
Sr Director, Cyber Third-Party Risk Management
McDonald's Corporation, Chicago, IL, United States
Job Description
Company Description
McDonald’s is proud to be one of the most recognized brands in the world, with restaurants in over 100 countries that serve 70 million customers daily. As the global leader in the food service industry, our legacy of innovation and hard work continues to drive us.
From drive thru updates to delivery to mobile order and pay, we are innovating quickly and growing. Joining McDonald's means thinking big and preparing for a career that can have influence around the world.
Department Overview
The Senior Director of Cyber Third-Party Risk Management (TPRM) is accountable for leading and modernizing McDonald’s global third‑party cyber risk management capability across a highly distributed, market‑driven technology and supplier ecosystem. This role owns the design and execution of a scalable, intelligence‑driven TPRM program that moves beyond traditional, questionnaire‑centric approaches and delivers meaningful, defensible assurance over third‑party cyber risk.
The role places particular emphasis on third‑party providers operating within IDL market segments, where complex technology integrations, data flows, and operational dependencies introduce elevated cyber and business risk. The Senior Director develops deep understanding of these integrations, works closely with security architecture and technical SMEs to validate control effectiveness, and ensures that third‑party solutions supporting markets do not introduce unacceptable systemic or concentration risk.
This leader partners closely with Global Supply Chain, Indirect Procurement, Legal, Privacy, ERM, and IDL Market CTOs to reduce fragmentation across markets by translating market‑specific solution sets into standardized enterprise agreements, security configurations, and control expectations. A core mandate of the role is innovation: designing new, differentiated approaches to third‑party assurance that leverage automation, technical validation, and continuous monitoring rather than relying solely on static questionnaires.
Responsibilities
Program Leadership & Modernization
Own and evolve McDonald’s global TPRM strategy and operating model, ensuring it is scalable, risk‑based, and aligned to enterprise cyber risk governance expectations.
Transform TPRM from a primarily questionnaire‑driven process into a modern program that blends survey efficiency with technical validation, continuous monitoring, and risk quantification.
Establish and operate the full third‑party risk lifecycle, including onboarding, inherent risk tiering, due diligence, technical assessment, ongoing monitoring, reassessment, and secure offboarding.
Continuous Monitoring, Automation & Innovation
Implement continuous monitoring capabilities to provide near real‑time visibility into third‑party cyber posture, control degradation, and emerging risk signals.
Explore and deploy innovative approaches, including automation and AI‑assisted techniques, for evidence collection, risk scoring, and exception management.
Continuously evaluate emerging tools, data sources, and assurance models to improve coverage, reduce friction, and increase signal quality beyond traditional questionnaires.
Governance, Reporting & Escalation
Maintain a centralized inventory of third‑party engagements, risk tiers, and risk treatment decisions across the enterprise.
Provide clear, concise reporting on third‑party cyber risk posture, trends, and concentration risk to the Vice President, Cyber GRC and senior leadership.
Leadership & Collaboration
Build and lead a high‑performing team of third‑party risk professionals and technical reviewers.
Reinforce a culture of accountability, innovation, and constructive challenge consistent with McDonald’s values and operating principles.
Qualifications
12+ years of experience in cybersecurity, technology risk, or information security, with significant ownership of third‑party / supplier cyber risk management in large, complex enterprises.
Proven experience designing and leading a global TPRM program, including the full third‑party risk lifecycle (onboarding, tiering, due diligence, monitoring, reassessment, and offboarding).
Demonstrated success modernizing TPRM, moving beyond questionnaire‑centric models to risk‑based approaches that incorporate technical validation, automation, and continuous monitoring.
Strong technical fluency across cloud, APIs, identity, data flows, and integration architectures, with the ability to partner credibly with security architects and technical SMEs.
Experience overseeing deep technical assessments for high‑risk or critical third parties (e.g., architecture reviews, threat modeling, penetration testing results, vulnerability assessments).
Ability to operate effectively in highly distributed, market‑driven or franchise‑based environments, translating local solutions into standardized enterprise security requirements.
Demonstrated leadership experience, including building and leading high‑performing teams and influencing senior stakeholders across Technology, Procurement, Legal, Privacy, and ERM.
Strong executive communication skills, with experience reporting third‑party cyber risk posture and trends to senior leadership.
Preferred
Familiarity with systemic, concentration, and fourth‑party risk.
Working knowledge of NIST CSF, ISO 27001, GDPR, and CCPA.
Relevant certifications (e.g., CISSP, CISM, CRISC, CISA).
Compensation
Bonus Eligible: Yes
Long‑Term Incentive: Yes
Benefits Eligible: Yes
Salary Range
The expected salary range for this role is $237,102.00 - $296,377.00 per year.
The above represents the expected salary range for this job requisition. Ultimately, in determining your pay, we may also consider your experience, and other job‑related factors.
Additional information
At McDonald's we are People from all Walks of Life...
People are at the heart of everything we do, and they make the McDonald's experience.
We embrace diversity and are committed to creating an inclusive culture that means people can be their best authentic self in our restaurants and offices, which helps us to better serve our customers. We have a strong heritage of diversity and representation within our communities, which we are proud of. The diversity of our people, customers, Franchisees, and suppliers gives us strength.
We do not tolerate inequality, injustice, or discrimination of any kind. These are hugely important issues and a brand with our reach and relevance means we have a very meaningful role to play.
We also recognize our responsibility as a large employer to continue being active in our communities, helping to develop skills and drive aspirations that will help people to be more aware of the world of work and more successful within it, whether with McDonald's or elsewhere.