Director, Information Security - Security Compliance

Corporate
Bethesda, MD Other
POSTED ON 9/26/2022 CLOSED ON 12/12/2022


Job Number 22166794
Job Category Information Technology
Location Marriott International HQ, 7750 Wisconsin Avenue, Bethesda, Maryland, United States
Schedule Full-Time
Located Remotely? N
Relocation? N
Position Type Management


JOB SUMMARY

The Director of Security Compliance drives endpoint security compliance and exceptions management as part of the Security Compliance team. They are responsible and accountable for assessing the baseline security compliance posture across the enterprise using quantitative methods.  The candidate will be responsible for ensuring all endpoints meet Marriott’s Endpoint Security Technology policies, tracking areas of non-compliance and working with stakeholders to bring those areas back to compliance.

 

The position manages and improves the IT Security Compliance inventory/lifecycle within our environment including inventory and monitoring of all asset assessment and data analysis, reporting and findings remediation.  Collaborates broadly across the IT, business organizations, and international teams to define and communicate security risks.

This role will provide a holistic view of Marriott International’s security compliance profile and will communicate that profile to all levels of the company.

 

CANDIDATE PROFILE 

 

Education and Experience

Required:

  • Bachelor’s degree in Computer Sciences or related field or equivalent experience/certification
  • 8 years of information technology leadership experience that includes implementing, managing, or governing security technologies, including encryption, network security, intrusion detection and digital forensics
  • 5 years of information technology leadership experience
  • 4 years’ experience in direct management of a team
  • 4 years’ experience implementing, managing, or governing endpoint security technologies, like encryption, Anti-Virus, Endpoint-Detection & Response (EDR), Application Control technologies, network security, and host-based intrusion detection systems.

 

Attributes

  • Strong verbal and written communication skills with the ability to articulate complex technical ideas in easy-to-understand business terms.
  • Ability to effectively prioritize and execute tasks in a high-pressure environment.
  • Strong negotiating, influencing and problem resolution skills

 

Preferred:

  • Experience in implementation or management of Endpoint Security Compliance programs.
  • Current information security certification, including Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP)
  • Knowledge of IT security within an infrastructure environment
  • Technical leadership experience in an Information Technology Outsourced (ITO) environment
  • Knowledge of ServiceNow and the GRC module within ServiceNow.
  • Knowledge of IT Protocols such as ARP, TCP/IP, WMI, SOAP, or Web Services.
  • Reviewing and assessing the risk of service providers.
  • Managing and governing of security policies
  • Experience assessing a 3-tiered system architecture (Web Server, App Server & Database)
  • Demonstrated ability to assess customer/client needs, creatively approach solutions, decide and influence appropriate courses of action
  • Understanding of IT financial structures and ability to manage to corporate financial practices and goals, including drivers of process cost
  • Graduate/post graduate degree

 

 

CORE WORK ACTIVITIES

 

Security Risk & Compliance

  • Validates the process for, and the monitoring and reporting of, security risks
  • Oversees, plans, and conducts security policy compliance, risk assessment, exception evaluation, and processing for applications, infrastructure, data, and third-party vendor solutions.
  • Consistently monitors compliance to applicable security policies and standards and reports related risk issues
  • Executes technical risk assessments, advises business and IT leaders on risk of initiatives/tools
  • Provides consultative services to a broad range of internal business leaders on risk and IT security to determine current and target risk levels.
  • Develops remediation plans. Monitors progress of agreed-upon remediation plans.
  • Provides deep expertise in computer network theory, IT standards and protocols, as well as an understanding of the lifecycle of cyberspace threats, attack vectors, and methods of exploitation.
  • Provides guidance and educates the organization in risk management principles and practices
  • Communicates with Subject Matter Experts to determine expected impact and likelihood of loss events
  • Maintains endpoint security metrics and consults with Metrics teams to ensure metrics are accurately represented in the Enterprise Metrics program.
  • Assigns appropriate level of risk and drives compliance to Endpoint Security internal policies and external regulations.
  • Manages and administers processes and tools that identify, document, and retain intellectual capital and information content.
  • Manages the evaluation and selection of security and risk management services products
  • Oversees, evaluates, and supports the documentation and validation processes necessary to assure that associates, information technology systems and business processes meet the organization’s information assurance, security, and privacy requirements.  Ensures appropriate treatment of risk, compliance, and assurance of internal policies and external regulations.
  • Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations or enterprise or local policy, assesses the level of risk, and develops and/or recommends and operationalizes appropriate mitigation countermeasures.
  • Provides sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates policy changes and makes a case on behalf of the company via a wide range of written and oral work products.

 

Cultivate a High-Performing Team

  • Create a compelling vision, clear direction, and strategy for the team
  • Generate enthusiasm and understanding of the information security vision and how each role contributes to the achievement of that vision
  • Ensure capabilities are developed and resources are aligned to support the strategy
  • Attract, motivate, develop, and retain highly skilled leaders, champion, and model leadership development
  • Create and sustain a work environment that drives associate engagement and enables business success
  • Ensure appropriate processes are in place and executed to drive collaboration and alignment within the team and with the broader IT organization
  • Serve as a role model and ensure all information security leaders are visible and effective partners with IT counterparts, broader Marriott stakeholders, and service providers

 

Delivering on the Needs of Key Stakeholders

  • Understands and meets the needs of key stakeholders.
  • Communicates concepts in a clear and persuasive manner that is easy to understand.
  • Demonstrates an understanding of business priorities.
  • Supports achievement of performance goals, budget goals, team goals, etc.

 

Providing Technical Support and Consultation

  • Provides technical expertise and technical leadership within own and other teams.
  • Provides recommendations to improve the effectiveness of processes and programs.
  • Demonstrates advanced knowledge of job-relevant issues, products, systems, and processes.
  • Demonstrates advanced knowledge of function-specific procedures.
  • Applies knowledge/judgment to achieve business goals.
  • Foresees, identifies and resolves problems.
  • Keeps up-to-date technically and applies new knowledge to job.
  • Performs other reasonable duties as required for this position

This position requires proof of full vaccination against COVID-19 prior to the first date of employment, subject to applicable law. If you are offered employment, this requirement must be met by your date of hire, unless a reasonable accommodation request is received and approved.
 
Marriott International is an equal opportunity employer. We believe in hiring a diverse workforce and sustaining an inclusive, people-first culture. We are committed to non-discrimination on any protected basis, such as disability and veteran status, or any other basis covered under applicable law.

Marriott International is the world’s largest hotel company, with more brands, more hotels and more opportunities for associates to grow and succeed.  We believe a great career is a journey of discovery and exploration.  So, we ask, where will your journey take you?

Hourly Wage Estimation for Director, Information Security - Security Compliance in Bethesda, MD
$64.70 to $83.14
This job has expired.