Lead GRC Specialist
Who We Are
For more than two decades, going our own way has led to countless breakthroughs, bettering the lives of those suffering from rare genetic disease. In 1997 we were founded to make a big difference in small patient populations. Now we seek to make an even greater impact by applying the same science-driven, patient-forward approach that propelled our last 25 years of drug development to larger genetic disorders, as well as genetic subsets of more common conditions. Through our unparalleled expertise in genetics and molecular biology, we will continue to develop targeted therapies that address the root cause of the conditions we seek to treat. Applying our knowledge to make a transformative impact is not just a calling, but an obligation to those who will benefit most. The end goal has always been better lives and now we can reach more.
And the more people we reach, the more our impact can grow. We transform lives through genetic discovery.
Our desire to make a positive impact on our patients extends to our employees and BioMarin is committed to fostering an inclusive environment where every person feels seen, valued, and heard – so employees can thrive in all areas of their lives, in and outside of work. We seek to provide an open, flexible, and friendly work environment to empower people and to provide them with the ability to develop their long-term careers. Ultimately, we want to be an organization where people enjoy coming to work and take pride in our efforts to help patients.
The Lead GRC Specialist of IM Security and Compliance will be a hands-on position responsible for executing and championing the Governance, Risk, and Compliance (GRC) programs. The purpose of this position is to lead the cybersecurity risk management program, manage client responses, establish and maintain enterprise cyber policy & standards, manage cyber metrics, and provide cyber controls assurance. The Lead GRC Specialist reports to the Director, IM Security & Compliance.
- Implements cybersecurity controls, the US NIST Cybersecurity Framework (CSF) risk assessment framework, and a program that align with BioMarin’s security and privacy policies and applicable regulatory requirements, ensuring documented and sustainable compliance that supports and advances the company’s objectives.
- Evaluates risks and develops security standards, procedures, and controls to manage them. Performs the full range of cyber risk management activities, including risk identification, assessment, reporting, and oversight of remediation planning and execution (e.g., third-party, application, database, infrastructure, network penetration testing, etc.).
- Implements processes, such as GRC (governance, risk, and compliance), to automate and continuously monitor information security controls, exceptions, risks, and testing. Develops reporting metrics, dashboards, and evidence artifacts. Works with stakeholders, including Information Management, Enterprise Risk, Human Resources, Legal, Compliance, and third parties, to implement and execute risk planning and mitigation.
- Leads cybersecurity risk assessments, maintains a cybersecurity risk register for all ongoing efforts, and partners with stakeholders on risk remediation. Manages compliance control testing, issues management (findings, remediation plans, and exception requests), the risk register, and reporting.
- Performs and investigates internal and external information security risk and exception assessments. Assesses incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
- Documents and reports control failures and gaps to stakeholders. Provides remediation guidance and prepares management reports to track remediation activities.
- Advises on the continued integration of cybersecurity into enterprise risk management (ERM), including disaster recovery and business continuity programs.
- Owns cyber policies and standards, including the review and update of policies and strategic plans consistent with cyber risk management objectives.
- Builds, manages, and reports on key risk indicators and cyber metrics; reviews risk and cyber metrics to gauge the success of the cyber capabilities.
- Establishes and maintains a roadmap for the security governance, risk, and compliance (GRC) program.
- Proactively manages remediation of security and compliance-related issues from issuance to closure.
- Identifies and understands regulatory compliance risk associated with business activities; performs root cause analysis; provides recommendations that influence business solutions and action plans; engages stakeholders; and escalates as appropriate.
- Assists with identifying and reviewing control deficiencies and provides recommendations for management action plans in alignment with the company's risk and compliance frameworks.
- Establishes and manages the third-party risk management program.
- Selects, implements, and maintains GRC tools, infrastructure, and automation.
- Responds to security risk assessment, security due diligence, and audit requests.
- Reviews and revises security and privacy terms in contracts and creates re-usable contract attachments for use in customer, partner, and vendor agreements.
- Drives compliance with applicable legal and industry risk and compliance frameworks such as ISO 27001/27002, NIST CSF, AICPA SOC 2, FDA, and HITRUST.
- Bachelor's degree in Computer Science or Information Technology is preferred.
- Security certifications preferred (CISSP, CEH, CISA, CISM, GIAC, CRISC).
- 10+ years of direct experience (Information Security/Governance).
- Experience implementing one of the GRC tools such as Drata, Vanta, Archer, or HyperProof.
- Demonstrated experience in developing and managing Information Security Risk Programs, including experience in implementing, building, assessing, managing, and reporting against the NIST and MITRE ATT&CK frameworks.
- Ability to independently manage the GRC program with minimal supervision, multi-task, deal with ambiguity, and consistently deliver high-quality results in a demanding, highly regulated, and constantly changing corporate environment.
- Understanding of security frameworks and technologies such as ISO 27001, NIST, SOC 2, and SOX.
- Prior IT security experience in the Biotech/Pharma industry is preferred.
- Ability to perform as the primary Security Subject Matter Expert (SME) in a senior or lead capacity.
- Demonstrated ability to effectively communicate technical topics at an appropriate level of detail to varied audiences, including IT Subject Matter Experts, senior management, and the business.
- Strong interpersonal skills, including excellent communication, written, and presentation skills; the ability to multi-task effectively, complete projects, and perform daily tasks with minimal supervision; and the ability to set and meet deadlines.
- Ability to participate in occasional off-hours handling of security incidents.
- Ability to work a flexible schedule based on department and company needs.
- Ability to travel as needed (anticipated 5%).
- Broad awareness of and exposure to diverse security tools and their capabilities, including commercial and open-source options in the following areas:
  - Security administration and role-based security controls.
  - Access/Identity Management technologies.
  - Host- and network-based anti-malware technologies.
  - Authentication technologies such as MFA and VPN, and the interactions between diverse authentication platforms, both on-site and remote.
  - Client and server firewalling technologies and capabilities.
  - Security event management (SIEM) technologies.
  - Data encryption technologies.
  - Intrusion Detection and Intrusion Prevention.
  - Web filtering and email SPAM prevention techniques.
  - Vulnerability assessment.
  - Mobile device security and Mobile Device Management solutions.
PLEASE NOTE: Absent a Medical or Religious reason that prohibits vaccinations, all our incoming employees must be vaccinated for COVID-19.
We are an equal opportunity employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity, sexual orientation, national origin, disability status, protected veteran status, or any other characteristic protected by law.