Senior Manager, Information Security (Vendor Security Risk)

JOB SUMMARY 

The candidate will be responsible for executing third-party risk assessments, including evaluating vendor control environments, documenting risk findings, and supporting risk-based outcomes. The candidate will also be responsible for supporting the overall security program including security policy, procedures, and standards, assessing the risk of the internal and external IT systems, ensuring Marriott iT documents are compliant with Marriott security policies and procedures, and reviewing documents for accuracy and completeness. 

Conduct periodic reassessments of vendors based on risk tiering and data sensitivity. Review vendor-provided security evidence and identify control gaps and areas of risk. Candidate will also assist in managing relationship with Service Providers who are responsible for the actual delivery of services, managing outcomes and results, and collaborating with stakeholders across IT and business departments to develop strategies for securing company information and assets. Shares responsibility for planning, directing, and coordinating compliance activities pertaining to technology projects for a given business unit. Verifies that project goals are accomplished and in line with business objectives. 

Excellent communication skills are required to effectively communicate (verbally and written) across all levels within the organization. 

Operates effectively in a dynamic environment by managing shifting priorities, balancing multiple concurrent assessments, and adapting to evolving business needs and timelines while engaging stakeholders ranging from individual business owners to senior leadership. 

CANDIDATE PROFILE 

Education and Experience 

Required: 

• Bachelor’s degree in Information Systems or related field or equivalent experience/certification 

• 7+ years of information technology leadership experience including implementing, managing and governing security policies 

• 3+ years direct work experience in third-party Risk Management 

• One or more current information security certifications such as Certified in Risk and Information Systems Controls (CRISC), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP) 

Preferred: 

• A security certification such as GWAPT, GPEN, AWS Associate Architect, AWS Professional Architect, PCI experience. 

• Demonstrated ability to effectively engage stakeholders at multiple levels, from individual contributors and technical SMEs to senior leadership, in a fast-paced, evolving environment 

• Experience executing third-party/vendor risk assessments within a defined framework 

• Experience supporting escalation of high-risk scenarios to leadership, including preparing clear, concise risk summaries and recommended actions 

• Strong ability to analyze control evidence and document risk findings clearly 

• Technical leadership experience in an outsourced environment  

• Excellent communication skills and problem-solving ability  

• Experience with reviewing and assessing security controls of Cloud service providers 

• Experience evaluating SaaS and cloud service providers  

• Knowledge of OWASP Top 10 and SANS 25. 

• Understanding of vulnerability management outputs and ability to assess associated risk 

CORE WORK ACTIVITIES 

Security Risk & Compliance 

• Oversee, evaluate, and support the documentation, and validation processes necessary to assure that associates, information technology systems and business processes meet the organization’s information assurance, security, and privacy requirements.  Ensures appropriate treatment of risk, compliance, and assurance of internal policies and external regulations. 

• Identify and escalate material control deficiencies or elevated risk conditions to management with clear supporting documentation and business impact context  

• Highlight scenarios where vendor risk exceeds acceptable thresholds, including lack of required controls, incomplete remediation, or misalignment with data protection expectations  

• Perform structured security risk assessments of third-party providers by reviewing control evidence, identifying gaps, and documenting risk findings  

• Document clear and defensible control gap analysis and risk assessments  

• Review controls exception requests and provides risk-based input and recommendations  

• Review and interpret security findings provided by vendors or internal sources to determine risk impact 

• Validate completeness of assessment inputs and document findings and risk impact in an audit-ready manner 

• Lead, participate or perform various infrastructure compliance initiatives and projects 

• Monitor compliance to applicable security policies and standards and report related risk issues 

• Manage and administer processes and tools that enable the organization to identify, document, and track third party risks and compliance exceptions 

• Conduct assessments of threats and vulnerabilities, determine deviations from acceptable configurations or enterprise or local policy, assess the level of risk, and develop and/or recommend and operationalize appropriate mitigation countermeasures. 

• Provide sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocate policy changes and make a case on behalf of the company via a wide range of written and oral work products. 

• Oversee the information assurance (IA) program of an information system in or outside the network environment 

Maintaining Goals 

• Submits reports in a timely manner, ensuring delivery deadlines are met. 

• Promotes the documenting of project progress accurately. 

• Provides input and assistance to other teams regarding projects. 

Managing Work, Projects, and Policies  

• Manages multiple concurrent assessments and deliverables, adjusting priorities as needed to meet changing business demands  

• Coordinates across multiple stakeholders (e.g., business owners, application teams, and supporting technical contacts) to obtain required information and complete assessments 

• Escalates risks and blockers impacting assessment timelines or outcomes, including delays in stakeholder responses, incomplete vendor evidence, or conflicting business priorities 

• Manages and implements work and projects as assigned. 

• Generates and provides accurate and timely results in the form of reports, presentations, etc. 

• Analyzes information and evaluates results to choose the best solution and solve problems. 

• Provides timely, accurate, and detailed status reports as requested. 

Demonstrating and Applying Discipline Knowledge  

• Provides technical expertise and support to persons inside and outside of the department. 

• Demonstrates knowledge of job-relevant issues, products, systems, and processes. 

• Demonstrates knowledge of function-specific procedures. 

• Keeps up-to-date technically and applies new knowledge to job. 

• Uses computers and computer systems (including hardware and software) to enter data and/ or process information. 

Delivering on the Needs of Key Stakeholders 

• Adapts communication style and level of detail based on audience, including working directly with technical SMEs, business owners, and senior leadership stakeholders  

• Engages business owners to gather required information, validate vendor use cases, and progress assessments efficiently  

• Provides clear, concise risk summaries and recommended actions suitable for leadership-level review and decision-making  

• Escalates high-risk vendor scenarios to senior leadership with well-documented context and recommended actions (e.g., significant control gaps identified during assessment, vendors handling sensitive data without required safeguards, or unresolved critical findings nearing go-live timelines)  

• Balances competing stakeholder priorities across multiple engagements while maintaining quality, consistency, and timeliness of deliverables  

• Develops specific goals and plans to prioritize, organize, and accomplish work. 

• Determines priorities, schedules, plans and necessary resources to ensure completion of any projects on schedule. 

• Demonstrates an understanding of business priorities 

Additional Responsibilities  

• Maintains responsiveness and adaptability in fast-paced or ambiguous situations, ensuring timely progression of assessments and deliverables  

• Responds to ad hoc requests requiring leadership visibility, including summarizing vendor risk posture, providing status updates, or supporting time-sensitive decision-making scenarios  

• Provides information to supervisors and co-workers by telephone, in written form, e-mail, or in person in a timely manner. 

• Demonstrates self-confidence, energy and enthusiasm. 

• Informs and/or updates leaders on relevant information in a timely manner. 

• Manages time effectively and conducts activities in an organized manner. 

• Presents ideas, expectations and information in a concise, organized manner. 

• Uses problem solving methodology for decision making and follow up. 

• Performs other reasonable duties as assigned by manager.