Group Chief Information Security Officer

Barnes & Noble, New York, NY

About The Position

The Chief Information Security Officer (CISO) will lead and oversee the Information Security program across the entire organization. The role will be responsible for developing, implementing, and maintaining a unified enterprise security strategy that ensures the confidentiality, integrity, and availability of the company’s information assets, platforms, infrastructure, and customer data across all business operations. As the organization continues to modernize its retail, digital, cloud, and enterprise technology platforms, we require a transformational security leader capable of driving the next phase of cybersecurity maturity across the group.

This role is significantly broader than traditional cybersecurity operations and compliance management. The CISO will play a critical leadership role in helping the organization securely navigate large-scale technology transformation, AI adoption, cloud modernization, evolving regulatory requirements, and an increasingly sophisticated global threat landscape.

The CISO will be responsible for establishing and leading a group-wide cybersecurity strategy across both US and UK operations, driving consistency in governance, policy, standards, risk management, incident response, and operational security practices. This includes developing enterprise security standards, modernizing security architecture, implementing Zero Trust principles, strengthening cloud and identity security, improving business resilience, and reducing legacy technology and operational risk across the environment.

Cybersecurity has evolved far beyond traditional perimeter defense and audit-driven compliance programs. We now face a rapidly changing threat environment driven by AI-enabled attacks, ransomware, cloud complexity, third-party supply chain risk, increasing regulatory scrutiny, and growing operational dependence on digital platforms.
As a result, the CISO must operate not only as a security leader, but also as a strategic business partner and an agent for transformation. This role will require close collaboration with executive leadership, technology teams, legal, compliance, operations, and external partners to ensure security is embedded into the organization’s strategy and business operations. Given the strategic importance of cybersecurity and enterprise risk management to the organization, the CISO role will maintain a regular reporting cadence with the Board Risk Committee and will be responsible for providing ongoing updates related to cybersecurity posture, operational risk, regulatory compliance, major initiatives, emerging threats, and overall enterprise resilience.

Requirements

  • Bachelor’s degree in Information Security, Computer Science, Engineering, or a related field; advanced degree (e.g., MS in Cybersecurity) preferred.
  • 15+ years of experience in Information Security, with at least 7 years in a senior or executive leadership role overseeing enterprise-scale security programs.
  • Proven success leading global cybersecurity initiatives across multi-national or multi-brand organizations.
  • Deep understanding of information security frameworks, technologies, and architectures, including Zero Trust, cloud security, and identity management.
  • Strong knowledge of regulatory requirements across U.S. and European jurisdictions, including GDPR, CCPA, and other privacy/security regulations.
  • Demonstrated ability to balance security risk management with business enablement, ensuring security strategies are aligned with business objectives.
  • Experience in incident response, crisis management, and executive-level communications during security incidents.
  • Recognized as a strategic cybersecurity leader who can inspire trust and confidence at board, executive, and operational levels.
  • Strong executive presence, with the ability to communicate complex technical concepts in clear, business-relevant terms.
  • Proven capability to build, mentor, and lead high-performing security teams and encourage collaboration across geographies and business functions.

Nice To Haves

  • CISSP, CISM, CISA, CRISC, CCISO, or equivalent industry-recognized credentials.

Responsibilities

  • Define and execute a unified cybersecurity strategy that supports the business objectives of both B&N and Waterstones.
  • Lead the development and implementation of security policies, standards, and procedures that align with local regulations and best practices.
  • Serve as a trusted advisor to executive leadership and Board of Directors for both organizations.
  • Lead the enterprise cybersecurity incident response and crisis management program, coordinating cross-functional response activities during major cyber incidents, ransomware events, operational disruptions, and data breaches.
  • Act as the primary technical contact with external crisis response agencies, cyber insurance providers, legal counsel, forensic investigators, regulators, and law enforcement agencies during significant cybersecurity incidents.
  • Drive the continuous maturation of the organization’s cyber resilience capabilities, including incident response planning, ransomware preparedness, disaster recovery, business continuity, tabletop exercises, and enterprise recovery strategies.
  • Establish and maintain enterprise-wide cyber incident response standards, escalation procedures, communication protocols, and post-incident review processes to improve organizational readiness and operational resilience.
  • Direct 24/7 global security operations, including monitoring, detection, and response to security incidents.
  • Leverage AI to improve detection, response, and scale.
  • Ensure security is embedded in infrastructure, applications, cloud environments, and software platforms.
  • Drive Zero Trust adoption, identity and access management, and secure data handling practices across both organizations.
  • Oversee regular penetration testing, vulnerability assessments, and third-party risk management.
  • Lead and foster collaboration between the B&N and Waterstones Information Security teams.
  • Recruit, mentor, and retain top cybersecurity talent.
  • Direct work and ensure appropriate performance levels of all Security team members across Waterstones and B&N, working together with the senior leadership team to create a performance-based culture.
  • Partner with IT, Legal, Risk, HR, and other business units to ensure a holistic approach to Information Security.
  • Serve as a visible and influential cybersecurity leader across both organizations, representing the Information Security function internally and externally.
  • Champion a strong culture of security awareness at all levels of the organization and across both businesses.
  • Act as the public and internal face of the cybersecurity function, partnering with executive leadership, board members, auditors, and external partners to communicate the organization’s security vision and maturity.
  • Automate incident triage and response (SOAR + AI).
  • Enhance phishing and fraud detection using ML models.
  • Collaborate with HR and Legal to define AI security policies and acceptable use standards.
  • Classify and approve AI tools and vendors.
  • Align with emerging regulatory frameworks (EU AI Act, etc.).
  • Prevent data leakage into external AI platforms.
  • Enforce data classification and masking for AI use.
  • Monitor environment for unauthorized use of enterprise data in AI tools.
  • Assess AI capabilities in vendor platforms.
  • Prepare for and defend against: AI-generated phishing (highly personalized), Deepfake-based social engineering, Automated vulnerability discovery by attackers.
  • Update training and awareness programs accordingly.
  • Utilize AI to reduce reliance on manual Tier 1/2 SOC work.
  • Shift talent toward engineering, threat hunting, and strategy.
  • Integrate AI into security tooling stack (SIEM, EDR, XDR).
  • Define and enforce enterprise data security standards, policies, and controls to ensure the confidentiality, integrity, and availability of corporate and customer data.
  • Establish data classification standards and ensure data is appropriately categorized, protected, retained, archived, and disposed of based on business and regulatory requirements.
  • Oversee encryption standards and key management practices for data at rest, in transit, and within cloud environments.
  • Ensure appropriate access controls and privilege security models are implemented across enterprise platforms and data repositories.
  • Partner with Legal, Compliance, and technology teams to ensure adherence to data privacy and regulatory requirements, including GDPR, PCI-DSS, SOX, CCPA, and other relevant industry standards.
  • Develop and maintain Data Loss Prevention (DLP) strategies and monitoring capabilities to reduce the risk of unauthorized disclosure or exfiltration of sensitive information.
  • Support the development of enterprise-wide awareness and training programs related to data handling, privacy, cybersecurity, and acceptable AI usage practices.
  • Establish a third-party cybersecurity risk management program to assess, monitor, and mitigate risks associated with vendors, cloud providers, SaaS platforms, outsourced service providers, and strategic technology partners.
  • Define security governance standards and due diligence processes for vendor onboarding, contract reviews, system integrations, and vendor risk assessments.
  • Oversee continuous monitoring and risk evaluation of critical third-party providers, including incident response coordination, security assessments, penetration testing, and remediation monitoring if needed.
  • Develop governance frameworks and contingency strategies to reduce operational, financial, and reputational risk associated with third-party cyber incidents, software supply chain compromise, and critical vendor outages.
  • Lead the information security compliance program to ensure alignment with applicable regulatory, legal, and industry requirements across the organization, including SOX or equivalent, PCI-DSS, GDPR, UK GDPR, data privacy regulations, and other applicable corporate and retail compliance obligations.

Benefits

  • Employee Discount
  • EAP
  • Sick Pay
  • Paid Time Off
  • Maternity Leave
  • Parental Leave
  • Company Paid Holidays
  • Transit
  • 401(k) with Company Match
  • Comprehensive Health Benefits (Medical, Dental and Vision)
  • Healthcare and Dependent Care Spending Accounts
  • Healthcare Spending Account
  • Disability Benefits
  • Life Insurance
  • Tuition Reimbursement