Senior Director- Global Cyber Compliance

About The Position

Requirements

• Bachelor's degree in Information Security, Computer Science, Risk Management, Operations Research, or related field
• 12+ years of dynamic experience in cybersecurity compliance, risk management, GRC, or data operations roles within complex, global technology environments.
• Experience designing and operating multi-framework compliance programs that prioritize controls based on risk rather than static regulatory checklists.
• Hands-on experience implementing or operating a modern GRC platform (LogicGate, ServiceNow GRC, Archer) at enterprise scale.
• Experience in highly regulated, multinational environments with demonstrated regulatory engagement, inspection support, and audit management success (FDA, EMA, ISO, NIS2, or equivalent).
• Qualified applicants must be authorized to work in the United States on a full-time basis. Lilly will not provide support for or sponsor work authorization or visas for this role, including but not limited to F-1 CPT, F-1 OPT, F-1 STEM OPT, J-1, H-1B, TN, O-1, E-3, H-1B1, or L-1.
• One or more certifications required or to be obtained within 12 months of hire: CISSP, CISA, CRISC, CISM, or equivalent advanced cybersecurity certification.

Nice To Haves

• Advanced degree (MBA, MS) in a relevant field preferred.
• Working knowledge of how FDA, EMA, NIS2 competent authorities, and ISO certification bodies conduct cybersecurity-related inspections—including documentation expectations, finding classification, and evidence evaluation criteria
• Demonstrated track record redefining a compliance function from reactive and manual to proactive, AI-augmented, and platform-enabled—with measurable efficiency and quality improvements
• Experience performing structured regulatory gap analysis: mapping existing control environments to regulatory requirements, quantifying residual risk, and communicating findings to executive audiences
• Experience operating in multinational pharma, medtech, or life sciences environments across EU, US, and APAC regulatory regimes concurrently
• Familiarity with GxP computer system validation (CSV), 21 CFR Part 11 electronic records/signatures, and audit trail requirements in pharmaceutical or life sciences technology contexts
• Track record of building and presenting executive-ready compliance risk dashboards and reporting
• Knowledge of cybersecurity frameworks and their application to control design and regulatory mapping
• Experience with M&A cybersecurity due diligence and integrating compliance programs across acquired entities at global scale
• Experience with AI/ML governance frameworks and AI risk management (NIST AI RMF, EU AI Act implications for pharma)
• Shown ability to build, develop, and retain high-performing compliance teams—including coaching members through their first regulatory engagement or audit cycle
• Proficiency with GRC automation, workflow configuration, and compliance-as-code concepts; experience with LogicGate Risk Cloud a strong plus
• Advanced proficiency in data analytics tools (Python, R, SQL, Tableau, Power BI) and experience building automated reporting pipelines
• Understanding of OT/ICS security (NIST 800-82, IEC 62443) in pharmaceutical manufacturing or critical infrastructure contexts
• Experience with workflow automation platforms and data pipeline technologies in a compliance or security operations context
• Familiarity with third-party risk management, vendor security assessment programs, and supply chain compliance considerations
• Familiarity with AI self-service advisory tooling or cybersecurity chatbot capabilities in a compliance context

Responsibilities

• Define and lead the global cyber compliance program, establishing a clear approach that transitions the function from reactionary audits and inspections toward continuous, risk-responsive, program-aligned assurance.
• Set the vision and drive execution for AI, automation and GRC platform capabilities to accelerate compliance delivery, reduce manual overhead, and improve compliance outcomes.
• Own and evolve Lilly's multi-framework compliance program spanning FDA 21 CFR Part 11, GxP, ISO 27001, SOC 2, NIS2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI/ML governance requirements across global manufacturing, research, and commercial technology environments.
• Develop scope definitions for security controls and regulatory requirements that reduce task-driven overhead through technical innovation including AI and automation.
• Maintain a current-state, executive-ready view of how Lilly's cyber control environment satisfies each applicable regulatory framework, clearly mapping satisfied obligations and characterizing gaps with relevant regulatory risk analysis.
• Drive effort to create and sustain inspection-ready documentation, evidence packages, and response protocols enabling confident engagement with authorities, ISO auditors, and other regulators globally with minimal lead time.
• Develop deep working knowledge of how relevant regulatory bodies operate—their inspection methodologies, documentation expectations, finding classification frameworks, and how cyber evidence is evaluated, so preparation is proactive rather than reactive.
• Translate regulatory gap analysis into prioritized, risk-ranked remediation roadmaps that leadership can act on, with clear articulation of residual risk where full remediation is not immediately feasible.
• Serve as Lilly's primary internal and external subject-matter authority on cyber regulatory interpretation, informing program teams, platform owners, and business leaders on how new initiatives or technology changes affect compliance posture.
• Serve as the service owner for the LogicGate Risk Cloud compliance module, driving object hierarchy design, workflow automation, integration architecture, and adoption.
• Champion and deliver AI-augmented compliance capabilities including policy intelligence, automated evidence collection, and natural language advisory tooling that enables teams to self-serve compliance guidance at speed.
• Define the target state for compliance automation: continuous control testing, automated regulatory change monitoring, and real-time risk dashboards replacing manual audit cycles.
• Design and implement lightweight, scalable compliance processes that eliminate bottlenecks and drive operational efficiency across security and compliance functions.
• Build data pipelines that consolidate compliance, security, and operational metrics from diverse sources into actionable, executive-ready reporting.
• Develop predictive analytics capabilities that forecast compliance risk, resource requirements, and audit readiness posture.
• Implement data governance frameworks ensuring compliance data quality, consistency, and accessibility across global security operations.
• Apply knowledge of Lilly's cyber control environment and established frameworks to validate that control design satisfies applicable regulatory requirements.
• Own and mature exception management processes, documenting control intensity adjustments based on validated compensating controls, risk context, and business justification.
• Collaborate with Cyber service areas including Programs, Platforms, Operations, and M&A Cyber Integration to embed compliance into security operations rather than treating it as a parallel track.
• Define and own outcome-based regulatory effectiveness, operational efficiency, and program maturity, replacing activity metrics with measures that demonstrate business value.
• Communicate compliance posture, regulatory trends, and program effectiveness to executive cyber leadership in clear, concise language.
• Represent Lilly Cybersecurity's compliance function in cross-functional forums and external regulatory interactions, building trust and credibility with partners across Legal, Quality, Finance, and the business.
• Define team structure, roles, and operating model to support delivery across multiple concurrent regulatory frameworks and geographies.
• Drive cross-functional alignment with Legal, Quality, Privacy, Internal Audit, and Regulatory Affairs—ensuring compliance activities are integrated, non-duplicative, and defensible under regulatory and third-party scrutiny.

Benefits

• company bonus (depending, in part, on company and individual performance)
• company-sponsored 401(k)
• pension
• vacation benefits
• medical, dental, vision and prescription drug benefits
• flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts)
• life insurance and death benefits
• certain time off and leave of absence benefits
• well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities)