Senior Manager, Information Security (Vendor Security Risk)

About The Position

Requirements

• Bachelor’s degree in Information Systems or related field or equivalent experience/certification
• 7+ years of information technology leadership experience including implementing, managing and governing security policies
• 3+ years direct work experience in third-party Risk Management
• One or more current information security certifications such as Certified in Risk and Information Systems Controls (CRISC), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP)

Nice To Haves

• A security certification such as GWAPT, GPEN, AWS Associate Architect, AWS Professional Architect, PCI experience.
• Demonstrated ability to effectively engage stakeholders at multiple levels, from individual contributors and technical SMEs to senior leadership, in a fast-paced, evolving environment
• Experience executing third-party/vendor risk assessments within a defined framework
• Experience supporting escalation of high-risk scenarios to leadership, including preparing clear, concise risk summaries and recommended actions
• Strong ability to analyze control evidence and document risk findings clearly
• Technical leadership experience in an outsourced environment
• Excellent communication skills and problem-solving ability
• Experience with reviewing and assessing security controls of Cloud service providers
• Experience evaluating SaaS and cloud service providers
• Knowledge of OWASP Top 10 and SANS 25.
• Understanding of vulnerability management outputs and ability to assess associated risk

Responsibilities

• Executing third-party risk assessments, including evaluating vendor control environments, documenting risk findings, and supporting risk-based outcomes.
• Supporting the overall security program including security policy, procedures, and standards.
• Assessing the risk of the internal and external IT systems.
• Ensuring Marriott iT documents are compliant with Marriott security policies and procedures.
• Reviewing documents for accuracy and completeness.
• Conducting periodic reassessments of vendors based on risk tiering and data sensitivity.
• Reviewing vendor-provided security evidence and identifying control gaps and areas of risk.
• Assisting in managing relationships with Service Providers who are responsible for the actual delivery of services, managing outcomes and results.
• Collaborating with stakeholders across IT and business departments to develop strategies for securing company information and assets.
• Planning, directing, and coordinating compliance activities pertaining to technology projects for a given business unit.
• Verifying that project goals are accomplished and in line with business objectives.
• Effectively communicating (verbally and written) across all levels within the organization.
• Managing shifting priorities, balancing multiple concurrent assessments, and adapting to evolving business needs and timelines while engaging stakeholders ranging from individual business owners to senior leadership.
• Overseeing, evaluating, and supporting the documentation, and validation processes necessary to assure that associates, information technology systems and business processes meet the organization’s information assurance, security, and privacy requirements.
• Ensuring appropriate treatment of risk, compliance, and assurance of internal policies and external regulations.
• Identifying and escalating material control deficiencies or elevated risk conditions to management with clear supporting documentation and business impact context.
• Highlighting scenarios where vendor risk exceeds acceptable thresholds, including lack of required controls, incomplete remediation, or misalignment with data protection expectations.
• Performing structured security risk assessments of third-party providers by reviewing control evidence, identifying gaps, and documenting risk findings.
• Documenting clear and defensible control gap analysis and risk assessments.
• Reviewing controls exception requests and providing risk-based input and recommendations.
• Reviewing and interpreting security findings provided by vendors or internal sources to determine risk impact.
• Validating completeness of assessment inputs and documenting findings and risk impact in an audit-ready manner.
• Leading, participating or performing various infrastructure compliance initiatives and projects.
• Monitoring compliance to applicable security policies and standards and reporting related risk issues.
• Managing and administering processes and tools that enable the organization to identify, document, and track third party risks and compliance exceptions.
• Conducting assessments of threats and vulnerabilities, determining deviations from acceptable configurations or enterprise or local policy, assessing the level of risk, and developing and/or recommending and operationalizing appropriate mitigation countermeasures.
• Providing sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain.
• Advocating policy changes and making a case on behalf of the company via a wide range of written and oral work products.
• Overseeing the information assurance (IA) program of an information system in or outside the network environment.
• Submitting reports in a timely manner, ensuring delivery deadlines are met.
• Promoting the documenting of project progress accurately.
• Providing input and assistance to other teams regarding projects.
• Managing multiple concurrent assessments and deliverables, adjusting priorities as needed to meet changing business demands.
• Coordinating across multiple stakeholders (e.g., business owners, application teams, and supporting technical contacts) to obtain required information and complete assessments.
• Escalating risks and blockers impacting assessment timelines or outcomes, including delays in stakeholder responses, incomplete vendor evidence, or conflicting business priorities.
• Managing and implementing work and projects as assigned.
• Generating and providing accurate and timely results in the form of reports, presentations, etc.
• Analyzing information and evaluating results to choose the best solution and solve problems.
• Providing timely, accurate, and detailed status reports as requested.
• Providing technical expertise and support to persons inside and outside of the department.
• Keeping up-to-date technically and applying new knowledge to job.
• Using computers and computer systems (including hardware and software) to enter data and/or process information.
• Adapting communication style and level of detail based on audience, including working directly with technical SMEs, business owners, and senior leadership stakeholders.
• Engaging business owners to gather required information, validate vendor use cases, and progress assessments efficiently.
• Providing clear, concise risk summaries and recommended actions suitable for leadership-level review and decision-making.
• Escalating high-risk vendor scenarios to senior leadership with well-documented context and recommended actions (e.g., significant control gaps identified during assessment, vendors handling sensitive data without required safeguards, or unresolved critical findings nearing go-live timelines).
• Balancing competing stakeholder priorities across multiple engagements while maintaining quality, consistency, and timeliness of deliverables.
• Developing specific goals and plans to prioritize, organize, and accomplish work.
• Determining priorities, schedules, plans and necessary resources to ensure completion of any projects on schedule.
• Demonstrating an understanding of business priorities.
• Maintaining responsiveness and adaptability in fast-paced or ambiguous situations, ensuring timely progression of assessments and deliverables.
• Responding to ad hoc requests requiring leadership visibility, including summarizing vendor risk posture, providing status updates, or supporting time-sensitive decision-making scenarios.
• Providing information to supervisors and co-workers by telephone, in written form, e-mail, or in person in a timely manner.
• Demonstrating self-confidence, energy and enthusiasm.
• Informing and/or updating leaders on relevant information in a timely manner.
• Managing time effectively and conducting activities in an organized manner.
• Presenting ideas, expectations and information in a concise, organized manner.
• Using problem solving methodology for decision making and follow up.
• Performing other reasonable duties as assigned by manager.

Benefits

• 401(k) plan
• stock purchase plan
• discounts at Marriott properties
• commuter benefits
• employee assistance plan
• childcare discounts
• medical coverage
• dental coverage
• vision coverage
• health care flexible spending account
• dependent care flexible spending account
• life insurance
• disability insurance
• accident insurance
• adoption expense reimbursements
• paid parental leave
• educational assistance
• paid sick leave
• paid holidays