Job Details

Senior Manager, Information Security - Governance Risk and Compliance (CORPORATION)

Palo Alto, CA, United States
  • Employment Type: Direct Hire

Our client, a large publicly traded pharmaceutical company, is seeking a Senior Manager, Information Security - Governance Risk and Compliance to assess, design and implement security controls to help protect the company. The Senior Manager will combine past experience and expertise with industry trends and best practices to bring rigor and repeatability into system and platform security in partnership with third parties. This role will develop, publish, maintain, and enforce comprehensive organization-wide information security risk assessment framework, plans, policies, procedures, guidelines and controls that are aligned with the organization’s business needs. The ideal candidate will have several years of relevant IT security experience, one or more relevant certifications (i.e. CISSP, CISM, CCSK) and a firm understanding of third party vendor and technology assessment frameworks. Must have experience assessing cloud cybersecurity, leading global cross-functional project teams, and with access control operations along with strong technical expertise and working knowledge of industry standards—NIST Cybersecurity Framework, NIST SP 800-53, ISO 27001/2, Cloud Security Alliance or Privacy Shield. Send resumes to [email protected].

Job Responsibilities and Requirements:

The Senior Manager will combine past experience and expertise with industry trends and best practices to bring rigor and repeatability into system and platform security in partnership with third parties. This role will help mature the discipline of cybersecurity best practices and will evangelize the value of such discipline to the broader IT organization.

Specific Responsibilities:

  • Develops, publishes, maintains, and enforces comprehensive organization-wide information security risk assessment framework, plans, policies, procedures, guidelines and controls that are aligned with the organization’s business needs
  • Evangelizes and provides SME knowledge of Information Security policies, guidance and procedures
  • Develops and provides regular Information Security Reports including KRIs, KPIs & KCIs
  • Supports and manages Action Plans through to closure, including exceptions; works with Risk owners to develop sustainable action plans that address technology, process and organizational risk areas
  • Provides technical assistance in evaluating, developing and executing Risk-related Action Plans that meet business requirements and are sustainable
  • Manages relationships and relevant information sharing with members of the Information Security Team, broader IT Team as well as Lines of Business
  • Acts as an internal consultant within IT and business groups for Information Security Risk Assessments
  • Helps develop an effective Information Security Strategy by aligning Risk Management & Information Security Governance efforts with Information Security Technology Strategy and Information Security Threats
  • Performs security audits and assessments of internal systems and third parties and recommends actions to mitigate risks through a review of the efficiency, effectiveness and compliance of operational and security policies, processes and practices
  • Performs technical security assessment of solutions and recommends/reviews security designs and controls
  • Oversees and performs operational execution of the third party cyber risk management processes
  • Provides written and verbal reports of audit findings and assessment observations
  • Acts as primary trusted security advisor on projects to ensure that information security risks are managed, and risk assessment process is followed including when interacting with third parties
  • Supports periodic audit activities as they relate to the IT cyber security domain (e.g., quarterly SOX audits for privileged access, GxP audits for information integrity, security and availability)
  • Maintains broad understanding of emerging security technologies and their relevance/applicability to our organization especially as they relate to third party partners
  • Provides hands-on security expertise during design, development, implementation and testing of solutions for integrating new technologies
  • Ensures security coherence across the services developed by our engineering and application teams, as well as encouraging security best practices
  • Provides clear direction and mobilizes others to act on priorities

Qualifications:

  • Excellent written and verbal communication skills; ability to convey security concepts to non-technical audiences (e.g. senior and executive management, internal customers)
  • Firm understanding of third party vendor and technology assessment frameworks; prior experience performing such assessments
  • Advanced interview skills to tailor the types of questions based on responses provided by internal business partners and vendors
  • Understanding of business processes, external control risk management, IT controls, and how they interact together
  • Sufficient understanding of cybersecurity technology to perform technology assessments; example technology domains would be access management, network security, vulnerability management and physical security, etc.
  • Relevant experience and one or more relevant certifications (i.e. CISSP, CISM, CCSK)
  • Experience implementing security controls
  • Working knowledge of industry standards—NIST Cybersecurity Framework, NIST SP 800-53, ISO 27001/2, Cloud Security Alliance or Privacy Shield
  • Experience assessing cloud cybersecurity, leading global cross-functional project teams, and with access control operations along with strong technical expertise are highly desirable
  • Strong analytical, problem-solving and critical thinking skills and the ability to support decisions that balance cybersecurity with ease-of-use required
  • Demonstrated service delivery mind-set with experience implementing result-oriented service delivery initiatives
  • Demonstrated experience leading security projects through influence, collaboration, and coalition-building; comfort in situations requiring constrained creativity to ensure the securing of business systems and data
  • Strong presentation and communication skills with ability to engage and influence senior level staff
  • Demonstrated vendor relationship management skills, with the ability to build strong rapport
  • Must be a self-starter who understands and owns every vital detail as second nature

Additional Valuable Skills and Certifications:

  • Experience in the pharmaceutical industry
  • Experience working in environments with high adoption of Cloud technologies
  • Experience in a business undergoing rapid change
  • CISSP, CISM, CISA, CRISC Certifications
