Senior Director - GRC Engineer

About The Position

Requirements

• Bachelor’s degree in Computer Science, Information Systems, Engineering, Cybersecurity, or a related technical field.
• 10+ years of progressive experience in GRC, risk engineering, privacy engineering, or security architecture
• 5+ years of experience focused on control design, implementation, or assurance at an enterprise scale.
• Qualified applicants must be authorized to work in the United States on a full-time basis. Lilly will not provide support for or sponsor work authorization and visas for this role, including but not limited to F-1 CPT, F-1 OPT, F-1 STEM OPT, J-1, H-1B, TN, O-1, E-3, H-1B1, or L-1.

Nice To Haves

• Demonstrated ability to translate regulatory and policy requirements into technical control specifications and implementation guidance.
• Experience influencing senior team members on control design decisions in a matrixed, federated operating model.
• Experience with GRC platforms (ServiceNow IRM preferred) including control configuration, evidence management, and reporting design.
• Deep solid understanding of privacy and AI regulatory frameworks (GDPR, NIST Privacy Framework, NIST AI RMF, EU AI Act, U.S. state privacy laws).
• Experience developing and owning control maturity roadmaps, including defining maturity models, setting progression targets, and aligning investment to risk posture.
• Experience operating within a federated risk model, enabling business control owners rather than implementing controls directly.
• Strong verbal and written communication skills, with demonstrated ability to convey technical control design concepts to non-technical senior leaders.
• Experience in regulated industries—pharmaceutical, healthcare, or life sciences strongly preferred.
• Professional certification in privacy, risk, or security (e.g., CIPP/E, CIPT, CRISC, CISSP, CDPSE).
• Experience with privacy-enhancing technologies (PETs), AI governance tooling, or data classification technologies.
• Familiarity with ISO 27001/27701, SOC 2 controls, or equivalent control frameworks.
• Experience scaling control capabilities across a large, matrixed enterprise with multiple lines of defense.
• Hands-on experience with control automation, including workflow orchestration, API-based evidence collection, or AI-assisted monitoring.
• Prior exposure to 2nd/3rd line of defense coordination (Internal Audit, Enterprise Risk, Quality).
• Track record of partnering with cybersecurity engineering and architecture functions on shared control design.

Responsibilities

• Own end-to-end design of DLO-owned privacy, AI, and data governance controls—translating regulatory obligations, policy requirements, and risk appetite into auditable, repeatable control architectures.
• Define and retain control design specifications for each control in the DLO GRC Framework, including test procedures, evidence requirements, data flows, and automation targets.
• Apply privacy-by-design and AI-by-design principles throughout the control engineering lifecycle, from inception through deployment and ongoing sustainment.
• Lead technical analysis to identify control gaps, design deficiencies, and automation opportunities; propose and drive remediation with appropriate urgency.
• Develop and publish design documentation, technical specifications, and implementation guides that create consistency in how controls are built and validated.
• Design control evidence outputs that directly feed KRI/KPI measurement—ensuring that what gets measured is a function of control design, not manual data collection.
• Be responsible for the DLO control maturity roadmap—a multi-year strategic plan defining how DLO-owned controls will evolve in response to regulatory change, technology advancement, and enterprise risk posture shifts.
• Synthesize inputs from GRC Analysts (risk assessments, control effectiveness ratings, gap analyses) and KRI/KPI performance data to identify where controls are underperforming, immature, or misaligned to risk appetite—and translate those findings into prioritized maturity initiatives.
• Define maturity targets for each control domain (privacy, AI, data governance), establishing clear progression criteria from initial/ad-hoc through optimized/automated states.
• Lead strategic planning processes that translate the roadmap into prioritized, funded, and governed initiatives with clear milestones, owners, and success metrics.
• Anticipate regulatory and technology trends (e.g., EU AI Act enforcement, evolving NIST frameworks, agentic AI) and proactively incorporate their implications into control design direction and maturity targets.
• Partner with GRC Analysts and Service Management to align the control maturity roadmap with the risk assessment calendar and service delivery capacity.
• Engage DLO leadership and senior stakeholders regularly to communicate roadmap progress, emerging risks, and recommended strategic investments in control maturity.
• Serve as the senior technical enablement partner for the DLO Embedded Team, providing control design blueprints, reference architectures, and technical guidance that equip them to work effectively with business control owners.
• Develop reusable control design frameworks, templates, and implementation patterns that business teams can adapt to their specific processes and technology environments.
• Directly engage business control owners on complex or contested control designs—providing the technical authority and credibility required to resolve design disagreements, negotiate evidence requirements, and drive adoption of control standards.
• Provide support and direction on how to translate assessment findings, incidents, and issues into actionable control improvements.
• Triage and advise on sophisticated, ambiguous control scenarios where regulatory guidance, technical constraints, and business priorities must be carefully balanced.
• Build engagement models that create a consistent control design culture across the enterprise—proactively sharing protocols, lessons learned, and design patterns.
• Serve as the DLO’s peer-level liaison to the CISO organization’s Engineering and Security Architecture teams for matters of control design, technical integration, and shared control boundaries.
• Ensure DLO-owned controls are technically coherent with enterprise security architecture—particularly where privacy, AI, and cybersecurity controls share infrastructure, tooling, or evidence sources.
• Partner on control design reviews where DLO and Cyber controls intersect (e.g., data protection controls that serve both privacy and security objectives).
• Evaluate and recommend privacy-enhancing technologies (PETs), AI governance tools, and GRC platform capabilities in coordination with Cyber Architecture’s technology roadmap.
• Coordinate with the AI Strategy & Digital Risk role to present a coherent DLO interface to the CISO organization.
• Partner with Service Management to design control configurations within the GRC platform (ServiceNow IRM), ensuring that what is designed can be operationalized, monitored, and reported against.
• Provide engineering leadership for the automation and AI-enablement of control operations across DLO owned and non-DLO owned controls—identifying where intelligent workflows, AI agents, and tooling can reduce manual effort and improve control reliability.
• Ensure that changes to the regulatory environment or technology landscape trigger appropriate design reviews and service updates, maintaining a living control ecosystem.
• Contribute to the DLO service catalog by ensuring controls are represented as managed services with defined inputs, outputs, SLAs, and continuous improvement mechanisms.

Benefits

• company bonus (depending, in part, on company and individual performance)
• company-sponsored 401(k)
• pension
• vacation benefits
• medical, dental, vision and prescription drug benefits
• flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts)
• life insurance and death benefits
• certain time off and leave of absence benefits
• well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities)