Group Chief Information Security Officer
Barnes & Noble, Inc.
New York, New York, US · Full-time · Posted 9 days ago
Descrizione
Location
NY-New York (Union Square)
Classification
Full-Time
Job Summary
The Chief Information Security Officer (CISO) will lead and oversee the Information Security program across the entire organization. The role will be responsible for developing, implementing, and maintaining a unified enterprise security strategy that ensures the confidentiality, integrity, and availability of the company’s information assets, platforms, infrastructure, and customer data across all business operations.
As the organization continues to modernize its retail, digital, cloud, and enterprise technology platforms, we require a transformational security leader capable of driving the next phase of cybersecurity maturity across the group. This role is significantly broader than traditional cybersecurity operations and compliance management. The CISO will play a critical leadership role in helping the organization securely navigate large-scale technology transformation, AI adoption, cloud modernization, evolving regulatory requirements, and an increasingly sophisticated global threat landscape.
The CISO will be responsible for establishing and leading a group-wide cybersecurity strategy across both US and UK operations, driving consistency in governance, policy, standards, risk management, incident response, and operational security practices. This includes developing enterprise security standards, modernizing security architecture, implementing Zero Trust principles, strengthening cloud and identity security, improving business resilience, and reducing legacy technology and operational risk across the environment.
Cybersecurity has evolved far beyond traditional perimeter defense and audit-driven compliance programs. We now face a rapidly changing threat environment driven by AI-enabled attacks, ransomware, cloud complexity, third-party supply chain risk, increasing regulatory scrutiny, and growing operational dependence on digital platforms. As a result, the CISO must operate not only as a security leader, but also as a strategic business partner and an agent for transformation.
This role will require close collaboration with executive leadership, technology teams, legal, compliance, operations, and external partners to ensure security is embedded into the organization’s strategy and business operations. Given the strategic importance of cybersecurity and enterprise risk management to the organization, the CISO role will maintain a regular reporting cadence with the Board Risk Committee and will be responsible for providing ongoing updates related to cybersecurity posture, operational risk, regulatory compliance, major initiatives, emerging threats, and overall enterprise resilience.
Benefits for those who are scheduled to work less than 20 hours per week include Employee Discount, EAP and Sick Pay. For those scheduled to work between 20 and 29.99 hours per week, benefits include Employee Discount, EAP, Sick Pay and Paid Time Off including paid Maternity and Parental Leave, Company Paid Holidays, Transit and 401(k) with Company Match. For those scheduled to work 30 hours or more, benefits include Employee Discount, EAP, Sick Pay and Paid Time Off including paid Maternity and Parental Leave, Company Paid Holidays, 401(k) with Company Match, Comprehensive Health Benefits (Medical, Dental and Vision), Healthcare and Dependent Care Spending Accounts, Disability Benefits, Life Insurance, Transit, and Tuition Reimbursement. All benefits provided are in accordance with the terms of the current plan and may be subject to future change. Benefits may vary depending on location/state regulations. More information can be obtained from the recruiter or Human Resources.
An employee in this position can expect an annual starting rate between $350,000 - $400,000 depending on experience, seniority, geographic locations, and other factors permitted by law.
What You Do
Global Security Strategy
Define and execute a unified cybersecurity strategy that supports the business objectives of both B&N and Waterstones.
Lead the development and implementation of security policies, standards, and procedures that align with local regulations and best practices.
Serve as a trusted advisor to executive leadership and Board of Directors for both organizations.
Security Operations & Incident Response Leadership
Lead the enterprise cybersecurity incident response and crisis management program, coordinating cross-functional response activities during major cyber incidents, ransomware events, operational disruptions, and data breaches.
Act as the primary technical contact with external crisis response agencies, cyber insurance providers, legal counsel, forensic investigators, regulators, and law enforcement agencies during significant cybersecurity incidents.
Drive the continuous maturation of the organization’s cyber resilience capabilities, including incident response planning, ransomware preparedness, disaster recovery, business continuity, tabletop exercises, and enterprise recovery strategies.
Establish and maintain enterprise-wide cyber incident response standards, escalation procedures, communication protocols, and post-incident review processes to improve organizational readiness and operational resilience.
Direct 24/7 global security operations, including monitoring, detection, and response to security incidents.
Technology & Infrastructure Security
Leverage AI to improve detection, response, and scale.
Ensure security is embedded in infrastructure, applications, cloud environments, and software platforms.
Drive Zero Trust adoption, identity and access management, and secure data handling practices across both organizations.
Oversee regular penetration testing, vulnerability assessments, and third-party risk management.
Team Leadership & Development
Lead and foster collaboration between the B&N and Waterstones Information Security teams.
Recruit, mentor, and retain top cybersecurity talent.
Direct work and ensure appropriate performance levels of all Security team members across Waterstones and B&N, working together with the senior leadership team to create a performance-based culture.
Partner with IT, Legal, Risk, HR, and other business units to ensure a holistic approach to Information Security.
Executive Leadership & Cybersecurity Influence
Serve as a visible and influential cybersecurity leader across both organizations, representing the Information Security function internally and externally.
Champion a strong culture of security awareness at all levels of the organization and across both businesses.
Act as the public and internal face of the cybersecurity function, partnering with executive leadership, board members, auditors, and external partners to communicate the organization’s security vision and maturity.
AI-Enhanced Cyber Defense & Governance
Leverage AI to improve detection, response, and scale.
Automate incident triage and response (SOAR + AI).
Enhance phishing and fraud detection using ML models.
Collaborate with HR and Legal to define AI security policies and acceptable use standards.
Classify and approve AI tools and vendors.
Align with emerging regulatory frameworks (EU AI Act, etc.).
Prevent data leakage into external AI platforms.
Enforce data classification and masking for AI use.
Monitor environment for unauthorized use of enterprise data in AI tools.
Assess AI capabilities in vendor platforms.
Prepare For And Defend Against
• AI-generated phishing (highly personalized)
• Deepfake-based social engineering
• Automated vulnerability discovery by attackers
Update training and awareness programs accordingly.
Utilize AI to reduce reliance on manual Tier 1/2 SOC work.
Shift talent toward engineering, threat hunting, and strategy.
Integrate AI into security tooling stack (SIEM, EDR, XDR).
Knowledge & Experience
Data Security & Protection
Define
TalentyGo is an aggregator of job listings from public sources. Always verify the information directly with the company. Applications are submitted through the company's original site; TalentyGo does not manage selection processes.