Technology NEW YORK, New York, USA

Chief Information Security Officer

Company Intro

Booking Holdings (NASDAQ: BKNG) is the world leader in online travel and related services, provided to customers and partners in over 220 countries and territories through six primary consumer-facing brands – Booking.com, KAYAK, priceline, agoda.com, Rentalcars.com, and OpenTable. The mission of Booking Holdings is to make it easier for everyone to experience the world. 

Booking Holdings Financial Services (hereinafter “BHFS”) provides financial services in the form of payment services and e-money products across all the brands. BHFS is committed to conducting its business in compliance with applicable laws, regulations and guidelines, with integrity and to the highest ethical standards

Job Summary

The CISO will be tasked with setting up the Information Security program  for BHFS US, develop security framework to comply with all regulatory requirements in each US state, and deliver security readiness and ongoing security improvement and enhancement programs for BHFS US. The CISO will be part of  the BHFS US Leadership team and report to the Managing Director of BHFS US.

Responsibilities and Duties

  • Develop Security Framework for BHFSUS ensuring compliance with money transmission and money service business regulatory requirements in each state and federal level.

  • Ensure security readiness for each US state through analysis of requirements and implementation of security controls to meet requirements and best practice.

  • Localize security policy and processes to ensure adherence to requirements and also corporate standards.

  •  Lead the implementation of security policies and operationalize for BHFSUS

  • Monitor compliance on an ongoing basis, execute risk assessments and address risks and issues in a timely manner.

  • Report on emerging new threats and provide solutions and education accordingly

  • Enforce strong security adherence across the BHFSUS organization, develop and deliver training and security awareness programmes. Communicate the value of cybersecurity throughout all levels of the organization's stakeholders.

  • Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.

  • Work at local level and across the Brands to enhance and implement security standards.

  • Respond to incidents, establish appropriate standards and controls. Report to Exec Team, ensuring awareness of current and emerging threats.

  • Specify and oversee the implementation of IT security measures.

  • Organize penetration testing.

  • Execute external and internal IT vulnerability assessments and own the delivery of remediation.

  • Be the ‘go to’ expert for BHFSUS on all matters relating to IT security

  • Provide regular reports to CPTO and Exec Team of BHFS. Advise senior management on risk levels and security posture.

  • Advise senior management on cost-benefit analysis of information security programs, policies, processes, systems and elements.

  •  Provide expert support on business and IT projects to ensure all comply with security policy and best practice.

  • Own and run IT security audits and the implementation of the security programme for BHFSUS

  • Collaborate with the Legal, Data Protection and Compliance teams through changing compliance landscapes.

  • Stay abreast of cyber security issues and regulatory changes affecting BHFSUS and own the delivery of any related changes.

  • Establish quarterly, annual and long term information security goals, articulate strategies, define and implement metrics, create reporting mechanisms and provide updates to relevant stakeholders including Audit Committee.

Education & Qualifications

  • Bachelor’s degree or equivalent program in Computer Science, Business Information Systems, Information Security or Information Technology

  • Relevant Professional certification essential:  CISSP, CISA, CISM or CRISC

  • Minimum 8 years in a Senior Information Security or similar role.

  • Experience in setting up and managing information security in a regulated financial entity.

  • Experience working in a fast-paced, technology-centric and/or online business

  • Excellent knowledge and experience of ISO27001,  ISO27002 and NIST

  • Knowledge of national and international laws, regulations, policies and ethics as they relate to cybersecurity.

  • Knowledge of Risk Management Processes ( eg methods for assessing and mitigating risk)

  • Experience in managing PCI-DSS certifications

  • Candidates must be willing to travel as required, including international travel.

Skills and Experience

  • Experience in working in regulated financial entities and specifically in the payments business is essential.

  •  In depth understanding of payments and payments products.

  •  Experience in working in large international organizations is an advantage.

  • Results oriented. Proven ability to prioritize projects and initiatives and align to corporate and product goals.

  • Ability to drive the cybersecurity roadmaps, while still “rolling up your sleeves” and getting involved in the hands-on, day-to-day activities

  • Experience working in an online environment and experience with programs such as ISO, SOX, GDPR, CCPA and other related compliance frameworks

  • Demonstrated ability to build successful cybersecurity programs

  • Expert understanding of cybersecurity concepts, principles and practices.

  • Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one

  • An ability to effectively influence others to modify their opinions, plans, or behavior

  • An understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business

  • Able to deal with ambiguity and work independently as well as part of a cohesive team

  • An ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easily-understood, authoritative, and actionable manner

  • Excellent presentation skills, especially with senior executive audiences

  • Excellent conceptual problem-solving skills with demonstrated ability to bring structure to vaguely defined problems, pragmatically scope problems and manage execution 

  • Organizational and political agility; developed negotiation and influence skills

  •  Unquestionable personal code of ethics, integrity, diversity and trust

  • Able to successfully navigate within varying degrees of ambiguity in a fast-paced environment

  • Experience of formal risk assessment methodologies.

  • In depth understanding of networks, databases and business applications as they relate to security. Excellent understanding of computer networking concepts and protocols, and network security methodologies.

  • Excellent interpersonal skills and ability to influence and negotiate with senior stakeholders.

  • Succinct Communicator – ability to break down complex issues and communicate at all levels in the organization.

  • Ability to work in a cross-functional matrix environment

  • Excellent understanding of vulnerability management and associated tools and solutions.

  • Keeps up to date on all matters pertaining to IT security.

  • Resilient  Ability to work under high-pressure, meet challenging timelines and remain calm under pressure or in times of emergency or crisis.

  • A True Team Player. Ability to develop and maintain productive relationships across organizations to ensure that security and compliance initiatives are achieved

  • Knowledge of leading practice incident management processes.

  • Solution driven with demonstrated ability to meet deadlines and deliver results.

  • Strong knowledge of PSD2 and GDPR

Our Brands