DIRECTOR OF CYBER SECURITY GOVERNANCE, RISK, AND COMPLIANCE (GRC) - EVINOVA

Job description

Are you ready to be part of the future of healthcare? Can you think big, be bold, and harness the power of digital and AI to tackle longstanding life sciences challenges? Then Evinova, a new health tech business that is part of the AstraZeneca Group, might be for you!
Transform billions of patients’ lives through technology, data, and innovative ways of working.
You’re disruptive, decisive, and transformative.
Someone excited to use technology to improve patients’ health.
We’re building a new health tech business – Evinova, a fully-owned subsidiary of AstraZeneca Group.
Evinova delivers market-leading digital health solutions that are science-based, evidence-led, and human experience-driven.
Thoughtful risks and quick decisions come together to accelerate innovation across the life sciences sector.
Be part of a diverse team that pushes the boundaries of science by digitally empowering a deeper understanding of the patients we’re helping.
Launch pioneering digital solutions that improve the patients’ experience and deliver better health outcomes.
Together, we have the opportunity to combine deep scientific expertise with digital and artificial intelligence to serve the wider healthcare community and create new standards across the sector.
The Cyber GRC Lead role presents a unique opportunity to join Evinova from the beginning and implement innovative cyber security practices that are designed by industry, for industry.
The Cyber GRC Lead, reporting to the Evinova Head of Cyber Security, will provide hands-on domain expertise to drive the operationalization of the Evinova-wide Information Security Management System (ISMS).
This role is focused on leading and driving relevant cyber security governance and risk management capabilities including Policy Development and Governance, Risk Management, Metrics and Reporting, and Cyber Awareness Training.
The role will provide ample opportunities for program ownership, increased levels of accountability, and significant visibility within the CTO Leadership Team and adjacent business leaders.
Additionally, this role will closely collaborate with globally dispersed technical and product engineering teams – enabling excellent opportunities for professional development across technology domains and international geographies.
Success in this role requires leading by influence, exhibiting strong emotional intelligence, and a natural disposition towards business enablement.
The ideal candidate will think holistically and proactively deliver on opportunities to advance the cyber program and safeguard customer/patient trust.
Key responsibilities include.
Develop and optimize the Evinova cyber security governance framework to ensure continued alignment with leading practices, regulatory obligations, and corporate insurability (e.g., NIST CSF, ISO, EU / UK GDPR, HIPAA / HITRUST, SOC 2 Trust Services Criteria, etc.).
Maintain cyber security policies, procedures, and standards to establish clear and actionable guidelines for cyber security controls, data protection, and incident response protocols.
Additionally, maintain the cyber security Risk Register and Risk Exception handling process.
Partner with the Quality and Compliance Team to ensure the effectiveness of engineering security practices, aligned with relevant standards, and fully documented in policies/procedures.
Track and develop remediation strategies to ensure continued compliance with relevant regulations and audit requirements.
Lead the identification, assessment, and mitigation of cyber security risks across Evinova and our digital products.
Additionally, provide advisory-based perspectives to the CTO leadership team on best practices and appropriate technology solutions to align residual risk to the organizational risk appetite.
Assess and manage cyber risks associated with cloud-native environments, including IaaS, PaaS, and SaaS offerings.
Work with product and engineering teams to prioritize risks to applications and infrastructure and develop risk mitigation strategies.
Ultimately, ensure the complete isolation of Evinova’s sensitive customer information from our partner company through physical and logical isolation, policies, and procedures.
Collaborate with internal collaborators to assess and manage cyber security risks associated with third-party vendors and service providers, ensuring contractual obligations and security controls are effectively implemented.
Partner with Legal / Data Privacy to support Privacy Impact Assessments.
Define and implement the Evinova Cyber Security and Awareness education program.
Collaborate across all business functions and contractors to evangelize security best practices and ensure compliance with all Evinova information security policy requirements.
Develop insightful and data-driven dashboard(s) articulating Evinova’s current cyber risk posture through the measurement of relevant Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), and cyber trends (e.g., incidents, emerging risks, external interest areas).
Drive continuous improvement initiatives to enhance the effectiveness and efficiency of the cyber security GRC program, leveraging feedback, metrics, and lessons learned.
Actively collaborate with Evinova and AstraZeneca Group leadership to align and share best practices for cyber security, business continuity, and other related policies and procedures.
Minimum Qualifications.
Bachelor's degree in Technology, Computer Science, Business Administration, or a related field.
8+ years of combined experience in Cyber GRC relevant domains such as Information Security Compliance, IT Risk Management, Third-Party Risk Management, and Information Assurance (preferably in a cloud-native organization).
Prior experience providing GRC-related capabilities at a SaaS/cloud service provider.
Experience in implementing, operating, and assessing GRC programs aligned to the NIST CSF and ISO frameworks.
Hands-on experience with audit readiness, response, and remediation activities in support of external SOC2 and penetration testing-related engagements.
Additionally, experience maintaining cyber-centric Risk Registers and Corrective Action Plans / Plans of Actions and Milestones (POA&Ms).
Well-versed in Business Continuity and Disaster Recovery planning and performing third-party risk management due diligence reviews of technology service providers and external entities with persistent access to internal systems / sensitive data.
Experience articulating the ISMS and supporting processes in the context of responding to third-party risk management questionnaires, and other external entities performing cyber security due diligence-focused inquiries (e.g., regulators, insurance carriers, partner organizations).
Demonstrable experience securing cloud-based custom-developed solutions (e.g., policy development, controls identification and implementation, continuous monitoring, audit response, etc.).
A deep understanding of information security technologies, networking, and network architecture is required – preferably in-depth exposure to Amazon Web Services and Microsoft Azure security concepts/services.
Ability to make pragmatic decisions by analyzing highly complex situations, assessing risks, and balancing strategic and tactical compliance/quality requirements.
Demonstrable experience in delivering outcomes around consulting, consensus building, and business engagement.
Ability to work independently in a fast-paced environment with a demonstrable ability to handle contending priorities.
Excellent written and verbal communication skills, project management, process improvement, attention to detail, and critical thinking skills are highly preferred.
At least one of the following professional certifications.
Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and/or Certified Information Systems Security Professional (CISSP).
Desired Qualifications.
Master’s degree in computer science, business administration, or similar relevant area of study.
Experience in ensuring compliance within a highly regulated sophisticated global business environment, particularly in the healthcare and/or clinical research industry.
A global perspective on privacy, security, and data protection issues and trends (experience with Asia-Pacific data privacy and protection regulations is a strong plus).
Demonstrate initiative, strong customer orientation, and cross-cultural working.
Why Evinova (AstraZeneca)? Evinova draws on AstraZeneca’s deep experience developing novel therapeutics, informed by insights from thousands of patients and clinical researchers.
Together, we can accelerate the delivery of life-changing medicines, improve the design and delivery of clinical trials for better patient experiences and outcomes, and think more holistically about patient care before, during, and after treatment.
We know that regulators, healthcare professionals, and care teams at clinical trial sites do not want a fragmented approach.
They do not want a future where every pharmaceutical company provides its own, different digital solutions.
They want solutions that work across the sector, simplify their workload, and benefit patients broadly.
By bringing our solutions to the wider healthcare community, we can help build more unified approaches to how we all develop and deploy digital technologies, better serving our teams, physicians, and ultimately patients.
Evinova represents a unique opportunity to deliver meaningful outcomes with digital and AI to serve the wider healthcare community and create new standards for the sector.
Join us on our journey of building a new kind of health tech business to reset expectations of what a bio-pharmaceutical company can be.
This means we’re opening new ways to work, pioneering cutting-edge methods, and bringing unexpected teams together.
Interested? Come and join our journey.
So, what’s next? Are you already imagining yourself joining our team? Good, because we can’t wait to hear from you.
Where can I find out more? Our social media:
Follow AstraZeneca on LinkedIn: https://www.linkedin.com/company//
Follow AstraZeneca on Facebook: https://www.facebook.com/astrazenecacareers/
Follow AstraZeneca on Instagram: https://www.instagram.com/astrazeneca_careers/?hl=en
Learn more about Evinova: www.evinova.com
AstraZeneca embraces diversity and equality of opportunity.
We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills.
We believe that the more inclusive we are, the better our work will be.
We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics.
We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.
AstraZeneca requires all US employees to be fully vaccinated for COVID-19 but will consider requests for reasonable accommodations as required by applicable law.
Job details

Company
  • Senior Cyber Security Manager
Location
  • All of Spain
Address
  • Not specified - Not specified
Contract type
  • Not specified
Publication date
  • 09/04/2024
Expiry date
  • 08/07/2024