Client & Vendor Risk Manager
Baker Botts • Dallas, Texas • Full Time
Posted on Thu, Jul 9, 2026
ABOUT BAKER BOTTS
Baker Botts is a leading international law firm recognized for its deep understanding of the industries it serves. With offices across major global markets, the firm delivers sophisticated legal services while cultivating a collaborative, inclusive culture where both attorneys and professional staff contribute to client success and organizational excellence.
ABOUT THE ROLE
The Information Security Client & Vendor Risk Manager leads the firm’s client due diligence program and oversees all information security vetting for third party vendors across the firm. This role requires deep expertise in security frameworks, strong riskâassessment judgment, and the ability to influence senior stakeholders, including internal stakeholders, and client security teams. The Manager acts as a key liaison between the firm’s clients, internal leadership, IT Security, Procurement, and Risk Management, ensuring the firm meets the heightened expectations of our clients.
WHAT YOU'LL DO
Primary Responsibilities
- Own and mature the firmâwide client and vendor dueâdiligence program, ensuring consistency, accuracy, and alignment with the firm’s security posture and regulatory obligations.
- Serve as the firm’s subjectâmatter expert on informationâsecurity controls, certifications, and risk posture during client audits, RFPs, and reviews or client engagement terms.
- Lead complex vendorârisk assessments for highâimpact technology and service providers, including review of SOC 2 reports, ISO 27001 certifications, penetrationâtest results, cloudâsecurity controls, dataâprotection, privacy, and retention practices.
- Develop and maintain the firm’s vendorârisk management framework, including riskâscoring methodologies, onboarding workflows, and continuousâmonitoring processes.
- Partner with Procurement, IT, and Office of General Counsel to evaluate vendor contracts, negotiate security requirements, and recommend riskâmitigation strategies.
- Prepare the firm for client audits and regulatory reviews, coordinating evidence collection, documentation, and SME participation across multiple departments.
- Represent the firm in clientâfacing security discussions, including responding to escalated inquiries from corporate counsel, privacy officers, and client security teams.
- Monitor emerging risks and regulatory developments relevant to the legal industry (e.g., SEC cybersecurity rules, state privacy laws, international dataâtransfer requirements).
- Mentor junior analysts and contribute to the professional development of the broader Risk and Compliance team.
- Drive continuous improvement, identifying opportunities to streamline dueâdiligence workflows, enhance tracking and remediation of client-identified risks, and strengthen the firm’s security posture.
Additional Responsibilities
- Provide management with periodic reports & briefings on evolving topics within their area of responsibility.
- Other related projects and duties as assigned by the Director of Information Security.
WHAT YOU'LL BRING
Required
- 6+ years of experience in information security, vendor risk management, compliance, or legalâindustry operations, ideally within an Am Law 200 firm or similarly regulated environment.
- Deep understanding of security frameworks and standards (SOC 2, ISO 27001, NIST CSF, HIPAA, GLBA, state privacy laws).
- Experience conducting or leading vendorârisk assessments for enterpriseâlevel technology providers.
- Strong communication skills, including the ability to brief partners, respond to client security teams, and translate technical concepts for nonâtechnical audiences.
- Demonstrated ability to work independently, manage sensitive information, and lead crossâfunctional initiatives in a highâpressure environment.
- Professional certifications such as CTPRA, ISO 27001 Lead Implementer or Lead Auditor and CISSP, CISM, CRISC, or CISA required.
- Experience with legalâindustry technologies (DMS, eâdiscovery platforms, cloudâbased practiceâmanagement tools) is a plus.
HOW YOU'LL WORK
Extent of Contact
This position requires contact with individuals within the firms as follows:
- Daily contact with staff from the Firm’s Information Technology, Client Development and Office of the General Counsel teams.
- Moderate contact with Firm’s attorneys and client representatives.
- Occasional contact with Firm Management.
This position requires contact with individuals outside the firm as follows:
- Moderate contact with Firm vendors or potential vendors.
- Moderate contact with Firm clients
Physical Requirements
- Must be able to routinely lift and carry event materials and other items up to 10 pounds.
- Must be able to work at a computer for extensive periods of time.
- Position requires extensive telephone use.
- Must be able to lift, squat, kneel and bend.
- Position requires the ability to visit face-to-face and on the phone with firm lawyers.
Working Conditions and Environment
- Position is full-time and requires a five-day work week and standard hours as outlined in the Firm policy manual. Additional hours, including weekend and evening hours may be required to perform the essential functions of the job.
- Must be able to perform essential duties of the position with time constraints and frequent interruptions.
- Ability to work well in high pressure environments.
- 24x7 communication access is required.
- This position is fully remote. You will be required to come to the office periodically for team meetings or when there is a business or client need.
- There is potential for travel when needed for team meetings, onsite assessments etc. when there is a business or client need.
- When working remotely, you must have secure and reliable internet service and a safe, private workspace from which to work.
Baker Botts L.L.P. is an equal opportunity employer and considers all qualified applicants for employment without regard to race, color, gender, sex, age, religion, creed, national origin, citizenship, marital status, sexual orientation, disability, medical condition, military and veteran status, gender identity or expression, genetic information, or any other basis protected by federal, state, or local law.