Lead, TPRM Risk and Compliance

AI-generated summary

This job is with Estée Lauder Companies. You'd lead Risk & Compliance initiatives related to cybersecurity. You might like this job because you'll handle global vendor assessments, navigate cybersecurity regulations, and ensure compliance with industry standards.

Undisclosed

Wilayah Persekutuan, Malaysia; Malaysia, Kuala Lumpur

Job Description

The Estée Lauder Companies is the global leader in prestige beauty — delighting consumers with transformative products and experiences, inspiring them to express their individual beauty. We are the only company focused solely on prestige makeup, skin care, fragrance, and hair care with a diverse portfolio of 25+ brands sold in approximately 150 countries and territories. Infused throughout our organization is a passion for creativity and imagination — a desire to push the boundaries and invent the unexpected — as we continue the bold work of our founder Estée Lauder.


Who We Are

Do you want to be part of the team catalyzing digital innovation, harnessing the power of data, and transforming the fabric of security across the world’s most prestigious beauty, skincare, and luxury fragrance brands? Then join the information security and technology team, Enterprise Cybersecurity & Risk (ECR) at Estée Lauder Companies (ELC). The ECR team fuels cyber-defense, technology excellence, risk and compliance, and global resilience. We stay on the forefront of cyber threats to deliver fit-for-purpose tools, technologies, and processes that protect ELC’s business operations and empower secure strategic growth. If you thrive in change-rich entrepreneurial environments, then this is the team for you. From our fast-paced delivery plans to our global team expansion, this is an exciting time to join us!

What You’ll Do

The ECR Manager, Risk and Compliance will drive Compliance initiatives, including evaluation of IT-related risks, assessment of control effectiveness, and control owner achievement of effective control environments for continued compliance. This role necessarily deals with highly confidential and sensitive information, and the role is expected to both define appropriate handling of such information for the enterprise and to implement best handling practices.

 

You will be responsible for:

  • Partner with TPRM program key stakeholders to ensure the appropriate due diligence is conducted based on global and regional compliance requirements.
  • Ability to understand details of vendor’s cybersecurity program and identify where gaps exist with internal company policy requirements.
  • Cybersecurity technical expertise to review vendor attestations (e.g., SOC1/SOC2, Vulnerability Scan, Penetration Testing, PCI DSS, ISO 27001, etc.) and identify potential gaps or control weaknesses.
  • Familiarity with China Privacy Laws and Cybersecurity regulations such as Personal Information Protection Law (PIPL), Data Security Law (DSL), Multi-Level Protection Scheme (MLPS) 2.0, and Cybersecurity Law of China (CSL).
  • Familiarity with frameworks such as NIST CSF, OWASP Top 10, ISO, ITIL and CMMI.
  • Familiarity with SaaS and COTS based applications and the unique risks associated with each use case.
  • Awareness of emerging cybersecurity threats, including zero-day vulnerabilities, supply chain, and IoT-related risks.
  • Ability to clearly articulate the potential implications of cybersecurity risks to less technical users.
  • Update IT policies, standards, and Standard Operating Procedures.
  • Ability to triage use cases and prioritize due diligence activities based on the vendor’s inherent risk profile.
  • Ability to effectively communicate (verbal and written) technical subject matter clearly and succinctly in both Chinese and English.
  • Produce risk assessment reports and effectively communicate and collaborate with vendors to implement remediation responses.
  • Effectively collaborate with cross-functional, interdisciplinary teams, such as Procurement, Supply Chain, R&D, Legal and Privacy, to conceptualize and require contract security provisions for remediation of risk identified in vendor assessments, specific use cases and third-party engagements.
  • Experience with industry-recognized Cybersecurity and Governance, Risk and Compliance (GRC) systems and applications such as ProcessUnity, CyberGRX, BitSight and Recorded Future, along with familiarity with the Shared Assessments methodology.
  • Able to develop effective, collaborative relationships with all levels of internal and external stakeholders.

Qualifications

Who You Are

  • Practical experience in technology risk and control or IT audit, including experience in project governance/management and understanding of business processes, key IT risk/controls, organizations, markets, retail, and/or manufacturing.
  • Strong communication skills, influence/negotiation skills, attention to detail, conflict management experience, analytical skills, and measurement/visualization ideas.  Ability to problem-solve, think creatively, challenge the status quo, and manage ambiguity.
  • Ability to communicate complicated or technical information to executives, including proven ability to work both independently and as part of a team, with stakeholders at all levels. 
  • Proficient in Microsoft Suite of products including Visio, Excel, Word, and PowerPoint.  Proficient in English as a business language.
  • Experience handling, securing, and communicating highly confidential and sensitive information.

Job: Information Technology
Primary Location: Asia Pacific-MY-14-Wilayah Persekutuan
Job Type: Standard
Schedule: Full-time
Shift: 1st (Day) Shift
Job Number: 2412174



Company Benefits

Wellness programs

We connect employees with fitness and mindfulness classes and robust wellbeing programs to enrich many areas of their lives.

Family support & flexibility

We are continually looking to develop and review family-friendly policies, particularly around parental leave and flexible working.

Financial benefits

We continually review options to introduce voluntary employee benefits where such programs are available!



Company Profile

The Estée Lauder Companies Inc.

The Estée Lauder Companies (ELC) is a global leader in prestige beauty. We manufacture, market, and sell high-quality skin care, makeup, fragrance, and hair care products, and serve as a steward of consumer-beloved luxury and prestige brands globally. Driven by a spirit of creativity and innovation, and a desire to have a positive impact on our communities, we strive to create a world that is not just beautiful, but full of possibility.

We Are Brand-Led

Each of our 20+ brands has a unique perspective on luxury beauty, but they are united by a dedication to creating prestige products that are high-quality, boundary-pushing, and trusted favorites of our consumers.

Source: elcompanies.com