Lead and manage security architecture and engineering in APEC
Performs security accreditation and evaluates the implementation of the required security controls in order to grant Approval to Operate for a release of new infrastructure, services, applications and processes into Marriott’s Production Environments at the regional level
Leverages existing Security Engagement processes and documentation, in conjunction with security compliance tools, to determine control implementation status
Will routinely process ITSM Release and Security Engagement Tasks to document justification for all approvals
Will routinely collaborate with multiple teams, including, but not limited to, Business Release Sponsors, Project Managers, Security Architects, Security Architecture Analysts, and Change Management teams to ensure the Security Processes are followed and completed in order to accredit the engagement or release
Will routinely manage and communicate the status of the tasks assigned in ITSM to thoroughly document the accreditation resulting in granting of Approval to Operate
Understand, communicate, interpret and enforce MI Policies and Security Standards throughout the Certification and Accreditation process
Understand and communicate control objectives in terms of both MI Policy and Standards and Security Best Practice Frameworks, including, but not limited to, NIST RMF, NIST CSF, PCI DSS, GDPR, MPLS, EU Privacy, ISO, as referenced in Marriott’s Common Controls Framework
Will periodically provide status and metrics for the assigned C&A Engagements in order to provide visibility and transparency to GIS Senior Leadership
Works with development teams to review application source code for security and operational risks
Perform manual code reviews of applications that are not compatible with automated SAST tools
Provide detailed security documentation to developers, software engineers and technical personnel when necessary
Provide guidance and recommendation to software architects and engineers on how to correct code related security flaws
Manage security architecture and engineering team in APEC
Participate in peer reviews of security assessments created by other team members
Manage tickets and SLAs associated with security testing efforts
Maintain and contribute to the enterprise SSDLC standard
Coordinates and implements work and projects as assigned
Generates and provides accurate and timely results in the form of reports, presentations, etc.
Analyzes information and evaluates results to choose the best solution and solve problems
Develops specific goals and plans to prioritize, organize, and accomplish work
Sets and tracks goal progress for self and others
Monitors the work of others to ensure it is completed on time and meets expectations
Provides direction and assistance to other organizational units’ policies and procedures, and efficient control and utilization of resources
Creates a team environment that encourages accountability, high standards, and innovation
Leads specific team while assisting with meeting or exceeding department goals
Makes sure others understand performance expectations
Ensures that goals are being translated to the team as they relate to tracking and productivity
Creates and nurtures an environment that emphasizes motivation, empowerment, teamwork, continuous improvement and a passion for providing service
Understands employees and develops plans to address areas of need and build on their strengths
Provides the team with the capabilities needed to meet or exceed expectations
Leads by example demonstrating self-confidence, energy and enthusiasm
Acts proactively when dealing with employee concerns
Extends professionalism and courtesy to employees at all times
Communicates/updates all goals and results with employees
Meets semiannually with staff on a one-to-one basis
Establishes and maintains open, collaborative relationships with employees
Solicits employee feedback
Interviews job candidates and assists in making hiring decisions
Receives hiring recommendations from team supervisors
Ensures orientations for new team members are thorough and completed in a timely fashion
Observes behaviors of employees and provides feedback to individuals
Provides information to supervisors, co-workers, and subordinates by telephone, in written form, e-mail, or in person in a timely manner
Manages group or interpersonal conflict
Informs and/or updates executives, peers, and subordinates on relevant information in a timely manner
Manages time effectively and conducts activities in an organized manner
Presents ideas, expectations and information in a concise, organized manner
Uses problem solving methodology for decision making and follow up
Performs other reasonable duties as assigned by manager
Requirements
Bachelor’s degree in Information Systems, Computer Science or related field or equivalent experience/certification
8+ years’ experience in Information Security with: 3+ years in process-oriented Security Audit/Assurance/Technical Assessment role
2+ years’ team management experience with security technical team members
1-2 years’ experience/exposure to Common Controls Framework
Exposure/functional understanding of NIST RMF
Current and relevant information security certifications such as: CISSP (Certified Information Systems Security Professional), (ISC)2 CGRC certification, ISACA, PCI QSA/ISA, ITIL, IS Certification & Accreditation Professional - ISCAP, GIAC Information Security Professional (GISP)
Nice to have
Strong oral and written communication skills and comfortable with speaking in large groups virtually and in person
Ability to conduct independent security research
Strong understanding of common OWASP flagship projects, such as the Top 10 and the Cheat Sheet Series
Strong understanding of cryptography concepts: hashing, signing, encryption, decryption, tokenization
Strong understanding of SDLC and security integration points
Functional understanding of microservice application architecture
Functional understanding of common application security controls such as WAF, RASP, Intercepting Proxies
Comfortable with the following tools and technologies: GitHub Advanced Security, Postman, Fortify SCA, Jenkins, Artifactory, SonarQube, Docker, JIRA, Confluence, Aqua CSP, Nessus Pro or Tenable.io
Comfortable with technical report writing and crafting security requirements
Basic understanding of network security concepts: DoS, DNS Spoofing, ARP Poisoning, Firewalls, Intrusion Detection, Segmentation
Basic understanding of Vulnerability and Patch Management practices
Basic understanding of endpoint security controls: EDR, Vulnerability Scanning Agents, HIDS, FIM
Basic understanding of Agile Software Development Practices & DevOps
Master’s degree in Computer Science or Software Engineering