Business Information Security Officer
PayPal, Luxembourg. Update time: May 5, 2020
Job Description

Fueled by a fundamental belief that having access to financial services creates opportunity, PayPal (NASDAQ: PYPL) is committed to democratizing financial services and empowering people and businesses to join and thrive in the global economy. Our open digital payments platform gives PayPal’s 305 million active account holders the confidence to connect and transact in new and powerful ways, whether they are online, on a mobile device, in an app, or in person. Through a combination of technological innovation and strategic partnerships, PayPal creates better ways to manage and move money, and offers choice and flexibility when sending payments, paying or getting paid. Available in more than 200 markets around the world, the PayPal platform, including Braintree, Venmo and Xoom enables consumers and merchants to receive money in more than 100 currencies, withdraw funds in 56 currencies and hold balances in their PayPal accounts in 25 currencies.

The Information Security Officer (ISO) is a performance-driven and risk-oriented role. Acting as a Second-Line-Of-Defense (SLOD) control function, the ISO provides oversight across Information Security strategy, risk, compliance and governance for PayPal Europe.

The Information Security Officer role has the following responsibilities:

Key responsibilities

  • Ensure information assets are under proper control from an information security point of view
  • Actively participate in regulated entity office governance activities
  • Represent the Information Security function per reporting (and first-line Security representation through SLA management)
  • Ensure expertise and active contribution to the regulatory landscape
  • Inform and update global information security team on regional changes
  • Participate, coordinate and deliver on key business projects and initiatives
  • Be part of regional business activities and priorities
  • Mature and report key Information security disciplines relevant to regional business in alignment with global information security objectives

Deliverables and key activities

Sustain the governance and operations of the regional entity

  • Maintain robust internal governance arrangements for information security, which include clear organizational structures, effective processes and sound risk management.
  • Develop and execute the regional information security strategy aligned with business objectives, regulatory requirements and closely coordinated with the global information security strategy.
  • Define regional policies and processes in support of security principles to address risk and compliance obligations.
  • Facilitate appropriate resource allocation and increase the maturity of the information security program in cooperation with the leadership team of the global information security capability.
  • Verify that the global information security policies and procedures adequately address regional regulatory and risk requirements.
  • Actively participate in regional governance bodies to represent information security function and act as subject matter expert (SME) to permit informed decisions.
  • Develop business-relevant metrics to measure the efficiency and effectiveness of information security controls that are consistent with the global governance framework.
  • Ensure information security awareness and training initiatives are implemented in the region as part of the global information security awareness program to educate the workforce.

Manage and oversee Information Security risks

  • Support regional risk management activities in cooperation with the regional RCO and the global information security team.
  • Define and monitor key risk indicators (KRI), report and communicate about risk to enable authorized management to take informed decisions.
  • Advise Authorized Management on development of risk appetite, prioritization of controls and development of risk responses.
  • Monitor information security trends, understand potential threats, vulnerabilities and control techniques to ensure the risk management framework remains effective.
  • Validate that information security risk management framework is properly documented and updated. Re-evaluate effectiveness of the risk management framework after major changes.
  • Escalate security issues to appropriate level of management up to the Board.
  • Oversee known information security issues and monitor remediation progress.
  • Participate in development, review and test of Business Continuity Plans and Disaster Recovery Plans from security perspective.
  • Coordinate with the global crisis management capability during events impacting the confidentiality, integrity or availability of the regional information assets.
  • Provide the Authorized Management with subject matter expertise in information security to support their decision processes in case a crisis contingency eventuates.

Maintain regulatory compliance and regulatory engagement

  • Ensure conformity with information security policies and regulatory obligations.
  • Ensure that information security policy and strategy enforce the regional regulatory requirements. Where necessary, define regional information security policies, procedures and processes to address regulatory obligations.
  • Monitor and assess emerging regulations with the support of legal, compliance and global information security teams.
  • Support the GR’s and Compliance teams in their relationship with regional regulators on information security matters including reporting of security risks and incidents.
  • Support the audits of the regional entity on information security matters.

Oversee outsourcing arrangements on information security

  • Act as the service recipient in internal and external outsourcing arrangements regarding information security.
  • Define information security service descriptions, required service level agreement metrics (SLA) and negotiate SLA targets with the service provider.
  • Monitor and ensure delivery of information security services in line with service level agreements.
  • Verify that regional risk and regulatory requirements are addressed, and security controls are effectively enforced while outsourcing.
  • Steer the security due diligence process on information security for new service providers/sub-contractors of regional entity.

Test and validate the control framework

  • Verify that the controls in place to detect and prevent the emergence of IT security related risks are properly documented and monitored by the information security operational teams.
  • Participate in development of the global security testing plan to ensure coverage of regional requirements. Where necessary, design, plan and perform security testing using regional resources.
  • Evaluate and report on control effectiveness and coverage based on the security testing results.
  • Validate/approve adequacy of control remediation plans and evidence to close remediation actions.

Enable key business initiatives and projects

  • Participate, coordinate and deliver on key business projects and initiatives as SME on information security.
  • Ensure that there is a robust due diligence process to adequately address information security requirements in projects.
  • Support the security due diligence process for all M&A involving the regional entity.
  • Monitor information security related developments in the region to advise Authorized Management on business expansion and product development initiatives.
  • Participate in regional product development and launch efforts to ensure that InfoSec requirements are identified and addressed.

Profile

  • Bachelor’s degree.
  • 8+ years of experience in IT/Technology/Information Security Internal Audit, ERM, or consultancy.
  • Utilize a deep understanding of risk management methodologies, frameworks, and principles (e.g. ISO, COBIT, NIST, ITIL, PCI, PSD2, GDPR, etc.).
  • Technical knowledge of security technologies and architecture in multiple security domains.
  • Possess strong oral and written communication skills along with refined presentation skills to communicate information security-related concepts to technical and non-technical audiences, including senior leadership.
  • Strong influencing, negotiation, and relationship building skills.
  • Critical thinker with strong problem-solving skills with strong ability to work with minimum direction and possess a high drive for results.
  • Ability to work with geographically distributed cross-functional/matrix team structures in different time zones.
  • Holding relevant professional certificates (e.g. CISSP, CISM, CISA, CRISC, CCSP, PCI, etc.) is preferred.

We're a purpose-driven company whose beliefs are the foundation for how we conduct business every day. We hold ourselves to our One Team Behaviors which demand that we hold the highest ethical standards, to empower an open and diverse workplace, and strive to treat everyone who is touched by our business with dignity and respect. Our employees challenge the status quo, ask questions, and find solutions. We want to break down barriers to financial empowerment. Join us as we change the way the world defines financial freedom.

PayPal provides equal employment opportunity (EEO) to all persons regardless of age, color, national origin, citizenship status, physical or mental disability, race, religion, creed, gender, sex, pregnancy, sexual orientation, gender identity and/or expression, genetic information, marital status, status with regard to public assistance, veteran status, or any other characteristic protected by federal, state or local law. In addition, PayPal will provide reasonable accommodations for qualified individuals with disabilities. If you are unable to submit an application because of incompatible assistive technology or a disability, please contact us at paypalglobaltalentacquisition@paypal.com.

R0055288
