Zentalis Pharmaceuticals

Director, IT – Governance, Risk & Compliance

full-time

Location Type: Hybrid

Location: San Diego, California, United States

Salary

$210,000 - $250,000 per year

About the role

  • Own and continuously evolve the IT governance framework aligned with COBIT, ITIL, or equivalent standards; set multi-year roadmap for IT GRC maturity.
  • Establish, maintain, and enforce IT policies, standards, and procedures in alignment with business objectives and regulatory requirements.
  • Lead the IT Governance Committee; prepare Board- and executive-level reporting on governance posture, KPIs, and strategic risk.
  • Drive IT portfolio governance to ensure alignment of technology investments with enterprise strategy and risk appetite; partner with Finance on IT spend decisions.
  • Lead the enterprise IT risk management lifecycle: identification, assessment, treatment, monitoring, and reporting.
  • Maintain and continuously update the IT risk register; escalate critical risks to senior leadership and the Board, as appropriate.
  • Partner with business units to conduct risk-based vendor and third-party assessments for critical technology partners and SaaS providers.
  • Own and manage IT compliance programs across GxP (21 CFR Part 11, Annex 11), SOX ITGCs, HIPAA, NIS2 Directive, and applicable data privacy regulations (GDPR, CCPA, when applicable).
  • Serve as the primary IT point of contact for internal and external auditors; coordinate IT audit requests, responses, and remediation.
  • Lead IT General Controls testing and documentation for SOX compliance cycles; partner with Finance and External Audit.
  • Participate in GxP computer system validation (CSV) oversight in coordination with QA — including URS, IQ/OQ/PQ documentation, and periodic reviews.
  • Track and drive closure of all IT audit findings, control deficiencies, and corrective and preventative actions (CAPAs).
  • Develop and maintain the IT policy library; ensure timely review cycles and version control.
  • Drive an IT compliance awareness culture through training programs, communications, and onboarding curriculum.
  • Advise IT project teams and technology owners on control requirements during system design and implementation.

Requirements

  • Bachelor's degree in Information Technology, Computer Science, Life Sciences, or a related field required; Master's degree strongly preferred.
  • 12+ years of progressive IT GRC, IT audit, or IT compliance experience, with at least 5 years in a biotech, pharmaceutical, or medical device environment.
  • Minimum 4 years of people management experience, including managing managers or senior individual contributors.
  • Deep expertise in FDA 21 CFR Part 11, GxP computer system validation (CSV), and SOX IT General Controls.
  • Proven track record managing IT audit processes and working directly with external auditors (Big 4 preferred) and regulatory agencies.
  • Strong knowledge of IT risk management frameworks (NIST CSF, ISO 27001/27002, COBIT) and demonstrated ability to set and execute multi-year GRC strategy.
  • Master's degree in Information Systems, Business Administration, or a related discipline preferred.
  • Professional certifications: CISA, CRISC, CGEIT, CISSP, or CIPP.
  • Experience with cloud GRC platforms (ServiceNow GRC, Archer, Vanta, Drata) and validated cloud environments (AWS, Azure, GCP).
  • Familiarity with HIPAA/HITECH, NIS2 Directive, GDPR, and CCPA compliance in a clinical or research setting.
  • Prior experience supporting IND/NDA/BLA submissions or FDA facility inspections.
  • Experience standing up a GRC function or program from an early-stage maturity baseline.

Applicant Tracking System Keywords

Hard Skills & Tools
IT governance framework, IT risk management, IT compliance, GxP computer system validation, SOX IT General Controls, IT audit processes, risk-based vendor assessments, control requirements, multi-year GRC strategy, IT policy development
Soft Skills
leadership, communication, organizational skills, strategic thinking, collaboration, problem-solving, training and development, reporting, stakeholder management, risk assessment
Certifications
CISA, CRISC, CGEIT, CISSP, CIPP