Manager, IT Risk & Compliance

About The Position

Requirements

• Risk-to-Business Translation: Exceptional ability to synthesize complex IT, Privacy, and TPRM risks into clear, metrics-based insights that drive informed executive decision-making.
• Cross-Functional Change Management: A "hands-on" leader capable of building consensus across Clinical, Quality, Legal, Finance and Commercial to drive the cultural shift from R&D to a disciplined, public-company environment.
• Scalable Control Design: Skill in designing "right-sized" ITGC and Privacy controls that meet SOX/ISO/GDPR standards without hindering the speed of a scaling biotech firm.
• Audit Defensibility & Rigor: High level of discipline in documentation and evidence collection, ensuring all GRC workflows and vendor assessments are robust enough to withstand external audit.
• Conflict Resolution & Negotiation: Proven success in resolving cross-functional friction and negotiating security remediation plans with critical third-party partners.
• Educational Foundation: Bachelor’s degree in information systems, Computer Science, or a related field. Master’s degree is preferred.
• Core Certifications: CISA, CRISC, CTPRP, or CISM strongly preferred. Note: Candidates without a core certification must be willing to obtain one within 9–12 months of hire.
• Professional Foundation: 4–6 years in IT Risk, Audit, or Compliance; minimum 3 years specifically focused on Information Security domains.
• Public Company & Scaling Expertise: Direct experience implementing or maturing SOX (ITGC) and ISO 27001 frameworks in a regulated environment (Biotech/Life Sciences preferred).
• Stakeholder & Audit Management: Proven track record of serving as a primary liaison for internal/external auditors and collaborating with cross-functional partners (Legal, Quality, Finance).
• Technical Stack: Proficiency with GRC systems (e.g., OneTrust, ServiceNow) and security rating tools (e.g., BitSight, Blackkite).
• Continuous Monitoring: Experience integrating tools like CrowdStrike into a holistic vendor risk lifecycle.
• Stationary Work: Ability to remain in a stationary position for extended periods while operating a computer and standard office equipment.
• High-Volume Communication: Must be able to frequently exchange complex, accurate information with internal stakeholders and external auditors.
• Analytical Focus: Requires sustained mental concentration to analyze risk data and interpret evolving regulatory requirements.
• Travel: Minimal travel required (less than 10%), primarily for occasional on-site vendor audits or team offsites.

Nice To Haves

• Industry Knowledge (Preferred): Understanding of Life Sciences regulations (GxP, 21 CFR Part 11) or Privacy frameworks (GDPR/CCPA) is highly desirable.

Responsibilities

• Third-Party Risk Management (TPRM): Oversee the security risk lifecycle for all IT suppliers and applications (SaaS, On-Prem, Clinical and Commercial systems). Evaluate security attestations (SOC2, ISO 27001), credentials, and evidence to report on the overall risk posture of the supply chain.
• Sustained Compliance (SOX/ISO): Lead the continuous monitoring of IT General Controls (ITGCs) to ensure SOX 404 readiness and ongoing compliance. Partner with Finance, Legal and IT to map controls across ISO and regulatory frameworks, minimizing redundant testing.
• Audit Management & Execution: Serve as the primary lead and point of contact for external and internal IT audit cycles (e.g., Year-end SOX testing). Manage the collection of evidence, coordinate walkthroughs, and ensure timely remediation of any identified deficiencies.
• Data Privacy Liaison: Partner with Legal and Clinical teams to ensure IT systems and third-party vendors comply with global data privacy regulations (GDPR, CCPA/CPRA, HIPAA). Conduct Privacy Impact Assessments (PIAs) for new systems handling sensitive patient or employee data.
• Risk Assessment & Remediation: Perform IT Risk Assessments to identify and remediate threats within internal systems and 3rd-party ecosystems. Maintain the IT Risk Register and track mitigation strategies to completion.
• Policy & Governance: Develop and maintain Information Security policies, standards, and Standard Operating Procedures (SOPs) to ensure consistency in IT service delivery, commercial readiness and audit-readiness.
• Cross-Functional Collaboration: Act as the primary IT GRC liaison to the Quality Management team. Coordinate integrated risk reporting to ensure IT security vetting (ISO/SOC2) complements clinical/GxP quality auditing.