Information Security Officer, Director - Remote

The Director, Business Information Security Officer is responsible for providing leadership and operational oversight in safeguarding enterprise information assets. This role is pivotal in delivering the services for information security assurance across third-party suppliers, business applications, cloud platforms and other core technologies, as well as the development and delivery of solutions for the protection of information assets.

As a senior member of the information security team reporting to the CISO, this role leads a team that serves as the key interface between the business, IT, and information security – driving the identification, evaluation and prioritization of information security risks and measuring the progress of the overall information security program through benchmarking and metrics. The position also acts as a trusted representative of the CISO in the delivery of security training & awareness to the organization and contributes to the evolution of the enterprise-wide information security program.

The Director, Business Information Security Officer leads a team in identifying and managing information security risks through assessments and cybersecurity risk management processes and owns services for both security awareness & training and information protection. The Director works with and coordinates across business functions, compliance teams, IT, and shared services groups. The Business Information Security Officer’s core responsibilities include :

Lead cross-functional initiatives to establish and mature cybersecurity risk management processes in collaboration with business and IT colleagues.

Deliver security assurance services for third-party suppliers, cloud services, and business technologies.

Manage and mentor a specialized team focused on cybersecurity risk management, cybersecurity assurance, awareness & training / phishing awareness, and information protection.

Support the CISO in development of an information protection strategy to protect sensitive data from loss, leakage, or unauthorized exfiltration.

Execute against the information protection strategy through implementation and management of services for information protection, leveraging data loss prevention (DLP) and data security posture management technologies in partnership with business, information security, and IT colleagues.

Conduct periodic assessments of information handling practices and work with colleagues to classify and identify vital information and apply controls that mitigate risks.

Monitor emerging threats and regulatory changes related to information / data protection.

Support the CISO in establishing and reporting on metrics for key risk indicators (KRIs) and key performance indicators (KPIs) that measure the effectiveness of the information security program.

Conduct periodic benchmarking to assess information security maturity and recommend enhancements.

Develop and communicate training and awareness on security best practices throughout the organization.

Manage the ongoing delivery of phishing campaigns and responses to phishing alerts in coordination with the cybersecurity operations team.

Remain current on information security frameworks, guidance, best practices, and regulatory requirements impacting the pharmaceutical industry.

Collaborate deeply with peers in Security Operations and Information Security Architecture, taking an integrated approach to managing and reducing cyber risk across the organization.

10+ years of experience within information security or IT GRC organizations; experience in the pharmaceutical / life sciences industry is desirable.

~5+ years of experience in development and management of information security risk assessment processes for applications and third parties.

~5+ years of experience in assessment of systems hosted in company or third-party cloud environments (e.g., AWS, Oracle, Azure).

~ Extensive knowledge of solutions and best practices for information protection / data loss protection, including Microsoft Purview and other solutions.

~ Expert understanding of risk management, compliance, and governance frameworks related to cybersecurity.

~ Ability to think strategically, lead initiatives, and provide leadership in the definition of solutions for risk mitigation.

~ Demonstrated ability to influence through leadership and collaboration - fostering a community of knowledge-sharing, collaboration, and forward-thinking.

~ The capacity to actively learn and apply security domain knowledge, knowledge, and best practices to guide the definition of security requirements in support of business initiatives.

~ Strong skills for critical thinking, analyzing, and assessing problems and implications, identifying patterns, making connections of underlying issues, understanding risks, and developing mitigation strategies, and taking ownership of the outcome.

~ Ability to communicate technical ideas and concepts clearly, verbally and written, to technical and non-technical audiences, especially in articulating technical vision to executive levels.

Bachelor’s degree in computer science, Information Security, or a related field.