BISO (Business Information Security Office) Lead

About The Position

Requirements

• Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field.
• 7–10 years of progressive experience in security architecture, IT risk management, and/or GRC.
• Deep knowledge of cybersecurity frameworks and regulatory standards including OWASP, NIST CSF, NIST 800-53, ISO 27001/27002, SOC 2, GDPR, and HIPAA.
• Demonstrated experience designing and reviewing secure architectures across cloud (AWS, Azure, GCP), hybrid, and on-premises environments.
• Proven ability to conduct threat modeling, risk quantification, and control assessments for complex enterprise environments.
• Hands-on experience with GRC platforms and tools (e.g., ServiceNow , Archer, OneTrust, or similar).
• Ability to influence cross-functional teams and communicate security architecture and risk concepts — both verbally and in writing — to business leaders, technical teams, and executive stakeholders.
• Experience developing and maintaining security policies, standards, and risk registers.
• CISSP, CISM, or CCSP — required (or obtained within 12 months of hire).
• CRISC (Certified in Risk and Information Systems Control) — highly preferred.

Nice To Haves

• Experience implementing and improving cybersecurity solutions and supporting operational processes
• Experience in infrastructure/network engineering and IT operations
• Experience designing and implementing Zero Trust architecture principles at scale.
• Familiarity with DevSecOps practices and integrating security into CI/CD pipelines.
• Experience with risk quantification methodologies (e.g., FAIR).
• Knowledge of cloud-native security services and infrastructure-as-code security scanning.
• Experience supporting M&A due diligence or third-party risk management from an architecture and GRC perspective.
• Additional certifications valued: CGEIT, TOGAF, SABSA, AWS/Azure Security Specialty.

Responsibilities

• Lead Security Architecture Design & Review: Drive and contribute to the end-to-end secure architecture review process for on-prem, cloud, and hybrid applications/infrastructure, ensuring adherence to secure design principles, reference architectures, security requirements and compliance standards.
• Support the use of and contribute to security architecture patterns, blueprints, and reference models that align with enterprise strategy and evolving threat landscapes.
• Evaluate proposed technical designs and system integrations to ensure security requirements are met, providing prescriptive architectural and control recommendations.
• Perform security reviews for operational and architectural changes
• Drive Enterprise Risk Management: Lead and support comprehensive risk assessments — including threat modeling, control gap analysis, compensating control and risk quantification — for complex, high-impact projects and initiatives.
• Support the maintenance of the risk register, ensuring identified risks are documented, assigned ownership is appropriate, tracked through remediation, and reported to leadership.
• Propose and validate risk mitigation and treatment strategies, balancing security requirements with business objectives and risk appetite.
• Support Governance Activities the GRC Program: Support and advance the organization's Governance, Risk, and Compliance (GRC) program, ensuring alignment with regulatory requirements and industry frameworks (e.g., NIST CSF/800-53, ISO 27001/27002, SOC 2, GDPR, HIPAA, CMMC).
• Lead the evidence gathering, control testing, and documentation processes for internal and external audits, regulatory examinations, and certification efforts.
• Develop, refine, and enforce security policies, standards, and guidelines in collaboration with legal, compliance, and business stakeholders.
• Serve as Primary Security Officer & Risk Contact: Act as the authoritative resource for security architecture and risk management across business initiatives, ensuring requirements are understood, prioritized, and implemented effectively.
• Embed security and risk considerations early in the technology and project lifecycle (shift-left approach), partnering with solution architects, engineering, and product teams.
• Communicate & Report on Risk Posture: Translate complex security architecture risks and GRC findings into business terms for project managers, executive leadership, and board-level audiences — highlighting operational, financial, and reputational impacts.
• Drive the development and maintenance of dashboards and reports tracking key risk indicators (KRIs), vulnerability trends, audit findings, control effectiveness, compliance status across assigned domains, etc.
• Present periodic risk and compliance briefings to senior leadership and governance committees.
• Build deep institutional knowledge through continuous engagement with business and IT stakeholders to ensure alignment to information security expectations.
• Support Incident Response & Resilience: Assist in planning and coordinating remediation and recovery efforts during security incidents, with a focus on architectural root-cause analysis and control improvement.
• Incorporate lessons learned from incidents into architecture standards and risk assessments to strengthen the organization's security posture.
• Mentor & Build Organizational Capability: Provide guidance, coaching, and knowledge-sharing to junior architects, BISO staff, and cross-functional team members to elevate organizational security and risk management maturity.
• Foster a risk-aware culture through training, awareness programs, and stakeholder engagement.

Benefits

• medical
• dental
• vision care
• backup dependent care
• adoption assistance
• infertility coverage
• family building support
• behavioral health solutions
• paid parental leave
• paid caregiver leave
• training programs
• professional development resources
• mentorship programs
• employee resource groups
• volunteer activities