Elsevier
BISO (Business Information Security officer) (Philadelphia)
Elsevier, Philadelphia, Pennsylvania, United States, 19117
Business Information Security officer (BISO) for TIO (Technology Infrastructure and Operations)
We are not looking to hire a CISO as this BISO role will report to our CISO
Requirements

- Possess a strong proficiency with AWS services (EC2, S3, IAM, Lambda, CloudTrail, CloudWatch, KMS, GuardDuty, Security Hub, WAF, etc.).
- Have the ability to design secure, scalable cloud architectures with proper identity, access management, and network segmentation.
- Experience with AWS Config, AWS Control Tower, or Terraform for compliance automation and infrastructure as code (IaC).
- Possess an understanding of Kubernetes (EKS), Docker, and container image scanning tools.
- Hands-on experience integrating security controls into Jenkins, GitHub Actions, or GitLab CI pipelines.
- Familiarity with code scanning tools (Snyk, SonarQube, Checkmarx, or Veracode) and dependency management.
- Scripting proficiency (Python, Bash, or PowerShell) to automate security testing and compliance checks.
- Experience implementing vault solutions (HashiCorp Vault, AWS Secrets Manager).
- Ability to translate technical risks into business terms for senior stakeholders and non-technical leaders.
- Experience partnering with IT, Cloud, and Business Units to embed security in strategic initiatives.
- Leading security programs, tracking KPIs/metrics, and ensuring timely delivery of remediation plans.
- Designing and delivering cybersecurity awareness programs tailored to business functions.
Responsibilities

- Driving information, cyber, and infrastructure security governance across all business and technology units, ensuring alignment with enterprise cybersecurity programs, objectives, and regulatory requirements.
- Serving as the primary liaison between Business Units, Cloud Engineering, and the Cyber Security organization to embed security awareness and best practices into AWS cloud operations, CI/CD pipelines, and DevOps workflows.
- Leading cloud security oversight for AWS environments, including configuration management, identity and access controls, encryption, and compliance with organizational policies and industry standards (ISO 27001, NIST, SOC 2).
- Managing and coordinating technical risk assessments, including vulnerability scanning, penetration testing, and application risk reviews, to ensure secure deployment across cloud and hybrid infrastructures.
- Overseeing the security posture of CI/CD pipelines (Jenkins, GitHub Actions, or similar), integrating automated scanning tools and secure code validation into build and deployment processes.
- Collaborating with DevOps and Infrastructure teams to define and implement secure-by-design practices for containerized workloads, Kubernetes clusters, and AWS-native services (EKS, EC2, S3, Lambda).
- Defining and executing a risk-based information and infrastructure security strategy, including setting measurable goals, developing security training programs, and creating roadmaps for improving DevSecOps maturity.
- Developing and reporting cybersecurity metric scorecards to track compliance with enterprise standards, vulnerability remediation progress, and adoption of security controls across business and cloud environments.
- Providing expert guidance on security architecture decisions, evaluating new tools and technologies for impact on cloud environments, automation frameworks, and enterprise security strategy.
- Leading cross-functional security initiatives to ensure business innovation aligns with secure architecture principles, risk management standards, and ongoing governance frameworks.