The Chief Information Security Officer is responsible for establishing and maintaining an enterprise level strategy and program ensuring that our physical and digital information assets and technologies are adequately protected. The CISO is responsible for the overall Information Security and Risk Management posture of the company. The CISO should be a strong, knowledgeable cyber-security leader able to provide vision, strategy, broad-based planning, and hands-on responsibility. This position is located on-site at our New York office. B&H will provide relocation assistance for the right candidate. What can you expect? Opportunity to lead security efforts for what Newsweek calls one of “America's Best Online Shops” including multiple data centers, cloud providers, the B&H Superstore, offices, and our 500,000 square foot fulfillment center. Work for a company with a tech savvy CEO that has Cyber Security on the very top of his agenda. Clearly appreciating the risks of the cyber world. Reports to the CIO, will have walk-in access to all company executives. Work with a highly motivated, excited, and active security team. Work with executive leadership, operations, and systems colleagues, and lead the organization in identifying, developing, implementing, and maintaining processes to reduce information technology risks. We will count on you to: The short list: PPP = Practical Pragmatic Pushy: It’s a real problem. It needs real answers. Have clear short- and long-term direction. Keep pushing in the right direction. Always forward. Be in the know! Have a strong sense of how we are doing and where we are objectively in our security posture. Be up to date on security challenges and events. It’s all about the people. Get to know the culture. Make people excited and motivated to move the security agenda forward. The long list: Provide Executive Leadership a clear understanding of the exposure and risks. Provide Executive Leadership a practical strategy, roadmap, and timelines to mitigate and manage the exposure and risk. Report continuous progress, challenges, and risks to executive management. Define policies and processes that enable the company to establish consistent, effective information security practices and minimize risk. The CISO determines projects and priorities for all information security issues and establishes short- and long-range business plans to achieve the security vision defined in the CISO’s strategic plan. Lead the development and implementation of effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation. Specifically, regarding PCI, GDPR, CCPA. Work with business colleagues to review RFPs, RFIs etc., and provide security and risk-related input into proposals. Oversee daily cyber security activities for the entire company to manage risk at an appropriate level, ensure effective response to incidents, and secure data access and utilization. Guide the information security team SOC to proactively analyze and directly respond to internal and external threats to system security. Assist in selecting 3rd party security vendors to assist in our data security capabilities. Provide direction for Enterprise Risk Management, Business Continuity and Disaster Recovery Efforts, Policies and Procedures, and Record Retention. Design the architecture for security programs which include: Audit and Compliance functions. Risk Governance.Security Policies and Procedures. Security Awareness Training.Assist in recruiting the Information Security Team.Define and monitor a risk-based process for vendor management, including the assessment of risks that may result from partners and service providers. Take on leadership role to triage and investigate security incidents. Help determine the business impact of the incident. Lead the safe and rapid resolution to the problem. Manage internal communications, partner with B&H communications to manage external communications and when directed, represent B&H in any official inquiry. Lead the Security incidents debrief and own the implementation of lessons learned. What you need to have: Bachelor’s degree in Computer Science or Information Systems Management or equivalent. 15 years in Information Technology or an IT related field (e.g., IT Audit). 10 years in a senior Security IT role. Hands-on experience and extensive knowledge of information security technology. Strong subject matter experience in cloud and on premises environments/technologies/security, application security, vulnerability testing and development of a risk appetite. Risk management experience with proven ability to effectively apply risk principles to challenging business situations. Review Threat and Vulnerability reports and create detailed action plans to address risks. CISSP, CISM, or other equivalent security certification required. CRISC, CISA, CISM preferred. ITIL Certification preferred. Hands-on Technical Experience with Telecommunications, Networking, Security Solutions (Firewalls, IDS/ IPS, SIEM, Vulnerability Assessment Tools), Access Control Systems, Cryptography, Physical Security Systems, and Secure SDLC Methodologies. Ability to maintain the highest standard of confidentiality is required with zero tolerance. Experience performing multifaceted projects in conjunction with regular activities.