SrDir-Information Security - Security Risk Management
Company: Marriott
Location: Saint Paul
Posted on: March 16, 2023
Job Description:
**Job Number** 23015561
**Job Category** Information Technology
**Location** Marriott International HQ, 7750 Wisconsin Avenue, Bethesda, Maryland, United States
**Schedule** Full-Time
**Located Remotely?** Y
**Relocation?** N
**Position Type** Management

**JOB SUMMARY**

Leads and drives security risk management as part of the Security Risk, Compliance and Governance team. Responsible and accountable for assessing security risk across the enterprise using both qualitative and quantitative methods, such as the Factor Analysis of Information Risk (FAIR) methodology. Analyzes the threat landscape and determines the impact and likelihood of potential security events to understand residual risk exposure. Responsible for facilitating risk treatment with business partners and IT to optimize Marriott International's overall security risk profile. This role will provide a holistic view of Marriott International's security risk profile and will communicate that profile to all levels of the company. Additional activities will include assessing third-party vendors' security controls to determine alignment with security requirements. The controls applied are part of Marriott International's standard security controls framework, which is based on standards and frameworks such as ISO 27001, NIST CSF, NIST 800-53, CSA, UCF, etc. Collaborates broadly across IT, business organizations, and international teams to define and communicate security risks.

**CANDIDATE PROFILE**

**Education and Experience**

**Required:**
+ Bachelor's degree in Computer Sciences or related field, or equivalent experience/certification
+ 10+ years of information technology leadership experience that includes implementing, managing, or governing security technologies, including encryption, network security, intrusion detection and digital forensics
+ 8+ years' experience in direct management of a team
+ Some or all of the following: 8+ years' experience in managing enterprise security risk management frameworks and processes (e.g., ISO 2700X, NIST, Cloud Security Alliance); 8+ years' experience in implementation of risk management frameworks and processes (e.g., ISO 2700X, NIST, Cloud Security Alliance); 8+ years' experience in facilitating and conducting security assessments related to PCI DSS, ISO 27001, NIST 800-53 and the NIST Cybersecurity Framework

**Attributes**
+ Strong verbal and written communication skills, with the ability to articulate complex technical ideas in easy-to-understand business terms.
+ Ability to effectively prioritize and execute tasks in a high-pressure environment.
+ Strong negotiating, influencing and problem-resolution skills.

**Preferred:**
+ Experience in implementation or management of security risk programs.
+ Current information security certification, including Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP).
+ Knowledge of IT security within an infrastructure environment.
+ Knowledge of ServiceNow and the GRC module within ServiceNow.
+ Reviewing and assessing the risk of service providers.
+ Implementing, managing and governing security policies.
+ Experience assessing a 3-tiered system architecture (web server, application server and database).
+ Experience with Dynamic Application Security Testing (DAST) and vulnerability scanning using tools such as Nessus, IBM AppScan, HP WebInspect, Fortify on Demand, Qualys, Burp Suite, Cigital or Retina.
+ Proven knowledge of the ISO 27001 standard, NIST security standards and PCI DSS requirements.
+ Demonstrated ability to assess customer/client needs, creatively approach solutions, and decide on and influence appropriate courses of action.
+ Understanding of IT financial structures and ability to manage to corporate financial practices and goals, including drivers of process cost.
+ Graduate/postgraduate degree.

**CORE WORK ACTIVITIES**

**Security Risk & Compliance**
+ Validates the process for monitoring and reporting security risks.
+ Oversees, evaluates, and supports the documentation and validation processes necessary to assure that associates, information technology systems and business processes meet the organization's information assurance, security, and privacy requirements. Ensures appropriate treatment of risk, compliance, and assurance of internal policies and external regulations.
+ Leads the team in performing risk analysis and facilitates risk discussions for cross-functional teams.
+ Provides consultative services to a broad range of internal business leaders on risk and IT security to determine current and target risk levels.
+ Develops remediation plans and monitors progress against the agreed-upon remediation plans.
+ Provides deep expertise in computer network theory, IT standards and protocols, as well as an understanding of the lifecycle of cyberspace threats, attack vectors, and methods of exploitation.
+ Provides guidance and educates the organization in risk management principles and practices.
+ Communicates with subject matter experts to determine the expected impact and likelihood of loss events.
+ Maintains the organizational risk register.
+ Leads the evaluation and selection of security and risk management services and products.
+ Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content (e.g., policies, standards, processes and procedures).
+ Conducts assessments of threats and vulnerabilities; determines deviations from acceptable configurations or enterprise or local policy; assesses the level of risk; and develops and/or recommends and operationalizes appropriate mitigation countermeasures.
+ Provides sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates policy changes and makes the case on behalf of the company via a wide range of written and oral work products.

**Cultivate a High-Performing Team**
+ Create a compelling vision, clear direction and strategy for the team.
+ Generate enthusiasm and understanding of the information security vision and how each role contributes to the achievement of that vision.
+ Ensure capabilities are developed and resources are aligned to support the strategy.
+ Attract, motivate, develop and retain highly skilled leaders; champion and model leadership development.
+ Create and sustain a work environment that drives associate engagement and enables business success.
+ Ensure appropriate processes are in place and executed to drive collaboration and alignment within the team and with the broader IT organization.
+ Serve as a role model and ensure all information security leaders are visible and effective partners with IT counterparts, broader Marriott stakeholders, and service providers.

_Marriott International is an equal opportunity employer. We believe in hiring a diverse workforce and sustaining an inclusive, people-first culture. We are committed to non-discrimination on any protected basis, such as disability and veteran status, or any other basis covered under applicable law. Marriott International considers for employment qualified applicants with criminal histories consistent with applicable federal, state and local law._

Marriott International is the world's largest hotel company, with more brands, more hotels and more opportunities for associates to grow and succeed. We believe a great career is a journey of discovery and exploration. So, we ask, where will your journey take you?
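The job summary above names Factor Analysis of Information Risk (FAIR) as the quantitative method, and the core work activities ask the role to obtain expected impact and likelihood of loss events from subject matter experts and carry the result into a risk register. The script below is an added illustration of that decomposition, not code from the posting or from Marriott: it samples Threat Event Frequency, Vulnerability and Loss Magnitude from calibrated low/most-likely/high estimates, simulates one year at a time to produce an annualized loss exposure (ALE) distribution, and reports an inherent-versus-residual comparison after a control. The scenario name, every estimate range and the assumed control effect (a 75% reduction in Vulnerability) are constructed for the example and correspond to no real assessment; the function and class names are the author's own.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added illustration for this page; not Marriott's code and not from the posting.
Every figure below is a constructed, hypothetical estimate range.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """A calibrated SME estimate as (low, most likely, high).

    Sampled from a triangular distribution. FAIR practitioners commonly use a
    PERT distribution, which the standard library lacks; the shape is not the point here.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario.

    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability,
    where Vulnerability is the probability a threat event becomes a loss event.
    Loss Magnitude (LM) is primary plus secondary loss per loss event.
    """
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability, 0..1
    loss_magnitude: Estimate  # currency per loss event


def poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year given expected rate lam (Knuth's method)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss per trial, i.e. the ALE distribution."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(lef, rng)
        annual.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual


def summarize(annual: list[float]) -> dict[str, float]:
    """Mean ALE plus the percentiles risk owners usually ask for."""
    ordered = sorted(annual)

    def pct(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": statistics.fmean(ordered), "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}


def with_control(scenario: Scenario, vulnerability_factor: float) -> Scenario:
    """Residual-risk view: a control that scales Vulnerability by vulnerability_factor."""
    v = scenario.vulnerability
    return replace(scenario, vulnerability=Estimate(v.low * vulnerability_factor,
                                                    v.mode * vulnerability_factor,
                                                    v.high * vulnerability_factor))


# Constructed, hypothetical estimates for a generic credential-compromise
# scenario; not derived from any real assessment.
INHERENT = Scenario(
    name="hypothetical: phishing-led credential compromise of a business application",
    tef=Estimate(2, 6, 20),
    vulnerability=Estimate(0.20, 0.40, 0.70),
    loss_magnitude=Estimate(50_000, 250_000, 2_000_000),
)
# Assumed control effect (hypothetical): phishing-resistant MFA cuts Vulnerability to a quarter.
RESIDUAL = with_control(INHERENT, 0.25)


def compare(trials: int = 10_000, seed: int = 1) -> dict[str, dict[str, float]]:
    """Inherent vs residual ALE summaries, as they would appear in a risk register entry."""
    return {
        "inherent": summarize(simulate_annual_losses(INHERENT, trials, seed)),
        "residual": summarize(simulate_annual_losses(RESIDUAL, trials, seed)),
    }


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, {k: f"{v:,.0f}" for k, v in stats.items()})
```

Two practical points this makes visible: the mean ALE alone understates exposure, so the p90/p99 tail is what a risk owner comparing a control's cost against its benefit should look at, and the inherent-to-residual delta is only as good as the calibration of the three input ranges, which is why the role's work with subject matter experts precedes any number entering the register.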