-Senior Director -Chief Information Security Officer (CISO)

Our Company

It wasn’t so long ago that booking a trip to see the Eiffel Tower, stroll down New York’s iconic Madison Avenue or feel the sand between our toes on Copacabana Beach was simply a matter of a few taps on our smartphone. In fact, that’s what we do at Booking.com. We make it easier for everyone to experience the world. And while that world might feel a little farther away right now, we’re busy preparing for when the world is ready to travel once more. Across our offices worldwide, we continue to innovate. To solve for some of the most complex challenges in travel and technology, and to plan for the exciting developments that lie ahead. With strategic long-term investments into what we believe the future of travel can be, we are opening up new career opportunities that will have a strong impact on our mission.

Job Summary 

Booking.com’s Chief Security Officer (CSO) is searching for a Chief Information Security Officer (CISO). This leader will report to, and work closely with, the Chief Security Officer (CSO) in the direction, management and coordination of Security and Fraud, five Capability Portfolios and Business Unit Security Officers (BUSOs). 

Booking.com continues to grow and expand its service offerings to customers, including the ‘Connected Trip’ and other growth strategies. As the business model and offerings change, the security landscape and needs of the organization will similarly expand. Booking.com seeks a CISO reporting to and partnering with the CSO to deliver a comprehensive Security and Risk Management program inclusive of a broad range of capabilities in the realm of and Cybersecurity and Information Security, Asset Protection and Security Engineering.  

The Chief Information Security Officer specializes in Cybersecurity and IT Risk Management and executes strategy, priorities, and directives consistent with the vision of the CSO. The individual will be a senior member of CSO’s Leadership Team and will work collaboratively with other key stakeholders in the company as well as supporting an increasingly important partnership with its owner, Booking Holdings Corporation. The CISO will be a strong technologist with broad credentials across security architecture, operations, engineering, risk and cyber incident response. The CISO will be required to build trust with customers and regulators, drive product security, further develop a service orientation, and ensure the security team adapts to the dynamics of the business.

 

Job Tasks and Primary Responsibilities 

• Provides leadership, direction, and advocacy so Booking.com may effectively conduct cybersecurity and cyber-risk management work
• Develops strategy and oversees staff, infrastructure, policy enforcement, emergency planning, security awareness, and/or other resources
• Helps define current and future business environments
• Oversees the development of policies and advocates for policy change that will support new initiatives or required changes and enhancements
• Works with the CSO to design cybersecurity strategy that outlines the vision, mission, and goals that align with the business goals and objectives
• Oversees information security program implementation
• Identifies and addresses workforce planning and management issues, such as recruitment, retention, and training
• Applies knowledge of assessment data of identified threats to decision-making processes
• Acquires and manages the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals, and reduce overall organizational risk
• Advises senior management on risk levels and security posture
• Advises senior management on cost-benefit analysis of information security programs, policies, processes, systems, and elements
• Communicates the value of cybersecurity throughout all levels of the organization's stakeholders
• Collaborates with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance
• A key responsibility will be providing support to the re-platforming and strengthening of the technology stack and facilitate the move to the cloud
• Collaborate with the Legal Team through ever-changing global compliance landscapes. 
• Stay abreast of cyber security issues and regulatory changes affecting Booking.com and communicate to leadership on a regular basis about those topics
• Establish quarterly, annual and long-term information security goals, articulate strategies, define metrics, create reporting mechanisms and provide updates to the Audit Committee
• Accountable for Computer Security Incident Response Team (CIRT) and, with the CSO, will act as the senior control point during significant events
• Lead efforts to assess the efficacy of existing cybersecurity controls and programs and recommend enhancements
• Coordinate and track all information technology and security related audits including scope of audits, organizational units involved, timelines, auditing agencies and outcomes
• Develop innovative solutions

 

Knowledge and Skills 

• Results-oriented. Proven ability to prioritize projects and initiatives to align to corporate and product goals
• Resilient. Able to work under high-pressure situations, meet challenging timelines and be the calming, reassuring leader in times of emergency or crisis
• Ability to drive the cybersecurity roadmaps, while still “rolling up your sleeves” and getting involved in the hands-on, day-to-day activities
• Experience working in an online environment and experience with programs such as ISO, SOX, GDPR, CCPA and other related compliance frameworks
• Demonstrated ability to build successful cybersecurity programs
• Expert understanding of cybersecurity concepts, principles and practices.
• Proven ability to be a visionary by creating or adopting new strategies that take into consideration the changing cyber-landscape 
• An expert in computer incident response and general incident management processes; real-world experience is advantageous. 
• An experienced leader that excels at identifying and developing managers, developing individuals in their pursuit of challenging and rewarding career paths within the department or the company
• A True Team Player. Ability to develop and maintain productive relationships across organizations to ensure that security and compliance initiatives are achieved
• Rich network of external connections including industry peers, suppliers and advisors.
• Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one
• An ability to effectively influence others to modify their opinions, plans, or behaviors
• An understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business
• Able to deal with ambiguity and work independently as well as part of a cohesive, global team
• An ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easily-understood, authoritative, and actionable manner
• Ability to successfully lead, manage, and motivate large, diverse, and complex teams
• An understanding of information security fundamentals and general security technologies
• Excellent presentation skills, especially with senior executive audiences
• Strong knowledge or business experience in other business units or functional areas outside Security
• Excellent conceptual problem-solving skills with demonstrated ability to bring structure to vaguely defined problems, pragmatically scope problems and manage execution 
• Organizational and political agility; developed negotiation and influence skills
• Unquestionable personal code of ethics, integrity, diversity and trust
• Able to successfully navigate within varying degrees of ambiguity in a fast-paced environment
• Skill in de-conflicting cyber operations and activities

 

Knowledge of:

• National and international laws, regulations, policies, and ethics as they relate to cybersecurity
• Risk management processes (e.g., methods for assessing and mitigating risk).
• Computer networking concepts and protocols, and network security methodologies
• Organization's core business/mission processes
• An organization's information classification program and procedures for level information loss
• Disaster recovery and continuity of operations plans
• Information assurance principles used to manage risks related to the use, processing, storage, and transmission of information or data
• Incident response and handling methodologies
• Industry-standard and organizationally accepted analysis principles and methods.
• Information technology (IT) supply chain security and risk management policies, requirements, and procedures

 

Critical Skills – Must Have Skills

• More than five (5) years of senior leadership experience in a demanding environment, including experience in setting the strategic direction, being accountable for and delivering strategic objectives, aligning programs with the organization's strategic direction, and focusing on continuous improvement efforts within a complex technology organization
• Excellent technical skills in the sphere of network security, application development, cloud security
• Experience working in a fast-paced, technology-centric and/or online business
• Proven functional management experience ideally managing large, remediation programs
• Proven accomplishments in Information Technology change agendas
• Handling multiple priorities in a fast-paced environment
• Proven ability to effectively prioritize and execute tasks with competing priorities; strong influencing skills to work with various service owners
• Excellent communication, analytical and planning skills to manage the implementation of information security controls and services
• Demonstrated experience effectively leading and managing collaborative, cybersecurity risk management solutions across disparate functional teams
• Experience successfully delivering programs and/or multiple projects on-time, in scope, on budget and on quality based on agreed business goals
• Capable of anticipating needs and driving clarity on expectations
• A solution-oriented mindset, with the ability to exercise good professional judgment
• Ability to help resolve complex project delivery issues
• Ability to work in a matrix management model
• Knowledge of leading practice incident management processes
• Candidates must be willing to travel >10% as required, including international travel

Education

• Bachelor’s degree in computer science or related field or equivalent experience
• Master’s degree preferred
• Evidence of professional training e.g. CISSP, CISA/M etc. 

Critical Leadership Capabilities:

Leading Change

• Publicly identifies needed changes or directions that need adjustment, challenges assumptions and norms.
• The ability to “think big” and simultaneously understand and appreciate the details necessary to operationalize overarching strategies and goals; The ability to make sense of complex issues and ambiguous situations. 
• Challenges assumptions about “the way things are done”.
• Communicates explicitly what must change, why changes are necessary, and possible outcomes and costs.
• Adjusts communication style to the audience to help them understand and accept the change.
• Encourages people to support and propose changes and ideas.

 

Building relationships, Collaborating and Influencing

• Establishes relationships and enhances the levels of cooperation, collaboration, and trust that exist between people, interacting with others personally, competently, and effectively. Establishes relationships inside and outside of the organization. Fosters a culture that makes people feel valued and respected and leverages even difficult or tense circumstances to enhance relationships.
• Negotiates with a genuine give-and-take approach, where both acts as true peers and decisions are shared.
• Spends time identifying all stakeholders necessary and meets or connects with all of them, neglecting no one to shape a collective consensus.
• Identifies opportunities to build relationships that will help others achieve their objectives and reaches out to those people or new people.

 

Driving Results

• Responds resourcefully, flexibly, and positively when faced with new challenges and demands. Willingly and effectively deals with the stress and complexities of various situations. Moves forward productively under conditions of change or uncertainty
• Demonstrates and fosters a sense of urgency, a “can-do” spirit, a sense of optimism, ownership, and strong commitment to achieving goals and organizational success. Demonstrates a strong sense of ownership and a commitment to achieving meaningful results.   
• Checks work of self and others against required quality standards.
• Reviews performance and progress on a regular basis to ensure team is achieving results.
• Tests to see if goals are sufficiently challenging and implements corrective action based on deviations.

 

What’s in it for you?

• Headquarters located in one of the most vibrant cities in Europe: Amsterdam
• Performance-based company that offers 29 vacation days, career advancement and lucrative compensation, including bonuses and stock potential.
• Training, regular hackathons and opportunities to travel and attend global conferences.
• Discount on Booking.com accommodations with the “Booking Deal” including other perks and benefits.
• Company sponsored family and social activities to help our employees become integrated with each other and Dutch culture.
• Diverse, unique colleagues from every corner of the world.