Director, IS Governance, Risk and Compliance

The Opportunity:

We are seeking an experienced and strategic leader to serve as Director, Information Sciences Governance, Risk & Compliance (IS GRC), reporting directly to the VP, IS Security, Risk, and Compliance. This person will be responsible for leading and maturing the IS GRC program, ensuring that IS governance processes, technology risk management practices, third-party risk management, and compliance activities effectively support business objectives and protect the organization.

As a key leader within Information Sciences, this individual will partner closely with Security, Infrastructure, Enterprise Applications, Data & Analytics, Legal, Privacy, Quality, Finance, HR, Procurement, and other cross-functional stakeholders to establish a scalable and pragmatic IS GRC framework. They will help the organization navigate a dynamic regulatory, technology, and business environment by strengthening controls, driving compliance readiness, improving risk visibility, managing third-party risk, and enabling informed decision-making across IS.

This role is ideal for a leader who can balance strategic program development with operational execution, build trusted partnerships across the organization, and translate regulatory, technical, and control requirements into practical processes that enable the business.

Key Responsibilities:

• IS GRC Program Leadership: Lead and evolve the Information Sciences Governance, Risk & Compliance program, including policies, standards, risk frameworks, compliance processes, and reporting.

• IS Governance: Develop, implement, and maintain governance structures, policies, standards, and procedures to support IS objectives, regulatory obligations, and internal accountability.

• Technology Risk Management: Establish and manage processes to identify, assess, prioritize, track, and report key IS, cybersecurity, data, third-party, and operational risks. Partner with stakeholders to develop mitigation and remediation plans.

• Third-Party Risk Management: Lead and mature the third-party risk management program for Information Sciences, including risk assessment and oversight of vendors, service providers, and technology partners. Partner with Procurement, Legal, Security, Privacy, and business stakeholders to evaluate third-party controls, contractual requirements, and remediation plans to ensure third-party services meet company risk and compliance expectations.

• Compliance Management: Oversee IS compliance initiatives related to applicable laws, regulations, contractual obligations, and internal policies. Coordinate control assessments, compliance reviews, and readiness efforts for audits and inspections.

• Internal Controls: Partner with IS and business teams to design, document, evaluate, and improve IT and IS-related controls and monitor their effectiveness over time.

• Policy and Standards Management: Drive the development, review, communication, and maintenance of IS policies, standards, baselines, and related procedures to ensure consistency, usability, and alignment with company requirements.

• Audit and Assessment Support: Coordinate and support internal and external audits, risk assessments, and evidence requests related to Information Sciences systems, processes, and controls. Track observations and corrective actions through closure.

• Cross-Functional Partnership: Build strong relationships across the business to understand technology risks, compliance obligations, and operational challenges, and to promote a culture of accountability and continuous improvement.

• Metrics and Reporting: Develop meaningful dashboards, metrics, and executive reporting to communicate IS program health, compliance posture, risk trends, and remediation progress to senior leadership.

• Training and Awareness: Promote awareness of IS governance, risk, and compliance responsibilities across Information Sciences and the broader organization through communication, training, and stakeholder engagement.

• Continuous Improvement: Stay informed about emerging regulations, industry trends, and best practices in IT/IS governance, cybersecurity compliance, privacy, and risk management, and incorporate them into program enhancements.

• This person will also coordinate with existing service delivery teams in Information Sciences to ensure that high levels of service and support are maintained.

Required Skills, Experience and Education:

• Bachelor’s degree or equivalent and a minimum of 10+ years of experience in Information Technology, Information Sciences, governance, risk management, compliance, internal audit, cybersecurity compliance, or related functions, including leadership experience in a regulated industry.

• Proven track record of building, managing, and scaling IS or IT GRC programs in complex organizations.

• Experience partnering across IS, security, legal, privacy, quality, procurement, finance, and business teams to drive risk-informed and compliant technology practices.

• Strong understanding of IT governance, technology risk management, internal controls, policy management, third-party risk management, and compliance operations.

• Experience working in regulated environments and with relevant frameworks and requirements such as SOX, GxP, GDPR/CCPA, ISO 27001, HITRUST, cybersecurity, privacy, IT general controls, vendor risk management, and audit readiness, as applicable.

• Experience supporting or leading control design, risk assessments, remediation activities, and audit or certification readiness efforts related to ISO 27001, HITRUST, or other relevant compliance frameworks.

• Ability to translate regulatory, audit, and control requirements into practical, business friendly IS processes, standards, and guidance.

• Entrepreneurial spirit; thrives in a fast-paced, high-growth, midsize company environment.

• Comfortable handling ambiguity and navigating through evolving processes, priorities, and organizational needs.

• Highly organized, with strong attention to detail and accuracy.

• Committed to meeting and exceeding high standards for quality and continuous improvement.

• Builds rapport and credibility as an effective strategic partner.

• Fosters team collaboration, breaks down silos, and is able to influence without authority.

• Skilled at conflict resolution, negotiation, and driving alignment across diverse stakeholder groups.

• Acts with urgency and sound judgment. Enjoys enabling others and solving complex problems.

• Ability to manage multiple initiatives, activities, and priorities simultaneously and autonomously.

• Strong written and verbal communication, presentation, and facilitation skills, with the ability to distill complex information for senior leadership.

Preferred Skills:

• Master’s degree or equivalent in Information Technology, Business, Risk Management, Cybersecurity, or a related field.

• Relevant certifications such as CISA, CISM, CRISC, CISSP, CGEIT, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, HITRUST CCSFP, or similar are preferred.

• Experience leading or supporting ISO 27001 and/or HITRUST implementation, certification, surveillance, or readiness programs is strongly preferred.

• Experience leading or supporting IT/IS governance, cybersecurity compliance, privacy, audit, or risk programs in the pharmaceutical, biotechnology, life sciences, or other highly regulated industries.

• Experience with third-party risk management, policy governance platforms, GRC tooling, control automation, and audit management solutions is a plus.

• Experience developing and operationalizing IS policies, standards, procedures, and control frameworks across enterprise applications, infrastructure, cloud environments, and data platforms is desirable.

• Experience developing executive-level reporting and dashboards for IT or IS risk and compliance programs is desirable.

• Experience standing up or maturing enterprise IT governance, security governance, third-party risk management, or technology compliance monitoring programs is a plus.

• Experience working with cross-functional stakeholders to align security, privacy, compliance, and business requirements into scalable operational processes is preferred. 

  #LI-Hybrid  #LI-YG1