Director, IT - Governance, Risk & Compliance

About The Position

Requirements

• Bachelor's degree in Information Technology, Computer Science, Life Sciences, or a related field; Master's degree strongly preferred.
• 12+ years of progressive IT GRC, IT audit, or IT compliance experience, with at least 5 years in a biotech, pharmaceutical, or medical device environment.
• Minimum 4 years of people management experience, including managing managers or senior individual contributors.
• Deep expertise in FDA 21 CFR Part 11, GxP computer system validation (CSV), and SOX IT General Controls.
• Proven track record managing IT audit processes and working directly with external auditors (Big 4 preferred) and regulatory agencies.
• Strong knowledge of IT risk management frameworks (NIST CSF, ISO 27001/27002, COBIT) and demonstrated ability to set and execute multi-year GRC strategy.

Nice To Haves

• Master's degree in Information Systems, Business Administration, or a related discipline.
• Professional certifications: CISA, CRISC, CGEIT, CISSP, or CIPP.
• Experience with cloud GRC platforms (ServiceNow GRC, Archer, Vanta, Drata) and validated cloud environments (AWS, Azure, GCP).
• Familiarity with HIPAA/HITECH, NIS2 Directive, GDPR, and CCPA compliance in a clinical or research setting.
• Prior experience supporting IND/NDA/BLA submissions or FDA facility inspections.
• Experience standing up a GRC function or program from an early-stage maturity baseline.

Responsibilities

• Own and continuously evolve the IT governance framework aligned with COBIT, ITIL, or equivalent standards; set multi-year roadmap for IT GRC maturity.
• Establish, maintain, and enforce IT policies, standards, and procedures in alignment with business objectives and regulatory requirements.
• Lead the IT Governance Committee; prepare Board-and executive-level reporting on governance posture, KPIs, and strategic risk.
• Drive IT portfolio governance to ensure alignment of technology investments with enterprise strategy and risk appetite; partner with Finance on IT spend decisions.
• Contribute to enterprise risk management (ERM) strategy alongside Finance and Legal
• Lead the enterprise IT risk management lifecycle: identification, assessment, treatment, monitoring, and reporting.
• Maintain and continuously update the IT risk register; escalate critical risks to senior leadership and the Board, as appropriate.
• Partner with business units to conduct risk-based vendor and third-party assessments for critical technology partners and SaaS providers.
• Own and manage IT compliance programs across GxP (21 CFR Part 11, Annex 11), SOX ITGCs, HIPAA, NIS2 Directive, and applicable data privacy regulations (GDPR, CCPA, when applicable).
• Serve as the primary IT point of contact for internal and external auditors; coordinate IT audit requests, responses, and remediation.
• Lead IT General Controls testing and documentation for SOX compliance cycles; partner with Finance and External Audit.
• Participate in GxP computer system validation (CSV) oversight in coordination with QA — including URS, IQ/OQ/PQ documentation, and periodic reviews.
• Track and drive closure of all IT audit findings, control deficiencies, and corrective and preventative actions (CAPAs).
• Develop and maintain the IT policy library; ensure timely review cycles and version control.
• Drive an IT compliance awareness culture through training programs, communications, and onboarding curriculum.
• Advise IT project teams and technology owners on control requirements during system design and implementation