Director, Information Security

Avantor, Lower Gwynedd Township, PA

About The Position

At Avantor, people are the most important part of our success because they drive our global performance. That’s why our Operations, Lab Services, Sales, and many other Avantor teams rely on our talent acquisition initiatives to attract, engage and hire the right talent. Avantor’s Information Security vertical is a crucial part of this mix, enabling all our internal teams worldwide to grow beyond their limits. The Information Security Governance, Risk, and Compliance (GRC) Director is a senior leadership role responsible for defining, executing, and maturing Avantor’s global security governance, risk, and compliance strategy and function. This individual will develop and oversee programs that ensure adherence to regulatory requirements, alignment with security best practices, and effective management of cybersecurity risk across the enterprise. The ideal candidate combines deep expertise in security frameworks (NIST, ISO, SOC, CIS), extensive experience with risk management, strong communication skills, and the ability to influence and partner with global leaders across IT, Legal, Procurement, Operations, and Business Units.

Requirements

  • Bachelor's degree in Information Security, Cybersecurity, Computer Science, or a related field (or equivalent experience). Advanced degree (MBA, MS in Cybersecurity, etc.) preferred.
  • 10+ years of progressive experience in Information Security, with at least 5 years in GRC leadership roles.
  • Strong understanding of security frameworks: NIST CSF/800-53, ISO 27001, SOC 2, CIS Controls, COBIT.
  • Demonstrated experience managing large-scale compliance initiatives and audit processes.
  • Expertise in enterprise risk management methodologies and tools.
  • Excellent communication and stakeholder-management skills, including presenting to executives and boards.
  • Proven ability to build, mentor, and lead high-performing teams.

Nice To Haves

  • Professional certifications: CISSP, CISM, CISA, CRISC, CGEIT, ISO 27001 Lead Implementer / Auditor, or similar.
  • Experience in life sciences, manufacturing, or highly regulated industries.
  • Familiarity with data privacy regulations (GDPR, CCPA) and cloud compliance programs.

Responsibilities

  • Develop and lead a comprehensive global GRC strategy aligned with Avantor’s security, technology, and business priorities.
  • Advise the CISO and senior leadership on enterprise risk posture, emerging threats, compliance obligations, and security performance.
  • Champion a culture of security accountability across the organization.
  • Manage the Company’s Information Security Management System (ISMS).
  • Establish, maintain, and evolve the Company’s information security policies, standards, and guidelines.
  • Ensure consistency and applicability across global operations, systems, and business units.
  • Maintain governance boards, steering committees, and reporting mechanisms that support effective oversight.
  • Define and drive the enterprise application security strategy, ensuring alignment with business objectives, regulatory requirements (e.g., SOX, PCI, ISO 27001), and risk tolerance.
  • Develop and maintain a multi-year roadmap for application security capabilities, including the integration of threat modeling, secure coding standards, and SSDLC automation.
  • Serve as the subject matter expert and executive advisor on application security across product, architecture, engineering, DevOps, and compliance teams.
  • Lead the design, implementation, and continuous improvement of SSDLC practices, ensuring security requirements are embedded in each phase of the software development lifecycle (requirements, design, coding, testing, release).
  • Collaborate with development teams to integrate security tooling (e.g., SAST, DAST, SCA, IaC scanning) into CI/CD pipelines, with measurable guardrails and thresholds.
  • Drive adoption of secure coding guidelines, threat modeling, and security design reviews, including training and enablement for engineering teams.
  • Develop and oversee a risk-based application vulnerability management program, covering both custom code and third-party/open-source components (e.g., SBOM, CVEs).
  • Partner with DevOps and engineering to triage, prioritize, and remediate vulnerabilities, ensuring SLA adherence and measurable risk reduction.
  • Lead the implementation and optimization of vulnerability scanning tools and workflows, ensuring visibility, consistency, and centralized reporting across platforms.
  • Lead the enterprise cyber risk management program, including risk assessments, risk treatment plans, tracking, and reporting.
  • Identify, evaluate, and prioritize risks associated with new systems, technologies, vendors, and business initiatives.
  • Improve risk quantification and help business leaders understand security risks in operational and financial terms.
  • Own information security components of compliance programs and readiness efforts such as SOX ITGC, PCI, GDPR, ISO 27001, NIST CSF, SOC 2, and other regulatory/industry frameworks.
  • Lead internal and external audits, coordinate evidence gathering, manage remediation plans, and ensure consistent control execution.
  • Analyze evolving regulations and translate requirements into operational controls.
  • Further develop, evolve and oversee the vendor security assessment lifecycle, ensuring appropriate due diligence, control verification, and contractual security expectations based on current and evolving business requirements.
  • Collaborate with Procurement, Legal, and business stakeholders on risk mitigation and supplier management and drive process integrations and collaboration in managing third-party risks.
  • Continue to drive the evolution of the enterprise-wide awareness and training program so that it keeps pace with current and emerging risks.
  • Partner with IT, Business, HR and Communications to drive enterprise-wide security education and training programs.
  • Ensure programs effectively target behaviors that reduce risk and support Avantor’s compliance obligations and the evolving risk landscape.
  • Lead application security awareness and training programs for developers, architects, and product owners.
  • Develop, maintain, and automate security KPIs, KRIs, and dashboards that provide actionable insights to executive leadership and drive remediation of risks identified through continuous monitoring.
  • Ensure accurate, timely reporting on compliance status, risk posture, and audit activities.

Benefits

  • Avantor offers a comprehensive benefits package including medical, dental, and vision coverage, wellness programs, health savings and flexible spending accounts, a 401(k) plan with company match, and an employee stock purchase program.
  • Employees also receive 11 paid holidays, accrue 18 PTO days annually, are eligible for volunteer time off and 6 weeks of 100% paid parental leave (except in states that offer paid family leave).