BISO - Commercial IT

AstraZeneca, Gaithersburg, MD
Hybrid

About The Position

The Commercial IT Cybersecurity Business Information Security Officer (BISO) acts as the main cybersecurity partner to Commercial IT and related business areas. This role represents the CISO to lower cyber risk and improve resilience across platforms dedicated to clients and revenue generation. This role leads security for a SaaS-heavy, data-centric Commercial ecosystem spanning CRM, omnichannel engagement, digital experience, analytics and personalization, data and AI platforms, pricing and revenue, integration and API fabric, BI, and MDM. Key platforms include Veeva (CRM/Vault/OCE), Salesforce (Service/Health/Life Sciences/Marketing Cloud, Data 360), Adobe Experience Cloud (AEM/Analytics/Target), Tealium, Databricks on AWS, Model N, MuleSoft/SnapLogic, Power BI, and Reltio, supporting both global operations and localized implementation alongside agency and third-party delivery models.

Requirements

  • Information security leadership: 10+ years of experience in information security positions, with 5+ years’ experience overseeing an information security function and influencing senior business/IT stakeholders.
  • Commercial pharma domain familiarity: Experience supporting Commercial/Go-to-Market functions in a regulated life sciences environment (marketing operations, sales operations, customer/HCP engagement, digital channels, and in-country execution models).
  • SaaS/CRM security depth: Hands-on experience securing Veeva CRM, Veeva Vault, Veeva OCE, and/or Salesforce ecosystems (Service Cloud, Health Cloud, Life Sciences Cloud, Marketing Cloud, Data 360), including identity/access models, connected apps, environment strategy, secure configuration, and operational monitoring.
  • Digital experience and marketing technology security: Experience with Adobe Experience Manager, Adobe Analytics, Adobe Target, and Tealium (or equivalent) including tag/consent governance, tracking controls, data-layer integrity, and security considerations for externally facing digital content.
  • Data platform and cloud security: Experience securing Databricks and AWS-hosted data platforms, including IAM, network controls, encryption/KMS, logging/telemetry, data governance, and prevention/detection of data exfiltration.
  • Integration and API security: Experience with integration platforms such as MuleSoft and SnapLogic, with a strong understanding of API security patterns, OAuth/token hygiene, certificate lifecycle, secrets management, and secure data movement.
  • Commercial operations / revenue process awareness: Familiarity with commercial operations platforms such as Model N and the control expectations when systems support pricing, contracting, rebates/chargebacks, and/or interfaces to order booking and revenue processes (including SOX-relevant control considerations).
  • Depth of knowledge in frameworks and control implementation, vulnerability and security testing management, risk dashboarding and data-driven execution, and incident response collaboration are key attributes required for this role.
  • Stakeholder communication: Strong written and verbal communication skills with proven ability to present complex technical information to both technical and non-technical audiences, including Commercial leadership and in-country stakeholders.
  • Execution under pressure: Proven ability to manage competing priorities, operate under time constraints tied to launches or campaigns, and drive outcomes through influence across matrixed teams.
  • Bachelor's degree in science or relevant technical field of study

Nice To Haves

  • Master's preferred.

Responsibilities

  • Act as the Commercial IT security lead and CISO representative.
  • Serve as the primary cybersecurity liaison for the commercial IT division and associated business units worldwide.
  • Coordinate the security strategy with business objectives and customer-centered, revenue-enhancing outcomes.
  • Lead governance and risk-based decision-making by chairing or participating in key forums, ensuring risk visibility, documented risk acceptance and ownership, and translating enterprise security policy into Commercial-ready standards, guardrails, and roadmaps.
  • Provide continuous risk advisory and posture management by maintaining awareness of threat trends and regulatory drivers relevant to Commercial operations, proactively advising on priorities, architecture decisions, and long-term security posture.
  • Establish SaaS security governance across core Commercial platforms by defining and implementing secure configuration baselines, environment and tenant management, identity, SSO and MFA patterns, logging and monitoring, and continuous control monitoring for Veeva, Salesforce, Adobe Experience Cloud, Tealium, and connected tooling.
  • Strengthen digital channel and web experience security by partnering with digital teams to embed secure SDLC and release practices for externally hosted web content and experiences, aligning protections such as WAF, CDN and DDoS where applicable, and mitigating web-layer and brand-abuse risks including impersonation, account takeover, credential stuffing, web skimming and scraping.
  • Drive security controls aligned with privacy in marketing and data collection. Ensure consent, tracking governance, and secure handling of healthcare professional and consumer information across digital marketing operations. Follow GDPR and other global privacy rules.
  • Improve control maturity for commercial content, records and revenue interfaces by maturing controls for content lifecycle and records (including audit trail and e-signature expectations where applicable) and for financial and ordering interfaces where Commercial platforms touch revenue processes, including SOX-relevant controls.
  • Run vulnerability, audit, and testing remediation to closure.
  • Facilitate risk assessment and ongoing maintenance across SaaS tenants, web properties, and integrations.
  • Drive timely remediation of audit and penetration test findings while reducing repeat issues.
  • Enhance incident readiness and response coordination by partnering with enterprise SecOps to build Commercial-relevant playbooks, align crisis and BCP activities, support post-incident reviews, and drive business-centric improvements for scenarios such as SaaS compromise, third-party or agency incidents, data exposure and digital channel compromise.
  • Advance third-party and agency risk management by defining onboarding patterns, minimum control requirements and ongoing monitoring for Commercial vendors and agencies (creative, media/AdTech partners, event hosts, SaaS providers), ensuring clear remediation paths and exit strategies.
  • Measure and communicate outcomes through KPIs, OKRs, dashboards and reporting that demonstrate risk ownership, remediation throughput, control coverage and resilience improvements over time.
  • Champion security culture and targeted awareness by tailoring training and communications for Commercial roles and partner ecosystems on phishing and social engineering, safe SaaS usage, HCP and customer data handling, and reporting obligations.
  • Plan and oversee security initiatives and investment by shaping multi-year roadmaps, business cases and resource plans; overseeing delivery of security improvements aligned to Commercial programs including platform changes, integrations and data initiatives.
  • Lead and develop the BISO team by directing a group spanning risk reporting and analytics, risk management and remediation, and security consulting tailored to SaaS-heavy international Commercial operating models; setting clear goals tied to measurable risk reduction and resilience outcomes; coaching for high performance.

Benefits

  • short-term incentive bonus opportunity
  • equity-based long-term incentive program
  • retirement contribution
  • commission payment eligibility
  • qualified retirement program [401(k) plan]
  • paid vacation and holidays
  • paid leaves
  • health benefits including medical, prescription drug, dental, and vision coverage