
Group Chief Information Security Officer

Job

Barnes & Noble, Inc.

New York, NY (In Person)

$375,000 Salary, Full-Time

Posted 3 days ago (Updated 1 day ago) • Actively hiring

Expires 7/12/2026


Job Description

Group Chief Information Security Officer
NY-New York (Union Square)

Job Summary

The Chief Information Security Officer (CISO) will lead and oversee the Information Security program across the entire organization. The role will be responsible for developing, implementing, and maintaining a unified enterprise security strategy that ensures the confidentiality, integrity, and availability of the company's information assets, platforms, infrastructure, and customer data across all business operations.

As the organization continues to modernize its retail, digital, cloud, and enterprise technology platforms, we require a transformational security leader capable of driving the next phase of cybersecurity maturity across the group.

This role is significantly broader than traditional cybersecurity operations and compliance management. The CISO will play a critical leadership role in helping the organization securely navigate large-scale technology transformation, AI adoption, cloud modernization, evolving regulatory requirements, and an increasingly sophisticated global threat landscape.

The CISO will be responsible for establishing and leading a group-wide cybersecurity strategy across both US and UK operations, driving consistency in governance, policy, standards, risk management, incident response, and operational security practices. This includes developing enterprise security standards, modernizing security architecture, implementing Zero Trust principles, strengthening cloud and identity security, improving business resilience, and reducing legacy technology and operational risk across the environment.

Cybersecurity has evolved far beyond traditional perimeter defense and audit-driven compliance programs. We now face a rapidly changing threat environment driven by AI-enabled attacks, ransomware, cloud complexity, third-party supply chain risk, increasing regulatory scrutiny, and growing operational dependence on digital platforms.
As a result, the CISO must operate not only as a security leader, but also as a strategic business partner and an agent for transformation. This role will require close collaboration with executive leadership, technology teams, legal, compliance, operations, and external partners to ensure security is embedded into the organization's strategy and business operations.

Given the strategic importance of cybersecurity and enterprise risk management to the organization, the CISO role will maintain a regular reporting cadence with the Board Risk Committee and will be responsible for providing ongoing updates related to cybersecurity posture, operational risk, regulatory compliance, major initiatives, emerging threats, and overall enterprise resilience.

Benefits

Benefits for those who are scheduled to work less than 20 hours per week include Employee Discount, EAP and Sick Pay. For those scheduled to work between 20 and 29.99 hours, benefits include Employee Discount, EAP, Sick Pay and Paid Time Off including paid Maternity and Parental Leave, Company Paid Holidays, Transit and 401(k) with Company Match. For those scheduled to work 30 hours or more, benefits include Employee Discount, EAP, Sick Pay and Paid Time Off including paid Maternity and Parental Leave, Company Paid Holidays, 401(k) with Company Match, Comprehensive Health Benefits (Medical, Dental and Vision), Healthcare and Dependent Care Spending Accounts, Healthcare Spending Account, Disability Benefits, Life Insurance, Transit, and Tuition Reimbursement. All benefits provided are in accordance with the terms of the current plan and may be subject to future change. Benefits may vary depending on location/state regulations. More information can be obtained from the recruiter or Human Resources.

An employee in this position can expect an annual starting rate between $350,000 - $400,000 depending on experience, seniority, geographic location, and other factors permitted by law.
What You Do

Global Security Strategy
  • Define and execute a unified cybersecurity strategy that supports the business objectives of both B&N and Waterstones.
  • Lead the development and implementation of security policies, standards, and procedures that align with local regulations and best practices.
  • Serve as a trusted advisor to executive leadership and the Board of Directors for both organizations.

Security Operations & Incident Response Leadership
  • Lead the enterprise cybersecurity incident response and crisis management program, coordinating cross-functional response activities during major cyber incidents, ransomware events, operational disruptions, and data breaches.
  • Act as the primary technical contact with external crisis response agencies, cyber insurance providers, legal counsel, forensic investigators, regulators, and law enforcement agencies during significant cybersecurity incidents.
  • Drive the continuous maturation of the organization's cyber resilience capabilities, including incident response planning, ransomware preparedness, disaster recovery, business continuity, tabletop exercises, and enterprise recovery strategies.
  • Establish and maintain enterprise-wide cyber incident response standards, escalation procedures, communication protocols, and post-incident review processes to improve organizational readiness and operational resilience.
  • Direct 24/7 global security operations, including monitoring, detection, and response to security incidents.

Technology & Infrastructure Security
  • Leverage AI to improve detection, response, and scale.
  • Ensure security is embedded in infrastructure, applications, cloud environments, and software platforms.
  • Drive Zero Trust adoption, identity and access management, and secure data handling practices across both organizations.
  • Oversee regular penetration testing, vulnerability assessments, and third-party risk management.

Team Leadership & Development
  • Lead and foster collaboration between the B&N and Waterstones Information Security teams.
  • Recruit, mentor, and retain top cybersecurity talent.
  • Direct work and ensure appropriate performance levels of all Security team members across Waterstones and B&N, working together with the senior leadership team to create a performance-based culture.
  • Partner with IT, Legal, Risk, HR, and other business units to ensure a holistic approach to Information Security.

Executive Leadership & Cybersecurity Influence
  • Serve as a visible and influential cybersecurity leader across both organizations, representing the Information Security function internally and externally.
  • Champion a strong culture of security awareness at all levels of the organization and across both businesses.
  • Act as the public and internal face of the cybersecurity function, partnering with executive leadership, board members, auditors, and external partners to communicate the organization's security vision and maturity.

AI-Enhanced Cyber Defense & Governance
  • Leverage AI to improve detection, response, and scale.
  • Automate incident triage and response (SOAR + AI).
  • Enhance phishing and fraud detection using ML models.
  • Collaborate with HR and Legal to define AI security policies and acceptable use standards.
  • Classify and approve AI tools and vendors.
  • Align with emerging regulatory frameworks (EU AI Act, etc.).
  • Prevent data leakage into external AI platforms.
  • Enforce data classification and masking for AI use.
  • Monitor the environment for unauthorized use of enterprise data in AI tools.
  • Assess AI capabilities in vendor platforms.
  • Prepare for and defend against:
      ◦ AI-generated phishing (highly personalized)
      ◦ Deepfake-based social engineering
      ◦ Automated vulnerability discovery by attackers
  • Update training and awareness programs accordingly.
  • Utilize AI to reduce reliance on manual Tier 1/2 SOC work.
  • Shift talent toward engineering, threat hunting, and strategy.
  • Integrate AI into the security tooling stack (SIEM, EDR, XDR).

Knowledge & Experience

Data Security & Protection
  • Define and enforce enterprise data security standards, policies, and controls to ensure the confidentiality, integrity, and availability of corporate and customer data.
  • Establish data classification standards and ensure data is appropriately categorized, protected, retained, archived, and disposed of based on business and regulatory requirements.
  • Oversee encryption standards and key management practices for data at rest, in transit, and within cloud environments.
  • Ensure appropriate access controls and privilege security models are implemented across enterprise platforms and data repositories.
  • Partner with Legal, Compliance, and technology teams to ensure adherence to data privacy and regulatory requirements, including GDPR, PCI-DSS, SOX, CCPA, and other relevant industry standards.
  • Develop and maintain Data Loss Prevention (DLP) strategies and monitoring capabilities to reduce the risk of unauthorized disclosure or exfiltration of sensitive information.
  • Support the development of enterprise-wide awareness and training programs related to data handling, privacy, cybersecurity, and acceptable AI usage practices.

Third-Party & Supplier Risk Governance
  • Establish a third-party cybersecurity risk management program to assess, monitor, and mitigate risks associated with vendors, cloud providers, SaaS platforms, outsourced service providers, and strategic technology partners.
  • Define security governance standards and due diligence processes for vendor onboarding, contract reviews, system integrations, and vendor risk assessments.
  • Oversee continuous monitoring and risk evaluation of critical third-party providers, including incident response coordination, security assessments, penetration testing, and remediation monitoring where needed.
  • Develop governance frameworks and contingency strategies to reduce operational, financial, and reputational risk associated with third-party cyber incidents, software supply chain compromise, and critical vendor outages.

Regulatory & Audit Compliance Responsibilities
  • Lead the information security compliance program to ensure alignment with applicable regulatory, legal, and industry requirements across the organization, including SOX or equivalent, PCI-DSS, GDPR, UK GDPR, data privacy regulations, and other applicable corporate and retail compliance obligations.

Education & Professional Background
  • Bachelor's degree in Information Security, Computer Science, Engineering, or a related field; advanced degree (e.g., MS in Cybersecurity) preferred.
  • 15+ years of experience in Information Security, with at least 7 years in a senior or executive leadership role overseeing enterprise-scale security programs.
  • Proven success leading global cybersecurity initiatives across multi-national or multi-brand organizations.

Technical & Strategic Expertise
  • Deep understanding of information security frameworks, technologies, and architectures, including Zero Trust, cloud security, and identity management.
  • Strong knowledge of regulatory requirements across U.S. and European jurisdictions, including GDPR, CCPA, and other privacy/security regulations.
  • Demonstrated ability to balance security risk management with business enablement, ensuring security strategies are aligned with business objectives.
  • Experience in incident response, crisis management, and executive-level communications during security incidents.

Leadership & Influence
  • Recognized as a strategic cybersecurity leader who can inspire trust and confidence at board, executive, and operational levels.
  • Strong executive presence, with the ability to communicate complex technical concepts in clear, business-relevant terms.
  • Proven capability to build, mentor, and lead high-performing security teams and encourage collaboration across geographies and business functions.

Certifications (Preferred)
  • CISSP, CISM, CISA, CRISC, CCISO, or equivalent industry-recognized credentials.
Auto req ID: 91431BR
Employment Type: Full-Time
City: New York
State: New York

EEO Statement

As an Affirmative Action Employer, Barnes & Noble hires qualified people to perform the many tasks necessary for the success of our business and is committed to diversity in the workplace. An essential part of this policy is providing equal employment opportunity for all. All employment practices and decisions—including those involving application procedures, recruitment or recruitment advertising, hiring, placement, job assignment, transfer, promotion, demotion, training, rates of pay or other forms of compensation, benefits, discipline, leave of absence, layoff, recall, termination and general treatment during employment—will be conducted without regard to age, race, color, ancestry, national origin, citizenship status, military or veteran status, religion, creed, disability, sex, sexual orientation, marital status, medical condition as defined by applicable law, genetic information, gender, gender identity, gender expression (including transgender status), hairstyle, height and/or weight, pregnancy, childbirth and related medical conditions, reproductive health decisions, or any other self-identified, perceived or actual characteristic protected by applicable federal, state, or local laws and ordinances.

Please tell us if you require a reasonable accommodation to apply for a job or to perform your job. Examples of reasonable accommodation include making a change to the application process or work procedures, providing documents in an alternate format, using a sign language interpreter, or using specialized equipment. Contact (800) 799-5335.

© 1997-2024 Barnes & Noble Booksellers, Inc. 33 East 17th Street, New York, NY 10003

Job Category: Information Systems & Technology