Cybersecurity GRC Lead

About The Position

Requirements

• 5+ years of experience in cybersecurity, governance, risk management, or regulated technology environments, with strong exposure to medical devices, healthcare technology, life sciences, or similarly regulated products.
• Recognized as a seasoned subject-matter expert in medical device cybersecurity governance, independently owning and driving GRC programs, continuous control monitoring, audit readiness, and customer assurance activities.
• Demonstrated ability to analyze and resolve complex, multi-factor cybersecurity and regulatory issues, applying sound judgment with minimal day-to-day guidance.
• Proven success influencing cross-functional and senior stakeholders (Engineering, Quality, Regulatory, IT, Security, Commercial) to achieve compliant, auditable outcomes without direct authority.
• Extensive experience supporting regulatory inspections, internal and customer audits, and pre‑sale cybersecurity assessments, serving as a credible internal and external representative.
• Track record of managing multiple concurrent initiatives, driving program maturity, and delivering sustained results through scalable processes, metrics, and documentation.
• Bachelor’s degree in Engineering, Computer Science, Cybersecurity, Biomedical Engineering, or a related field.

Responsibilities

• Own and maintain the medical device cybersecurity GRC plan, calendar, and control schedule (monthly, quarterly, and annual activities).
• Ensure cybersecurity roles, responsibilities, RACIs, and escalation paths are defined and functioning across IT, Engineering, and Quality teams.
• Maintain governance documentation, including policies, procedures, standards, control narratives, and work instructions related to medical device cybersecurity.
• Provide regular program status reporting (KPIs/KRIs, control execution status, risk posture, overdue actions) to the CISO and other stakeholders.
• Track cybersecurity requirements from customers, internal stakeholders, and applicable standards and guidance (e.g., FDA expectations, IEC 62304/62443 concepts, NIST-aligned controls) through implementation and evidence completion.
• Coordinate cybersecurity risk assessments and ensure resulting remediation actions are assigned, tracked, and closed by accountable owners (Engineering, IT, suppliers, etc.).
• Maintain the cybersecurity risk register for medical device–related risks impacting products, manufacturing/operations, and supporting systems.
• Serve as the central coordination point between Sales, Engineering, Quality, Regulatory Affairs, IT, and Information Security for cybersecurity compliance deliverables.
• Coordinate with Quality and Regulatory Affairs to ensure pre-sale cybersecurity responses meet regulatory and compliance expectations.
• Escalate and track gaps or risks identified during the pre-sale process to appropriate internal stakeholders.
• Support Quality and Regulatory teams with audit and inspection readiness by ensuring cybersecurity artifacts are current, approved, and readily retrievable (e.g., threat models, vulnerability management evidence, access review records).
• Drive continuous improvement of GRC processes, including templates, checklists, evidence repositories, and dashboards.
• Ensure execution and evidence capture for recurring cybersecurity controls, including:
• Monthly and quarterly user and privileged access reviews for applications, cloud portals,and applicable manufacturing-support systems.
• Vulnerability scanning governance, confirming scans occur on schedule, findings are triaged, and remediation plans are tracked to closure (execution performed by IT, Security Operations, or Engineering).
• Patch and vulnerability remediation tracking, including SLA monitoring, exception handling, compensating controls, and escalation of overdue items.
• Backup, restore, and security monitoring attestations for device-supporting environments, where applicable.
• Supplier and third-party security evidence coordination related to device development or connectivity.
• Govern SBOM accuracy and update cadence by coordinating inputs from Engineering and suppliers and ensuring evidence is maintained for audits and customer requests.
• Coordinate vulnerability intake, triage governance, and coordinated vulnerability disclosure (CVD) processes (with execution performed by product security and engineering teams).
• Lead and coordinate responses to customer cybersecurity questionnaires, risk assessments, and security audits by gathering SME input and ensuring consistent, compliant responses.