Head of Business Information Security Office (BISO)

The Head of Business Information Security Officers (BISO) Team is responsible for leading and managing a team of Business Information Security Officers to ensure the alignment of the company's information security strategy with its business units and subsidiaries where applicable. This leader will play a pivotal role in bridging the gap between the cybersecurity function and the different business units, ensuring that the organization's security policies, procedures, and programs are effectively implemented to support business operations while reducing cyber risks.
This leader will work closely with senior technology leadership and their teams, and business unit executives, to assess cyber risk, communicate the importance of cybersecurity, and promote a strong culture of security awareness. This position requires a blend of strategic leadership, technical expertise, and business acumen to integrate security effectively within the organization's operational context.
Key Responsibilities:
Leadership and Team Management:

• Lead and manage the Business Information Security Officers (BISO) team, providing direction, mentorship, and career development.
• Foster a collaborative environment that emphasizes the integration of security into all aspects of business operations.
• Ensure the BISO team is effectively supporting business units and subsidiaries where applicable in identifying, assessing, mitigating, reporting and escalating cybersecurity risks to the appropriate leaders.
• Monitor and evaluate the performance of the BISO team, aligning their activities with the BISO framework and organizational security objectives and KPIs.

Strategic Planning and Execution:

• Set and own the strategy, in collaboration with cyber security senior leadership team and senior business leaders, for achieving best in class security practices and regulatory requirements.
• Drive and ensure effective implementation of cyber security program policies, standards, and controls across all business units.
• Prioritize cybersecurity initiatives based on business risk and resource availability, ensuring that security efforts are balanced with operational demands.
• Stay abreast of emerging cybersecurity threats, industry trends, and regulatory changes, incorporating relevant insights into the organization's security strategy.
• Cultivate an agile team culture whereby scarce resources are aligned to the highest priorities based on a growing and changing organization and ever-evolving cyber risk landscape.
• Provide holistic cybersecurity risk metrics and reporting to business leadership for providing visibility into cybersecurity posture, enabling proactive risk management and ensuring alignment between security efforts and business objectives.

Risk Management and Compliance:

• Partner with business leaders to understand key business processes, their associated risks, and the security controls required to protect them.
• Oversee risk assessments and security posture reviews for business units, providing tailored recommendations for mitigation. Coordinate with ETX Governance and Risk team to document and track remediation efforts in the eGRC tool.
• Ensure compliance with applicable regulatory and legal requirements (e.g., NYDFS) as well as internal policies and standards, partnering with ETX Governance and Risk team
• Coordinate with audit, legal, and ETX Governance and Risk teams to ensure that the organization is adequately prepared for security-related audits and assessments.
• Support risk reporting teams by helping define business use case requirements to drive tailored persona risk reporting across various sets of stakeholders.

Communication and Collaboration:

• Serve as a key liaison between the cybersecurity team and business units, ensuring effective communication regarding security risks, requirements, and initiatives.
• Communicate and document security risks and strategies to senior business executives and board members in business terms they can understand.
• Promote a culture of security awareness and continuous improvement, ensuring that business units are engaged and proactive in managing cybersecurity risks.
• Collaborate with other functional teams (IT, legal, compliance, and risk management) to drive a unified approach to cybersecurity.
• Ensure BISOs maintain an acceptable level of relationship health across all business areas and stakeholders they are aligned to and support, while working to define and hold accountable both development and role commitments.

Incident Management and Response:

• Ensure that the BISO team actively supports the incident response process by coordinating with business units during security events.
• Participate in the review and analysis of major security incidents, working to identify root causes, lessons learned, and preventive actions.
• Lead the development of business unit-specific incident response plans and ensure alignment with the broader organizational incident response strategy.

Minimum Qualifications:
Experience:

• 10+ years of experience in information security, with at least 5 years in a leadership role managing cross-functional or business-facing security teams.
• Experience working closely with an array of business units, understanding business drivers, and aligning security initiatives with business needs.
• Proven track record of managing security programs and multiple cyber domains in large, complex organizations with diverse business operations.
• Experience in conducting risk assessments, managing security incidents, and ensuring compliance with relevant security frameworks and regulations.

Skills:

• Strong leadership and team management skills, with the ability to inspire and guide a diverse team.
• Exceptional communication skills, both verbal and written, with the ability to communicate complex security concepts to non-technical stakeholders.
• Strong analytical and problem-solving skills, with the ability to navigate complex business environments and prioritize competing objectives.
• Deep knowledge of cybersecurity principles, risk management, regulatory compliance, and security frameworks (e.g., NIST CSF, NYDFS).
• Demonstrated ability to develop and execute strategic plans that align security objectives with business goals.

Key Competencies:

• Strategic Thinking: Ability to see the big picture and align security initiatives with the long-term goals of the business.
• Collaboration: Capable of working effectively with business units, executives, and technical teams to drive security initiatives.
• Influence: Skilled in influencing stakeholders at all levels to prioritize security and adopt best practices.
• Risk Awareness: Deep understanding of business risk and the ability to communicate and mitigate security risks effectively.
• Adaptability: Ability to navigate and lead in a rapidly evolving cybersecurity landscape, adapting strategies as needed. Data Driven Decisioning: Ability to effectively collect, process, analyze, and interpret data to derive meaningful insights that inform decision making and resolve problems.
• Education: Bachelor's degree in Information Security, Computer Science, Information Technology, Business Administration, or a related field is required.
• Certifications: One of the following, or related, security certifications: CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CISA (Certified Information Systems Auditor).

Ideal Qualifications:
Master's degree in Cybersecurity, Information Systems, Business, or related fields is preferred.
#LI-MC1
MassMutual is an Equal Employment Opportunity employer Minority/Female/Sexual Orientation/Gender Identity/Individual with Disability/Protected Veteran. We welcome all persons to apply. Note: Veterans are welcome to apply, regardless of their discharge status.
If you need an accommodation to complete the application process, please contact us and share the specifics of the assistance you need.
Salary Range: $189,900.00-$249,200.00