Director, Cyber Risk Management & Remediation — Business Information Security Officer (BISO), E[...]

Introduction to role:

Are you ready to turn cyber risk into measurable outcomes that protect the platforms powering life‑changing medicines? Based in Guadalajara, this senior leader partners with Enterprise Technology Services to set the cyber risk posture across cloud, networks, identity, endpoints, collaboration, email/M365/Exchange, ITSM operations, service desk, and site IT. Your work will directly safeguard the digital foundation that enables our scientific and commercial breakthroughs for patients worldwide.

You will design the operating model that makes risk transparent and remediation predictable, engaging early on strategic initiatives, translating threats and regulatory drivers into clear priorities, and orchestrating durable control improvements. How would you establish a defensible control baseline and a credible risk narrative that influence VP‑level decisions and accelerate remediation at scale?

Accountabilities:

• Risk Lifecycle Ownership : Own the end‑to‑end risk lifecycle for ETS—identification, assessment, treatment, acceptance, and monitoring; maintain an authoritative risk register and a predictable reporting and escalation cadence to senior stakeholders.
• Executive Engagement and Influence : Advise business and technology leaders across ETS; convert threat intelligence, regulatory expectations, and operational realities into defensible priorities and investment decisions that drive measurable risk reduction.
• Governance and Risk Acceptance : Set and run governance for risk acceptance, exceptions, and waivers; ensure clear ownership, documented residual risk, time‑bound treatments, and escalations aligned to enterprise risk appetite.
• Control Baseline and Framework Mapping : Define and enforce a control baseline across ETS domains; map to NIST CSF, ISO 27001/27002, CIS Controls, and AstraZeneca policies; track control coverage and maturity over time.
• Risk Assessment and Treatment : Lead high‑impact risk assessments for transformative ETS initiatives—cloud migrations, identity modernization, endpoint refresh, collaboration and M365/Exchange evolution, ITSM uplift, and major third‑party/SaaS adoptions; ensure risks, exceptions, and treatments are consistently documented and tied to business outcomes and regulatory commitments.
• Remediation Program Leadership : Sponsor and oversee multi‑team remediation programs (e.g., vulnerability burndown, misconfiguration closure, identity hygiene, privileged access uplift, endpoint hardening, M365 tenant security, network segmentation, third‑party remediation); define milestones, RAID, benefits realization, and change management to land sustained risk reduction.
• Remediation Execution and Orchestration : Drive delivery across ETS service lines; manage dependencies and change controls with service owners; remove blockers and elevate proactively to keep remediation on track.
• Control Assurance and Audit Readiness : Oversee control health and testing for ETS; lead engagements with internal/external auditors and regulators across ISO 27001, SOC 2, SOX ITGC, and GxP/GMP where applicable; ensure evidence is durable, traceable, and audit‑ready.
• Third‑Party and Supply Chain Risk : Set the standard for supplier and SaaS risk management—onboarding patterns, minimum controls, clauses, due diligence, and continuous monitoring; integrate third‑party risks into the register and drive remediation, concentration‑risk management, or exit strategies as needed.
• Data, AI, and Privacy Enablement : Partner with data, AI, and privacy leaders to safeguard sensitive and regulated data on ETS platforms; enable compliant analytics and AI/ML through classification, encryption, DLP, monitoring, and model‑risk controls.
• Incident Preparedness and Response Leadership : Strengthen readiness with operations and crisis teams; align playbooks and BCP for ETS services; sponsor post‑incident corrective actions and embed lessons learned into updated baselines.
• Metrics, Reporting, and Executive Communication : Define KPIs and KRIs for ETS cyber risk (e.g., critical control coverage, assessment before go‑live, repeat‑finding rates, mean time to remediate, maturity trends); communicate posture, trends, and priorities to executives, governance bodies, and where required to Audit Committee and Board‑level forums.
• Stakeholder Management : Build trusted relationships with senior leaders across ETS, enterprise architecture, quality, legal/privacy, internal audit, sourcing, and cybersecurity; influence investment to resolve systemic risks and remove cross‑functional blockers.

Essential Skills/Experience:

• Information Security Leadership: 12–15 years of progressive experience in information security, including 8+ years leading risk management, remediation, BISO, or equivalent functions and influencing senior business and IT executives at VP/SVP level.
• Risk and Remediation Operating Model: Demonstrated track record of designing and operating an enterprise risk lifecycle (identification, assessment, treatment, acceptance, monitoring) and remediation portfolio in complex, global organizations, and measuring risk reduction and control maturity over time.
• AI‑Enabled Security: Demonstrated ability to apply LLMs and agentic automation to improve cybersecurity and business outcomes, translating use cases into measurable gains (for example faster risk triage, better control evidence, improved detection and response) while protecting sensitive data.
• Frameworks and Control Implementation: Deep experience implementing and operationalizing controls defined by NIST CSF, ISO 27001/27002, CIS Controls, and related frameworks across infrastructure, identity, endpoint, collaboration, and SaaS, demonstrating measurable maturity improvement at enterprise scale.
• Risk Dashboarding and Data‑Driven Execution: Proven ability to design and govern meaningful risk dashboards and metrics (for example in Power BI or equivalent), using actionable data to prioritize remediation, defend investment decisions, and demonstrate risk reduction and resilience improvements.
• Audit and Regulatory Engagement: Strong experience leading engagement with internal audit, external auditors, and regulators; track record of producing durable, traceable evidence and converting audit findings into structured remediation that closes on time.
• Incident Response and Crisis Partnership: Strong understanding of global security operations, incident response, and crisis management; experience as a senior risk and remediation partner during high‑severity events and post‑incident reviews, ensuring corrective actions translate into durable control change.
• Executive Communication: Exceptional written and verbal communication skills, with proven ability to present complex technical and risk information to executive, regulatory, and Board‑level audiences as well as in‑country and business stakeholders.
• Execution Under Pressure: Proven ability to manage competing executive‑level priorities, operate under time constraints tied to launches, regulatory commitments, and operational change windows, and drive outcomes through influence across a highly matrixed, global organization.
• Talent and Team Development: Demonstrated success building and retaining high‑performing risk and remediation teams, including senior practitioners, in a global, multicultural environment.
• Education and Certifications: Bachelor's degree in Information Security, Computer Science, Risk Management, or related field (master's degree strongly preferred). Professional certifications such as CISSP, CISM, or CRISC required.

Desirable Skills/Experience:

• Experience working in a global, matrix organization with distributed teams and significant operations in the US, UK, Sweden, China, Japan, India, and Latin America.
• Direct experience as a BISO, Head of Cyber Risk, or Head of Remediation in a regulated industry, with accountability for enterprise infrastructure and operations services.
• Hands‑on knowledge of emerging technologies and associated security risks (multi‑cloud, AI/ML and agentic systems, IoT/OT, quantum‑safe cryptography).
• Understanding of business continuity, disaster recovery, and crisis management at enterprise scale.
• Experience leading security input into M&A due diligence, integration, and divestitures.
• Track record of representing security at Audit Committee or Board‑level forums.
• Additional certifications such as CCSP, CGEIT, ISO 27001 Lead Auditor/Implementer, CISA, TOGAF, SABSA.
• Experience leading risk and remediation for major infrastructure, cloud, identity, endpoint, collaboration, and ITSM transformations.

We balance the expectation of being in the office while respecting individual flexibility. We require an average of three days per week from the office. We remain flexible to accommodate essential remote work.

Why AstraZeneca

Here, technologists and security leaders sit close to the science, enabling breakthroughs that reach patients faster and more safely. You will join a global company investing boldly in digital and data, where modern platforms, AI, and advanced analytics are used to solve high‑stakes problems and scale what works. We back ambition with support—clear priorities, real ownership, and leaders who value kindness alongside high performance—so your decisions translate into resilience for the enterprise and tangible impact for people who rely on our medicines.

AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry‑leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We comply with all applicable laws and regulations on non‑discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.