops deep understanding of these integrations, works closely with security architecture and technical SMEs to validate control effectiveness, and ensures that third-party solutions supporting markets do not introduce unacceptable systemic or concentration risk.

This leader partners closely with Global Supply Chain, Indirect Procurement, Legal, Privacy, ERM, and IDL Market CTOs to reduce fragmentation across markets by translating market-specific solution sets into standardized enterprise agreements, security configurations, and control expectations. A core mandate of the role is innovation: designing new, differentiated approaches to third-party assurance that leverage automation, technical validation, and continuous monitoring rather than relying solely on static questionnaires.

Responsibilities

Program Leadership & Modernization

  • Own and evolve McDonald’s global TPRM strategy and operating model, ensuring it is scalable, risk-based, and aligned to enterprise cyber risk governance expectations.
  • Transform TPRM from a primarily questionnaire-driven process into a modern program that blends survey efficiency with technical validation, continuous monitoring, and risk quantification.
  • Establish and operate the full third-party risk lifecycle, including onboarding, inherent risk tiering, due diligence, technical assessment, ongoing monitoring, reassessment, and secure offboarding.

 

Continuous Monitoring, Automation & Innovation

  • Implement continuous monitoring capabilities to provide near real-time visibility into third-party cyber posture, control degradation, and emerging risk signals.
  • Explore and deploy innovative approaches, including automation and AI-assisted techniques, for evidence collection, risk scoring, and exception management.
  • Continuously evaluate emerging tools, data sources, and assurance models to improve coverage, reduce friction, and increase signal quality beyond traditional questionnaires.

 

Governance, Reporting & Escalation

  • Maintain a centralized inventory of third-party engagements, risk tiers, and risk treatment decisions across the enterprise.
  • Provide clear, concise reporting on third-party cyber risk posture, trends, and concentration risk to the Vice President, Cyber GRC and senior leadership.


Leadership & Collaboration

  • Build and lead a high-performing team of third-party risk professionals and technical reviewers.
  • Reinforce a culture of accountability, innovation, and constructive challenge consistent with McDonald’s values and operating principles.

Qualifications

  • 12+ years of experience in cybersecurity, technology risk, or information security, with significant ownership of third‑party / supplier cyber risk management in large, complex enterprises.
  • Proven experience designing and leading a global TPRM program, including the full third‑party risk lifecycle (onboarding, tiering, due diligence, monitoring, reassessment, and offboarding).
  • Demonstrated success modernizing TPRM, moving beyond questionnaire‑centric models to risk‑based approaches that incorporate technical validation, automation, and continuous monitoring.
  • Strong technical fluency across cloud, APIs, identity, data flows, and integration architectures, with the ability to partner credibly with security architects and technical SMEs.
  • Experience overseeing deep technical assessments for high‑risk or critical third parties (e.g., architecture reviews, threat modeling, penetration testing results, vulnerability assessments).
  • Ability to operate effectively in highly distributed, market‑driven or franchise‑based environments, translating local solutions into standardized enterprise security requirements.
  • Demonstrated leadership experience, including building and leading high‑performing teams and influencing senior stakeholders across Technology, Procurement, Legal, Privacy, and ERM.
  • Strong executive communication skills, with experience reporting third‑party cyber risk posture and trends to senior leadership.

 

Preferred

  • Familiarity with systemic, concentration, and fourth‑party risk.
  • Working knowledge of NIST CSF, ISO 27001, GDPR, and CCPA.
  • Relevant certifications (e.g., CISSP, CISM, CRISC, CISA)

Compensation

Bonus Eligible: Yes

Long-Term Incentive: Yes

Benefits Eligible: Yes

Salary Range

The expected salary range for this role is $237,102.00 - $296,377.00 per year.

The above represents the expected salary range for this job requisition. Ultimately, in determining your pay, we may also consider your experience and other job-related factors.

Additional information
At McDonald’s we are People from all Walks of Life...


People are at the heart of everything we do, and they make the McDonald’s experience. We embrace diversity and are committed to creating an inclusive culture that means people can be their best authentic self in our restaurants and offices, which helps us to better serve our customers. We have a strong heritage of diversity and representation within our communities, which we are proud of. The diversity of our people, customers, Franchisees, and suppliers gives us strength.

We do not tolerate inequality, injustice, or discrimination of any kind. These are hugely important issues and a brand with our reach and relevance means we have a very meaningful role to play.

We also recognise our responsibility as a large employer to continue being active in our communities, helping to develop skills and drive aspirations that will help people to be more aware of the world of work and more successful within it, whether with McDonald’s or elsewhere.


Nearest Major Market: Chicago