Information Security Program Lead

New York City / Remote

Applications have closed

Sotheby's

Sotheby's is the premier destination for auctions and private sales of Contemporary, Modern & Impressionist, Old Master Paintings, Jewelry, Watches, Wine, Decorative Arts, Asian Art & more

ABOUT SOTHEBY'S

Established in 1744, Sotheby’s is the world’s premier destination for art and luxury. Synonymous with innovation, Sotheby’s promotes access, connoisseurship and preservation of fine art and rare objects through auctions, private sales and retail locations. Our trusted global marketplace is supported by a network of specialists spanning 40 countries and 50 categories, which include Contemporary Art, Modern and Impressionist Art, Old Masters, Chinese Works of Art, Jewelry, Watches, Wine and Spirits, and Interiors, among many others.

THE ROLE

Sotheby’s Information Security team is undergoing an exciting and strategic transformation and we are looking for a dynamic program lead to join the team. The Information Security team is challenging the industry status quo and is not satisfied doing things “the way they’ve always been done.” 

This position will work closely with Information Security and cross-functional teams to ensure the success of the first-ever information security program at Sotheby’s. The Program Lead is accountable for implementing the OKRs and KRIs that track the implementation of the Information Security policy framework and the processes that will protect Sotheby’s data.

RESPONSIBILITIES

You will serve as a central point of contact for Information Security & IT and ensure operations and strategy are working as planned. Your main function will be to work with the primary stakeholders and help develop and implement programs that will mature Sotheby’s Information Security and IT Programs. You'll collaborate with product, engineering, and business operations teams to prioritize and manage security & IT initiatives, coordinate work, create new processes and mature existing workflows.

What You Get To Do Every Day:

  • Provide support with strategic planning and daily initiatives.
  • Act as a key point of contact with IT management, information security management and business unit stakeholders for cybersecurity and IT related projects.
  • Assist with program roadmaps and communications disseminated throughout the organization.
  • Work in tandem with the CISO and other technology leaders on financial planning and analysis, and additional fiduciary responsibilities.
  • Monitor all information security and IT projects and procurement from inception to successful completion, fully understanding the purpose of projects, technologies and their value-add to the organization.
  • Work with information security management to help define key performance indicators (KPIs) and metrics that align with business initiatives, and deliver them to non-technical individuals.
  • Support security governance process across the business in conjunction with an information security steering committee and advisory board.
  • Provide effective, hands-on technical program management to drive completion of initiatives across multiple business functions.

IDEAL EXPERIENCE & COMPETENCIES

  • 5+ years of relevant work experience in Information Security, or Information Risk project/program management
  • Bachelor’s Degree
  • Experience with SAP, cloud platforms (AWS, Azure, GCP, Salesforce), SaaS, SSO (Okta, OAuth, etc.), CASB, DLP, vulnerability management software
  • Prior experience with technical business applications, knowledge of IT infrastructure and IT risks and controls preferred
  • Knowledge of IT regulatory and compliance requirements strongly preferred
  • Desired certifications, one or more of the following: CISSP, CISM, CISA, CIA, CRISC.

Preferred Experience:

  • Has knowledge of information security frameworks, best practices, and regulations (GDPR, PCI, CIS, NIST CSF, etc.)
  • Possesses one or more Information Security certifications (CISSP, ISA, ISACA, SANS, etc.)
  • Has public cloud (AWS/Azure/GCP) information security experience
  • Leads with a growth mindset and questions the information security status quo and the ‘security theater’ that may be found elsewhere
  • Has one or more relevant professional certifications (CISSP, SANS, CISM, or other) and will continue to grow and achieve professional goals.
  • Has demonstrated successful experience in a related area, such as security engineering or operations, management consulting, or management and has the ability to discuss and articulate more technical and complex security topics (in addition to risk management concepts and the process of risk assessments).
  • Has confidence in their expertise, but also knows who to look to for help. Achieving greater skill sets and expanding their understanding of security control techniques should be an on-going goal.
  • Understands they must gain experience in other areas of technical or operational engineering. Ongoing education to maintain their certs and challenge their expertise will motivate this person.
  • Understands workload management including understanding and seeking help prioritizing. They help others on the team that may need their leadership, but their leadership qualities enable them to also lead people outside of their team or department.
  • Is able to communicate reports to coworkers in any department, especially non-technical teammates, and help them understand proper information security controls.
  • Helps coworkers figure out good security controls without compromising ethics or introducing unacceptable risk.

The Company is an equal opportunity employer and considers all applicants for employment without regard to race (including, without limitation, traits historically associated with race, such as natural hair, hair texture, and protective and treated or untreated hairstyles), color, creed, religion, sex, sexual orientation, marital or civil partnership/union status, national origin, age, disability, pregnancy, genetic predisposition, genetic information, reproductive health decision, sexual orientation, gender identity or expression, alienage or citizenship status, domestic violence victim status, military or veteran status, or any other characteristic protected by federal, state/province or local law. The Company complies with applicable state and local laws prohibiting discrimination in employment in every jurisdiction in which it operates.

Tags: AWS Azure CIA CISA CISM CISSP Cloud Compliance CRISC GCP GDPR Governance ISACA IT infrastructure KPIs NIST OKR Okta Privacy Risk assessment Risk management SaaS SANS SAP SSO Strategy Vulnerability management

Perks/benefits: Career development

Regions: Remote/Anywhere North America
Country: United States
Category: Leadership Jobs