Information Security Engineer

New York City / Remote

Applications have closed

Sotheby's

Sotheby's is the premier destination for auctions and private sales of Contemporary, Modern & Impressionist, Old Master Paintings, Jewelry, Watches, Wine, Decorative Arts, Asian Art & more


ABOUT SOTHEBY'S

Established in 1744, Sotheby’s is the world’s premier destination for art and luxury. Synonymous with innovation, Sotheby’s promotes access, connoisseurship and preservation of fine art and rare objects through auctions, private sales and retail locations. Our trusted global marketplace is supported by a network of specialists spanning 40 countries and 50 categories, which include Contemporary Art, Modern and Impressionist Art, Old Masters, Chinese Works of Art, Jewelry, Watches, Wine and Spirits, and Interiors, among many others.

 

THE ROLE 

It is Sotheby’s responsibility to maintain the trust and respect of its clients, and in so doing retain the reputation of the Sotheby’s brand.

The Sotheby’s Information Security team is undergoing an exciting and strategic transformation with a major focus on safeguarding client information through our Data Protection Program, designed to introduce controls that limit data loss risk.

If you ever wondered why a security control even exists, and wanted to try and do it differently or better, this is the job opportunity for you. We challenge the current security mindset. We aren’t satisfied with compliance and checkboxes. 

Sotheby’s Information Security Engineer will ensure that information remains in the hands of the right owners, is responsible for analyzing how data flows internally and externally, and will partner to deliver solutions to reduce real risks.

The Information Security Engineer is accountable for the development, implementation and ongoing support of Sotheby’s Data Loss Prevention Program.

The Information Security Engineer will develop new ventures and work with our industry partners in the core mission of ensuring that Sotheby’s services, applications, and infrastructure are designed and implemented to the highest security standards.

The Information Security Engineer will ensure that key data is monitored and protected.

RESPONSIBILITIES

  • Interface with other teams, and take a leadership role in driving internal security and privacy initiatives
  • Work with Director of Information Security, Information, Product & Technology teams, and Chief Technology Officer to design and implement network and application security controls
  • Conduct quarterly business reviews to present current data security risks and initiatives to Global Compliance Counsel
  • Organize strategic initiatives to steer end users on to corporate-managed solutions, limiting shadow IT
  • Assist Sotheby’s Legal and Compliance departments with business-related security evaluations
  • Create & be a stakeholder in the incident playbook
  • Conduct proof of concepts for data security vendors including establishing requirements, design, testing, global implementation, and post-implementation maintenance
  • Improve secure engineering practices in the engineering organization
  • Conduct regular security and risk assessments of Sotheby’s applications, infrastructure, and security controls
  • Triage incidents by examining violations and partnering with the business to further investigate as needed
  • Aid internal business departments in classifying sensitive information in accordance with Information Security Policy
  • Assist in developing Learning and Development initiatives to educate users on Information Security concepts
  • Interact directly with the security community regarding vulnerabilities and threats
  • Assist in developing Information Security Policies, Standards, and Procedures as a stakeholder and SME.
  • Participate in incident response workflows from alert to incident to post-incident review.
  • Develop security operations workflows.

 

IDEAL EXPERIENCE & COMPETENCIES

  • Bachelor’s Degree
  • 1-3 years of experience working in an information security capacity; experience in any of the following Cyber Security disciplines is a plus:
    • Data loss prevention
    • Vulnerability management
    • Cloud security
    • Application security
    • Incident response
    • Identity & access management
    • Threat Modeling
    • Vendor/Supplier management
    • Secure Configurations
  • Knowledge of programming and scripting languages
  • Excellent communication skills
  • Prior experience with technical business applications, knowledge of IT infrastructure and IT risks and controls
  • Knowledge of IT regulatory and compliance requirements
  • Experience with CASB implementation, data classification, GDPR, and Data Loss Prevention

Preferred Experience:

  • Has knowledge of information security frameworks, best practices, and regulations (GDPR, PCI, CIS, NIST CSF, etc.)
  • Possesses one or more information security certifications (CISSP, ISA, ISACA, SANS, etc.)
  • Has public cloud (AWS/Azure/GCP) information security experience
  • Experience with Netskope, Splunk, Okta, CrowdStrike, Tableau, Malwarebytes, and scripting (Python, PowerShell, etc.) is a plus
  • Leans with a growth mindset and questions the information security status quo & ‘security theater’ that may be found elsewhere
  • Will have one or more relevant professional certifications (CISSP, SANS, CISM, or other) and will continue to grow and achieve professional goals.
  • Has demonstrated successful experience in a related area, such as security engineering or operations, management consulting, or management and has the ability to discuss and articulate more technical and complex security topics (in addition to risk management concepts and the process of risk assessments).
  • Has confidence in their expertise, but also knows who to look to for help. Achieving greater skill sets and expanding their understanding of security control techniques should be an on-going goal.
  • Understands they must gain experience in other areas of technical or operational engineering. Ongoing education to maintain their certs and challenge their expertise will motivate this person.
  • Understands workload management including understanding and seeking help prioritizing. They help others on the team that may need their leadership, but their leadership qualities enable them to also lead people outside of their team or department.
  • Is able to communicate reports to coworkers in any department, especially non-technical teammates, and help them understand proper information security controls
  • Helps coworkers figure out good security controls without compromising ethics or introducing unacceptable risk.


The Company is an equal opportunity employer and considers all applicants for employment without regard to race (including, without limitation, traits historically associated with race, such as natural hair, hair texture, and protective and treated or untreated hairstyles), color, creed, religion, sex, sexual orientation, marital or civil partnership/union status, national origin, age, disability, pregnancy, genetic predisposition, genetic information, reproductive health decision, sexual orientation, gender identity or expression, alienage or citizenship status, domestic violence victim status, military or veteran status, or any other characteristic protected by federal, state/province or local law. The Company complies with applicable state and local laws prohibiting discrimination in employment in every jurisdiction in which it operates.


Tags: Application security AWS Azure CISM CISSP Cloud Compliance CrowdStrike GCP GDPR Incident response ISACA IT infrastructure Malware NIST Okta PowerShell Privacy Python Risk assessment Risk management SANS Scripting Splunk Vulnerabilities Vulnerability management

Perks/benefits: Career development

Regions: Remote/Anywhere North America
Country: United States