Location
Washington, DC, United States
Posted on
Jan 31, 2023
Profile
Job Number 23015561
Job Category Information Technology
Location Marriott International HQ, 7750 Wisconsin Avenue, Bethesda, Maryland, United States
Schedule Full-Time
Located Remotely? Y
Relocation? N
Position Type Management
JOB SUMMARY
Leads and drives security risk management as part of the Security Risk, Compliance and Governance team. Responsible and accountable for assessing security risk across the enterprise using both qualitative and quantitative methods such as the Factor Analysis of Information Risk (FAIR) methodology. Analyzes the threat landscape and determines the impact and likelihood of potential security events to understand residual risk exposure. Responsible for facilitating risk treatment with business partners and IT to optimize Marriott International’s overall security risk profile. This role will provide a holistic view of Marriott International’s security risk profile and will communicate that profile to all levels of the company. Additional activities will include assessing third-party vendors’ security controls to determine alignment with security requirements. The controls applied are part of Marriott International’s standard security controls framework, based on standards and frameworks such as ISO 27001, NIST CSF, NIST 800-53, CSA, UCF, etc. Collaborates broadly across the IT, business organizations, and international teams to define and communicate security risks.
CANDIDATE PROFILE
Education and Experience
Required:
Bachelor’s degree in Computer Sciences or related field or equivalent experience/certification
10 years of information technology leadership experience that includes implementing, managing, or governing security technologies, including encryption, network security, intrusion detection and digital forensics
8 years’ experience in direct management of a team
Some or all of the following:
8 years’ experience in managing enterprise security risk management frameworks and processes (e.g., ISO 2700X, NIST, Cloud Security Alliance)
8 years’ experience in implementation of risk management frameworks and processes (e.g., ISO 2700X, NIST, Cloud Security Alliance)
8 years’ experience in facilitating and conducting security assessments related to PCI-DSS, ISO 27001, NIST 800-53, and the NIST Cybersecurity Framework
Attributes
Strong verbal and written communication skills with the ability to articulate complex technical ideas in easy-to-understand business terms.
Ability to effectively prioritize and execute tasks in a high-pressure environment.
Strong negotiating, influencing and problem-resolution skills.
Preferred:
Experience in implementation or management of security risk programs.
Current information security certification, including Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP)
Knowledge of IT security within an infrastructure environment
Knowledge of ServiceNow and the GRC module within ServiceNow.
Experience reviewing and assessing the risk of service providers.
Experience implementing, managing and governing security policies.
Experience assessing a 3-tiered system architecture (Web Server, App Server & Database)
Experience with Dynamic Application Security Testing using applications such as Nessus, IBM AppScan, HP WebInspect, Fortify on Demand, Qualys, Burp, Cigital or Retina.
Proven knowledge of ISO 27001 standard, NIST security standards, PCI-DSS requirements
Demonstrated ability to assess customer/client needs, creatively approach solutions, decide and influence appropriate courses of action
Understanding of IT financial structures and ability to manage to corporate financial practices and goals, including drivers of process cost
Graduate/post graduate degree
CORE WORK ACTIVITIES
Security Risk & Compliance
Validates the process for the monitoring and reporting of security risks.
Oversees, evaluates, and supports the documentation, and validation processes necessary to assure that associates, information technology systems and business processes meet the organization’s information assurance, security, and privacy requirements. Ensures appropriate treatment of risk, compliance, and assurance of internal policies and external regulations.
Leads team in performing risk analysis and facilitates risk discussions for cross functional teams.
Provides consultative services to a broad range of internal business leaders on risk and IT security to determine current and target risk levels.
Develops remediation plans and monitors progress of agreed-upon remediation plans.
Provides deep expertise in computer network theory, IT standards and protocols, as well as an understanding of the lifecycle of cyberspace threats, attack vectors, and methods of exploitation.
Provides guidance and educates the organization in risk management principles and practices
Communicates with Subject Matter Experts to determine expected impact and likelihood of loss events
Maintains the organizational Risk Register.
Leads in the evaluation and selection of security and risk management services products
Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content (e.g., policies, standards, processes and procedures).
Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations or enterprise or local policy, assesses the level of risk, and develops and/or recommends and operationalizes appropriate mitigation countermeasures.
Provides sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates policy changes and makes a case on behalf of the company via a wide range of written and oral work products.
Cultivate a High-Performing Team
Create a compelling vision, clear direction and strategy for the team
Generate enthusiasm and understanding of the information security vision and how each role contributes to the achievement of that vision
Ensure capabilities are developed and resources are aligned to support the strategy
Attract, motivate, develop and retain highly skilled leaders; champion and model leadership development
Create and sustain a work environment that drives associate engagement and enables business success
Ensure appropriate processes are in place and executed to drive collaboration and alignment within the team and with the broader IT organization
Serve as a role model and ensure all information security leaders are visible and effective partners with IT counterparts, broader Marriott stakeholders, and service providers
Marriott International is an equal opportunity employer. We believe in hiring a diverse workforce and sustaining an inclusive, people-first culture. We are committed to non-discrimination on any protected basis, such as disability and veteran status, or any other basis covered under applicable law. Marriott International considers for employment qualified applicants with criminal histories consistent with applicable federal, state and local law.
Marriott International is the world’s largest hotel company, with more brands, more hotels and more opportunities for associates to grow and succeed. We believe a great career is a journey of discovery and exploration. So, we ask, where will your journey take you?