Information Security Client & Vendor Risk Manager
Leads Baker Botts' client due diligence program and oversees third-party vendor security vetting across the firm. Owns and matures the firm-wide due diligence framework, conducts risk assessments, and serves as the primary liaison between clients, internal teams, and vendors. Requires 6+ years of experience in information security, vendor risk management, and compliance within a regulated legal environment.
Key Highlights
Key Responsibilities
Technical Skills Required
Benefits & Perks
Nice to Have
Job Description
About Baker Botts
Baker Botts is a leading international law firm recognized for its deep understanding of the industries it serves. With offices across major global markets, the firm delivers sophisticated legal services while cultivating a collaborative, inclusive culture where both attorneys and professional staff contribute to client success and organizational excellence.
About The Role
The Information Security Client & Vendor Risk Manager leads the firm’s client due diligence program and oversees all information security vetting for third party vendors across the firm. This role requires deep expertise in security frameworks, strong risk‑assessment judgment, and the ability to influence senior stakeholders, including internal stakeholders, and client security teams. The Manager acts as a key liaison between the firm’s clients, internal leadership, IT Security, Procurement, and Risk Management, ensuring the firm meets the heightened expectations of our clients.
What You'll Do
Primary Responsibilities
- Own and mature the firm‑wide client and vendor due‑diligence program, ensuring consistency, accuracy, and alignment with the firm’s security posture and regulatory obligations.
- Serve as the firm’s subject‑matter expert on information‑security controls, certifications, and risk posture during client audits, RFPs, and reviews or client engagement terms.
- Lead complex vendor‑risk assessments for high‑impact technology and service providers, including review of SOC 2 reports, ISO 27001 certifications, penetration‑test results, cloud‑security controls, data‑protection, privacy, and retention practices.
- Develop and maintain the firm’s vendor‑risk management framework, including risk‑scoring methodologies, onboarding workflows, and continuous‑monitoring processes.
- Partner with Procurement, IT, and Office of General Counsel to evaluate vendor contracts, negotiate security requirements, and recommend risk‑mitigation strategies.
- Prepare the firm for client audits and regulatory reviews, coordinating evidence collection, documentation, and SME participation across multiple departments.
- Represent the firm in client‑facing security discussions, including responding to escalated inquiries from corporate counsel, privacy officers, and client security teams.
- Monitor emerging risks and regulatory developments relevant to the legal industry (e.g., SEC cybersecurity rules, state privacy laws, international data‑transfer requirements).
- Mentor junior analysts and contribute to the professional development of the broader Risk and Compliance team.
- Drive continuous improvement, identifying opportunities to streamline due‑diligence workflows, enhance tracking and remediation of client-identified risks, and strengthen the firm’s security posture.
Searching for Development & Programming roles that provide visa sponsorship? Connect with international employers through Development & Programming Jobs with Visa Sponsorship opportunities actively seeking talented professionals.
- Provide management with periodic reports & briefings on evolving topics within their area of responsibility.
- Other related projects and duties as assigned by the Director of Information Security.
WHAT YOU'LL BRING
- 6+ years of experience in information security, vendor risk management, compliance, or legal‑industry operations, ideally within an Am Law 200 firm or similarly regulated environment.
- Deep understanding of security frameworks and standards (SOC 2, ISO 27001, NIST CSF, HIPAA, GLBA, state privacy laws).
- Experience conducting or leading vendor‑risk assessments for enterprise‑level technology providers.
- Strong communication skills, including the ability to brief partners, respond to client security teams, and translate technical concepts for non‑technical audiences.
- Demonstrated ability to work independently, manage sensitive information, and lead cross‑functional initiatives in a high‑pressure environment.
- Professional certifications such as CTPRA, ISO 27001 Lead Implementer or Lead Auditor and CISSP, CISM, CRISC, or CISA required.
- Experience with legal‑industry technologies (DMS, e‑discovery platforms, cloud‑based practice‑management tools) is a plus.
Explore our comprehensive directory of visa sponsorship jobs from employers worldwide who are ready to sponsor talented international professionals.
Extent of Contact
This position requires contact with individuals within the firms as follows:
- Daily contact with staff from the Firm’s Information Technology, Client Development and Office of the General Counsel teams.
- Moderate contact with Firm’s attorneys and client representatives.
- Occasional contact with Firm Management.
- Moderate contact with Firm vendors or potential vendors.
- Moderate contact with Firm clients
- Must be able to routinely lift and carry event materials and other items up to 10 pounds.
- Must be able to work at a computer for extensive periods of time.
- Position requires extensive telephone use.
- Must be able to lift, squat, kneel and bend.
- Position requires the ability to visit face-to-face and on the phone with firm lawyers.
Interested in opportunities specifically in United State? Discover our dedicated Visa Sponsorship Jobs in United State page featuring roles from top employers in this location.
- Position is full-time and requires a five-day work week and standard hours as outlined in the Firm policy manual. Additional hours, including weekend and evening hours may be required to perform the essential functions of the job.
- Must be able to perform essential duties of the position with time constraints and frequent interruptions.
- Ability to work well in high pressure environments.
- 24x7 communication access is required.
- This position is fully remote. You will be required to come to the office periodically for team meetings or when there is a business or client need.
- There is potential for travel when needed for team meetings, onsite assessments etc. when there is a business or client need.
- When working remotely, you must have secure and reliable internet service and a safe, private workspace from which to work.
Similar Jobs
Explore other opportunities that match your interests