Business Information Security Officer

**About the Role**:
**Grade Level (for internal use)**: 14
We are looking for a pro-active and forward-thinking Business Information Security Officer that is well versed in information security management principles and comes from a technical hands-on background and can manage multiple parallel projects. This is a leadership position within the S&P Enterprise Data Organization (EDO) focusing on establishing best practices and driving security practices within the business unit.
As the Business Information Security Officer, you will be the Cyber Security & Assurance primary point of contact for the division, responsible for the development, communication, compliance and governance of the divisional security strategy, roadmap and policies that are in alignment with the organization’s overall security objectives.

**Responsibilities**:
Design, implement, and maintain global security policies, standards, and procedures focused on protecting data across all environments, ensuring alignment with business and IT priorities.
Ensure the divisional security strategy aligns with broader organizational goals, particularly data privacy and protection regulations (e.g., GDPR, CCPA).
Own and manage all data-related security risks, performing risk assessments specific to data storage, processing, and transfer.
Identify, assess, and prioritize data security vulnerabilities, ensuring effective remediation plans are in place and executed.
Conduct periodic audits of data security controls to ensure compliance with internal policies and external regulations.
Ensure adherence to data protection laws and implement robust measures for data privacy, security, and retention.
Ensure that data security requirements are incorporated into all phases of technology systems, from design through deployment.
Lead investigations into data security breaches, ensuring proper reporting and communication with senior management during incidents.
Work with the Cyber Incident Response Team (CIRT) to address and mitigate cybersecurity incidents, ensuring appropriate remediation of data breaches.
Develop and deliver targeted security training programs for employees, contractors, and third parties on best practices for data protection.
Implement ongoing data security awareness initiatives, ensuring all stakeholders understand the importance of safeguarding organizational data.
Coordinate with third-party security vendors to conduct vulnerability assessments, penetration tests, and security audits focused on data protection.
Stay current on emerging data security trends, threats, and technologies, recommending updates to security measures as needed.
Establish and maintain a strong data security posture, continuously monitoring the effectiveness of controls and processes.
Represent EDO security to external stakeholders.
Regularly evaluate the organization’s data security safeguards, ensuring they provide robust protection against evolving threats and data-related risks.
**Qualifications & Experience**:
Bachelor’s degree in computer science, Information Systems, Engineering, or a related field (master’s preferred).
CISSP (Certified Information Systems Security Professional) is a MUST (non-expired).
OWASP Membership and CRISC (Certified in Risk and Information Systems Control) preferred.
8- 10+ years of experience in security-focused roles, particularly in technology-heavy industries (e.g., Software, Financial Services).
Prior experience as a software engineer or systems/network engineer.
Proven track record of securing cloud-based services, ensuring scalability, performance, and reliability.
Experience with PII (Personally Identifiable Information) and security compliance regulations.
Strong understanding of NIST security controls frameworks, risk assessment, and risk management.
Experience in secure software design, security testing, and vulnerability remediation.
Familiarity with service control frameworks such as SOC 1 and 2.
Knowledge of threat modeling and risk management practices.
Strong ability to design secure architectures and review security in development processes.
Familiarity with common security testing tools, vulnerability scanners, and security code reviews.
Strong project management skills with experience leading cross-functional teams in large, complex security projects.
Demonstrated ability to mentor and lead security engineers and managers, fostering a culture of high morale and agility.
Experience with usage and Risk around use of AI in the enterprise a definite bonus
S&P Global states that the anticipated base salary range for this position is $152,600 to $285,000. Final base salary for this role will be based on the individual’s geographic location, as well as experience level, skill set, training, licenses and certifications. In addition to base compensation, this role is eligible for an annual incentive plan. This role is eligible to receive additional S&P Global benefits. For more information on the benefits we provide to our em