Business Information Security Officer

 

Description:

We are looking for a proactive and forward-thinking Business Information Security Officer who is well versed in information security management principles, comes from a hands-on technical background, and can manage multiple parallel projects. This is a leadership position within the S&P Enterprise Data Organization (EDO), focusing on establishing best practices and driving security practices within the business unit.

As the Business Information Security Officer, you will be the Cyber Security & Assurance primary point of contact for the division, responsible for the development, communication, compliance and governance of the divisional security strategy, roadmap and policies that are in alignment with the organization’s overall security objectives.

Responsibilities:
Design, implement, and maintain global security policies, standards, and procedures focused on protecting data across all environments, ensuring alignment with business and IT priorities.

Ensure the divisional security strategy aligns with broader organizational goals, particularly data privacy and protection regulations (e.g., GDPR, CCPA).

Own and manage all data-related security risks, performing risk assessments specific to data storage, processing, and transfer.

Identify, assess, and prioritize data security vulnerabilities, ensuring effective remediation plans are in place and executed.

Conduct periodic audits of data security controls to ensure compliance with internal policies and external regulations.

Ensure adherence to data protection laws and implement robust measures for data privacy, security, and retention.

Work closely with software development teams to ensure secure data handling throughout the software development lifecycle (SDLC), embedding security in data processing systems and applications.

Ensure that data security requirements are incorporated into all phases of technology systems, from design through deployment.

Lead investigations into data security breaches, ensuring proper reporting and communication with senior management during incidents.

Work with the Cyber Incident Response Team (CIRT) to address and mitigate cybersecurity incidents, ensuring appropriate remediation of data breaches.

Develop and deliver targeted security training programs for employees, contractors, and third parties on best practices for data protection.

Implement ongoing data security awareness initiatives, ensuring all stakeholders understand the importance of safeguarding organizational data.

Coordinate with third-party security vendors to conduct vulnerability assessments, penetration tests, and security audits focused on data protection.

Stay current on emerging data security trends, threats, and technologies, recommending updates to security measures as needed.

Establish and maintain a strong data security posture, continuously monitoring the effectiveness of controls and processes.

Represent EDO security to external stakeholders.

Regularly evaluate the organization’s data security safeguards, ensuring they provide robust protection against evolving threats and data-related risks.

Qualifications & Experience:
Bachelor’s degree in Computer Science, Information Systems, Engineering, or a related field (master’s preferred).

CISSP (Certified Information Systems Security Professional) is a MUST (non-expired).

OWASP Membership and CRISC (Certified in Risk and Information Systems Control) preferred.

8-10+ years of experience in security-focused roles, particularly in technology-heavy industries (e.g., Software, Financial Services).

Prior experience as a software engineer or systems/network engineer.

Proven track record of securing cloud-based services, ensuring scalability, performance, and reliability.

Experience with PII (Personally Identifiable Information) and security compliance regulations.
 

Organization: S&P Global
Industry: Business Development Jobs
Occupational Category: Business Information Security Officer
Job Location: London, UK
Shift Type: Morning
Job Type: Full Time
Gender: No Preference
Career Level: Intermediate
Experience: 2 Years
Posted at: 2024-12-16 4:51 pm
Expires on: 2025-01-30