Business Information Security Officer (BISO) - Cyber GRC Associate

Our Team: We protect Bloomberg. The Bloomberg Information Security Office team is dedicated to making our products and technologies as secure as possible through design, development, and operation. We report into the Chief Information Security Office while working closely with regulated businesses, key lines of business, and development/engineering across Bloomberg L.P. Our colleagues depend on us to help design, run, and improve our most important security programs — strengthening our cyber resilience and security posture across an evolving threat landscape.

What’s in it for you: The Bloomberg BISO team focuses on identifying opportunities to improve the security of Bloomberg, our products and services, and the security of our customers’ data. In this role, you will contribute to the development and execution of multiple security and cyber GRC programs, each with unique challenges and in a global setting. You will play a key role in supporting cyber risk governance, evangelizing security and compliance efforts, and helping to shape the direction of Bloomberg L.P.’s business efforts - all in a day’s work.

We’ll trust you to:

• Build a strong understanding of your business domains, staying current with new technologies, the evolving threat landscape, regulatory changes, and industry best practices as you support and contribute to the information security and cyber GRC programs for your lines of business.
• Work with stakeholders to effectively manage cyber risk including supporting the assessment of security controls, risk identification, mitigation strategies, and incident response planning.
• Build cross-functional relationships between teams to improve all aspects of our security program, contributing to a culture of security by design and continuous compliance.
• Support the development of management information, including key risk indicators, program maturity indicators, and key performance indicators to enable data-driven risk reporting.
• Contribute to the review and maintenance of information security policies, standards, and procedures in your line of business - ensuring alignment with the firm’s risk appetite and regulatory obligations.
• Develop into a trusted advisor to management, supporting the reporting of information security programs, cyber risk posture, and GRC maturity to governance forums.
• Support the development and delivery of scenario testing such as Tabletop Exercises and Threat Led Penetration Testing to validate our cyber resilience.
• Support remediation efforts and contribute to transformational change initiatives across the broader organization, including zero trust adoption, third-party risk management, and operational resilience programs.

We’d love to see:

• 3-5 years of experience in information security, cyber GRC, cyber security risk management, data security, or cyber security regulation.
• Demonstrated ability to work effectively with stakeholders across a complex, global, and highly regulated environment.
• Experience contributing to cross-functional projects with a strong attention to detail and follow-through.
• Ability to identify and escape cyber security risks — including third-party and supply chain risk — and support the delivery of services in a secure and compliant way.
• Solid foundational knowledge across key cyber security domains such as cloud security, network security and architecture, application security, secure software development lifecycle (SSDLC), or vulnerability management.
• Familiarity with Threat Led Penetration Testing (TLPT) frameworks such as CBEST or equivalent TLPT regimes.
• Familiarity with key technologies such as Operating Systems, Software Development Build Pipelines and Processes, Security Tooling, O365 Suite, and Business Intelligence Tools.
• Exposure to industry standards and frameworks such as NIST CSF, ISO 27001, or cyber risk quantification methodologies.
• Awareness of regulation pertaining to Information Security such as DORA, Operational Resilience, UK CTP Regime, and GDPR.
• Strong written and oral communication skills, with a desire to develop the ability to translate cyber risk into clear business language.
• Demonstrated ability to perform under pressure and consistently meet deadlines.
• An industry-recognized certification such as CISSP, CISM, CRISC, CompTIA Security+, or ISO 27001 Lead Implementor/Auditor — or working towards one.

If indicated, please note that years of experience are a guide; we will consider applications from all candidates who can demonstrate the skills necessary for the role.