Sr. Manager, IM Security and Compliance
By providing a foundation for all operations company wide, BioMarin’s General and Administrative teams support our mission of providing first and best in class therapeutics to patients who live with rare diseases. Our teams include groups such as finance, legal, human resources, corporate compliance and ethics, and information technology. Come join our team and make a meaningful impact on patients’ lives.
The Sr. Manager of IM Security and Compliance will be a hands-on manager responsible for executing and leading the Governance, Risk, and Compliance (GRC) program within the CyberSecurity team. The primary functions of the position include management of client responses, policy & standards, vendor risk program management, vulnerability management program, security awareness, and controls assurance. The GRC Manager reports to the Director, IM Security & Compliance.
- Ownership of the 3rd Party Security Vendor Risk Management program, management of Information Management SOC2 reporting, and assessments or security requests from clients.
- Lead and maintain the GRC program roadmap, status reporting on initiatives, development of metrics, and the delivery of the program services.
- Management of the vulnerability risk program establishing SLOs, metrics, and partnering with internal and external stakeholder to manage and communicate vulnerability risks.
- Partner with stakeholders in the creation and maintenance of security policies, standards, processes and guidelines. Evaluate exception requests and make approval recommendations to management.
- Mature the security awareness and training program. This includes roadmap development, execution, metric, and the evaluation of cyber training / education courses, methods, and techniques based on organizational needs.
- Manage compliance control testing, issues management (findings, remediation plans, and exception requests), risk register and reporting.
- Analyze and stay current with regulations that impact information security / privacy program.
- Bachelor's degree is preferred
- Security Certifications preferred (CISSP, CEH, CISA, CISM, GIAC, CRISC)
- Seven (7) + years of direct experience (Information Security/Governance) and Four (4) + years of management experience preferred
- Understanding of Security frameworks and technologies such as ISO 27001, NIST, SOC2, SOX
- Strong knowledge of risk management principles and practices is required.
- Prior IT Security experience in the Biotech/Pharma industry experience is preferred.
- Governance, Risk, and Compliance (GRC) tool management is preferred.
- Client focus, including tact and diplomacy is required.
- Interview, gather, and understand content from subject-matter experts
- Ability to perform as primary Security Subject Matter Expert (SME) in a senior or lead capacity.
- Ability to facilitate and lead project and vendor risk assessments with relative independence and provide guidance on secure design and operation.
- Ability to independently complete and assist with vendor security questionnaires and security assessments
- Ability to communicate an effective security awareness message throughout the organization.
- Demonstrate ability to create and maintain security policy, standard, guideline and procedure documents.
- Demonstrate ability to effectively communicate deeply technical topics at an appropriate level of detail to varied audiences - including IT Subject Matter Experts, senior management and non-technical users
- Ability to participate in occasional off-hours handling of security incidents
- Ability to work a flexible schedule based on department and company needs
- Ability to travel as needed (anticipated 5%)
- Broad awareness of and exposure to diverse security tools and their capabilities, including commercial and open-source options in the following areas:
- Security administration and role-based security controls.
- Access/Identity Management technologies.
- Host and network-based anti-malware technologies.
- Authentication technologies such as MFA and VPN and the interactions between diverse authentication platforms, both on-site and remote.
- Client and server firewalling technologies and capabilities
- Security event management (SIEM) technologies
- Data encryption technologies
- Intrusion Detection and Intrusion Prevention
- Web filtering and email SPAM prevention techniques.
- Vulnerability assessment
- Mobile device security and Mobile Device Management solutions.