Executive Director IT Business Information Risk Officer (BIRO) - MMD/MRL IT

Remote | Hybrid
Sorry, this job was removed at 7:23 p.m. (CST) on Wednesday, May 18, 2022

Job Description
New hires in office-based roles in the US & Puerto Rico will be required, subject to applicable law, to demonstrate that they have been fully vaccinated for COVID-19 or qualify for a medical or religious exemption to this vaccination requirement that can be accommodated without an undue burden to the operation. However, subject to applicable law, employees working in roles that the Company determines require routine collaboration with external stakeholders, such as employees in customer facing commercial or research based roles, will be required to be fully vaccinated as a condition of employment.
Our Information Technology (IT) team operates as a business partner proposing ideas and innovative solutions that enable new organizational capabilities. We partner internationally to deliver the services and solutions that help everyone to be more productive and enable innovation.
Our Company's Information Technology division partners with colleagues across the business to help serve our patients and customers around the world. We are a high-energy team of dynamic, innovative individuals dedicated to leveraging information and technology to efficiently drive revenue and productivity, thereby advancing our Company's contribution to global medical innovation.
Our Company's Information Technology Risk Management and Security (ITRMS) organization is overseen by the Chief Information Security Officer and includes several functions: Governance Risk and Compliance (GRC), Strategy & Governance, Cyber Fusion Center (CFC), Cyber Security Engineering, and Information Management, Legal & Compliance IT Services.
ITRMS is an essential component of the IT enterprise providing support to the Animal Health, Human Health, Manufacturing, Research & Development, Supply Chain, and Marketing organizations, corporate enabling functions, and global support functions.
The BIRO serves as a business-aligned leader and influencer, highly capable in providing forward-thinking leadership, change management, and vision for the future of cybersecurity, IT risk, and compliance. The BIRO is a strategic advisor to our Company's business and IT executive leaders, helping to accelerate the business strategy and innovation while navigating the evolving risk landscape.
Divisional leaders, ITRMS leadership, and IT customers and stakeholders rely on the BIRO to cultivate a deep understanding of business strategy, key technologies, and potential threats, and to respond with strategies to right-size risk exposure, enabling the business to run fast while protecting against disruption. The BIRO owns the business relationship, ensuring effective engagement of ITRMS services with a relentless focus on customer experience. This position reports to the Head of IT GRC.
In particular, the Manufacturing/Research & Development BIRO will be accountable for covering our Company's Manufacturing Division and our Company's Research & Development divisions. In this role, the Manufacturing/Research & Development BIRO will be the global lead for all division-specific risk, compliance, and cybersecurity activities. The Manufacturing and Research & Development divisions have a higher level of complexity and risk, as compared to other divisions, housing more GxP systems as compared to non-GxP systems and requiring deep regulatory knowledge and experience. Other items that contribute to the complexity of this role include patient safety considerations, a large number of crown jewel systems, significant changes in the pipeline for these businesses such as clinical modernization, platform activities, digitalization and complexity of protecting plan assets/operational technologies.
Responsibilities:

Leadership, Relationship Management and Strategic Influence

  • Cultivate relationships with executive leaders and drive Line of Business (LOB) strategy for IT risk, compliance, and cybersecurity; identify strategic risks, develop responsive mitigation strategies, and oversee effective implementation
  • Work with ITRMS leaders and operational excellence team to drive alignment of ITRMS services to customer needs, raise ITRMS's profile within the organization, and ensure that the IT risk management strategy is well-positioned
  • Interact with the senior leader network across the organization to increase knowledge and expertise in IT security, compliance, risk, and quality
  • Establish and drive an Operational Technology (OT) strategy to reduce cyber risk across labs and manufacturing environments
  • Provide regular cybersecurity landscape, trend, and LOB risk updates to the CISO, CIDO, and executive stakeholders
  • Support the CISO with preparation of updates, reports, and presentations to the Board of Directors related to the risk and threat landscape trends
  • Provide expert guidance on appropriate IT risk posture based on LOB strategy and objectives
  • Identify, assess, and prioritize critical IT risks for business leadership; design and orchestrate response strategies to ensure that assets remain protected in line with organizational risk tolerances
  • Be the "face" of ITRMS: participate in town hall sessions to provide education and awareness to LOB leaders and workforce around top-of-mind cybersecurity, risk, and compliance topics
  • Assemble and lead a high-performing team of IT cybersecurity, risk, and compliance professionals who execute tactical risk mitigation and control implementation programs to achieve strategic objectives
  • Own the relationship between the business and ITRMS and develop strategies to optimize service delivery and customer satisfaction
  • Participate in leading industry forums and consortiums to represent business interests, gather relevant intelligence, and contribute to setting cybersecurity and info risk management standards/practices


Risk Management

  • Develop an effective risk management strategy for our Manufacturing and Research & Development divisions' critical assets and crown jewel systems
  • Maintain a deep understanding of LOB strategy, relevant industry practices, new and emerging technologies, and key suppliers, and identify and assess key risks to the IT environment
  • Advise senior leaders based on risk grounded in threat; focus on strategic and proactive opportunities to strengthen our Company's IT risk posture
  • Enable the business to be better risk takers by evaluating both upside and downside potential of risk and promote informed decisions based on LOB risk appetite
  • Interpret and apply enterprise information risk and security strategies, policies, and procedures that match the organization's priorities and help to achieve its objectives
  • Engage ITRMS functions (e.g., Cyber Fusion Center, Cyber Engineering) and IT stakeholders during program formation, risk profiling assets and adapting control policies and standards to enhance speed of execution while ensuring adequate levels of protection
  • Appropriately assess IT risk when business decisions are made, demonstrating consideration for the company's reputation and safeguarding our company and its assets by driving compliance with applicable laws, rules, and regulations, adhering to policy, applying sound ethical judgment regarding personal behavior, conduct and business practices, and escalating, managing, and reporting control issues with transparency
  • Promote business and ITRMS organizational maturation by ensuring IT risk and security management capabilities are improved year over year
  • Drive business adoption of information risk assessment and risk management processes; monitor progress, challenge the status-quo, and provide recommendations for improvement
  • Maintain deep understanding of IT controls key to critical LOB value chains and provide input to optimize the risk-based control framework and monitoring processes
  • Empower the organization to make effective risk treatment decisions (e.g., mitigation, acceptance) and intervene when additional support is required for critical priorities
  • Engage senior business and IT leaders to catalyze and drive risk reduction programs to improve our Company's overall risk posture
  • Provide strategic thought leadership and ensure LOB business continuity and disaster recovery plans are comprehensive and ready to be deployed if necessary


Cybersecurity

  • Work cross functionally to evaluate and prepare the security, risk, and compliance functions for current and future acquisitions, mergers, and new business ventures
  • Aid in developing cybersecurity technology standards for the business and foster a culture of cybersecurity to ensure the integrity, confidentiality, and availability of information owned, controlled, and/or processed by the organization
  • Provide guidance to cyber teams on high-critical incident response initiatives and provide an escalation path when leadership interaction is deemed necessary
  • Ensure the implementation of data protection and privacy standards across the business; understand security processes and partner with ITRMS cyber functions on determining where security enhancements may be required
  • Provide strategic direction on a wide variety of IT cybersecurity issues, concerns, and problems, making sure all business processes incorporate adequate information security
  • Support development of a risk-based cybersecurity roadmap to strengthen controls across existing technology products
  • Conduct research to build and maintain strong, broad understanding of latest cyber, user privacy, and security trends as well as industry threats, and work with IT product teams to develop mitigation plans for relevant cyber risks
  • Provide strategic thought leadership and expert guidance on cybersecurity risks related to emerging technologies and concepts such as AI, machine learning, IoT, and blockchain
  • Lead delivery of consulting services on current and upcoming projects covering all levels of IT security architecture
  • Ensure new products, services, applications, third party or client relationships, have appropriate cybersecurity controls embedded and that any identified risks are appropriately addressed
  • Serve as cybersecurity subject matter expert and advisor, coordinating and providing multi-disciplinary knowledge, skills, and experience in security architecture, and security management roles and responsibilities
  • Collaborate with ITRMS cyber functions to provide strategic direction to prevent future cyber or fraud incidents
  • Provide guidance and advocacy regarding the prioritization of LOB investments that impact cybersecurity, risk, and compliance with cybersecurity laws and regulations
  • Act as a champion in growing a culture of cybersecurity


Compliance and Quality

  • Lead development of an annual IT risk and compliance improvement roadmap to support LOB strategic objectives
  • Provide key LOB risk insights to ITRMS policy and governance team to bolster development of IT security, risk, and compliance requirements in support of business initiatives
  • Oversee and ensure IT control implementation, education, and awareness, and remain informed on LOB control environment performance and effectiveness to aid with decision-making
  • Maintain a strong understanding of key regulatory requirements (e.g., GxP, SOX, GDPR, PCI, etc.) and how they impact the organization; develop strategies to appropriately manage risk while reducing cost of compliance
  • Prioritize the development and usage of new technologies and methods of automation to drive compliance process efficiencies, self-service, and improved customer experience
  • Ensure LOB legal and regulatory IT compliance posture remains closely aligned with organizational risk tolerance; identify potential gaps and develop strategies to correct and prevent disruptive compliance events
  • Identify and communicate LOB-specific compliance considerations to ITRMS and key business partners and provide recommendations to drive service alignment to customer needs
  • Lead and manage professionals responsible for tactical execution, including triaging compliance requests, working with IT product teams to implement program-level controls, and supporting remediation activities to improve LOB compliance outcomes


Desired Education Level:

  • Bachelor's Degree is required. Concentration in Information Technology or related field is preferred.


Required Skills & Experience:

  • 18+ years of IT risk management experience in life sciences industry with proven ability to apply risk principles to challenging business issues
  • Strong understanding of Operational Technology (OT), Smart Factory, and Laboratory / Supply Chain information risk management concepts
  • Knowledge and understanding of IT product model strategy and agile methodology
  • Certifications: Information Systems Security Professional (CISSP), Information Security Manager (CISM), Risk and Information Systems Control (CRISC), or similar
  • Strong knowledge of information security, risk management, and compliance frameworks and standards (e.g., NIST, GDPR, GxP, SOX) and their effective implementation and management
  • Fluent with secure SDLC processes and risk factors from design, testing, and deployment to post-production
  • Experience with cybersecurity and risk management practices such as security incident response, BCP/DR, endpoint and data protection, identity and access management, vulnerability management, and infrastructure protection
  • Forward-thinking and highly knowledgeable of industry trends, technologies, and emerging threats
  • Expertise in assessing IT risk posture against organizational risk tolerance and providing actionable recommendations to close gaps
  • Proven success in implementing IT risk management strategies (e.g., cybersecurity, resiliency, etc.)
  • Excellent interpersonal and verbal and written communication skills and proven ability to network with internal and external stakeholders, and work effectively with all organizational levels
  • Ability to comfortably deliver messages across a wide spectrum of audiences with varying degrees of technical understanding
  • Experienced in the design, development, implementation, and/or operational support of mission-critical IT solutions in large-scale environments and organizations
  • Strong leader and team player; diverse experience and demonstrated success in managing global stakeholders and project teams
  • Confident, self-motivated, and self-directed at operational management level; ability to think critically and solve ambiguous and/or conflicting problems
  • Strong bias for action and initiative; ability to work under little supervision
  • Capable of anticipating needs and driving clarity on expectations
  • Strong quantitative and analytical abilities; identifies data-driven opportunities to effectively measure performance, progress, and/or risk
  • Knowledge of security, risk, and compliance strategies for emerging technologies (e.g., artificial intelligence, machine learning, IoT, blockchain, etc.)
  • Understanding of cloud architectures, security tools to monitor and support cloud adoption, and the latest migration tools and methodologies
  • IT risk consulting and/or systems engineering/architecture experience a strong plus

Our Support Functions deliver services and make recommendations about ways to enhance our workplace and the culture of our organization. Our Support Functions include HR, Finance, Information Technology, Legal, Procurement, Administration, Facilities and Security.


Who we are ...
We are known as Merck & Co., Inc., Kenilworth, New Jersey, USA in the United States and Canada and MSD everywhere else. For more than a century, we have been inventing for life, bringing forward medicines and vaccines for many of the world's most challenging diseases. Today, our company continues to be at the forefront of research to deliver innovative health solutions and advance the prevention and treatment of diseases that threaten people and animals around the world.
What we look for ...
Imagine getting up in the morning for a job as important as helping to save and improve lives around the world. Here, you have that opportunity. You can put your empathy, creativity, digital mastery, or scientific genius to work in collaboration with a diverse group of colleagues who pursue and bring hope to countless people who are battling some of the most challenging diseases of our time. Our team is constantly evolving, so if you are among the intellectually curious, join us and start making your impact today.
NOTICE FOR INTERNAL APPLICANTS
In accordance with Managers' Policy - Job Posting and Employee Placement, all employees subject to this policy are required to have a minimum of twelve (12) months of service in current position prior to applying for open positions.
If you have been offered a separation benefits package, but have not yet reached your separation date and are offered a position within the salary and geographical parameters as set forth in the Summary Plan Description (SPD) of your separation package, then you are no longer eligible for your separation benefits package. To discuss in more detail, please contact your HRBP or Talent Acquisition Advisor.
US and Puerto Rico Residents Only:
Our company is committed to inclusion, ensuring that candidates can engage in a hiring process that exhibits their true capabilities. Please click here if you need an accommodation during the application or hiring process.
For more information about personal rights under Equal Employment Opportunity, visit:
EEOC Poster
EEOC GINA Supplement
OFCCP EEO Supplement
Pay Transparency Nondiscrimination
We are proud to be a company that embraces the value of bringing diverse, talented, and committed people together. The fastest way to breakthrough innovation is when diverse ideas come together in an inclusive environment. We encourage our colleagues to respectfully challenge one another's thinking and approach problems collectively. We are an equal opportunity employer, committed to fostering an inclusive and diverse workplace.
Search Firm Representatives Please Read Carefully
Merck & Co., Inc., Rahway, NJ, USA, also known as Merck Sharp & Dohme LLC, Rahway, NJ, USA, does not accept unsolicited assistance from search firms for employment opportunities. All CVs / resumes submitted by search firms to any employee at our company without a valid written search agreement in place for this position will be deemed the sole property of our company. No fee will be paid in the event a candidate is hired by our company as a result of an agency referral where no pre-existing agreement is in place. Where agency agreements are in place, introductions are position specific. Please, no phone calls or emails.
Employee Status: Regular
Relocation: Domestic/International
VISA Sponsorship: Yes
Travel Requirements: 25%
Flexible Work Arrangements: Not Specified
Shift: Not Indicated
Valid Driving License: No
Hazardous Material(s):
Number of Openings: 1
Requisition ID: R173958


Technology we use

  • Engineering
    • Languages: C#, C++, Golang, Java, JavaScript, Kotlin, Perl, PHP, Python, R, Ruby, Scala, SQL, Swift, TypeScript
    • Libraries: D3JS, Flux, jQuery, jQuery UI, Modernizr, Parse, React, Redux, Twitter Bootstrap, Zepto
    • Frameworks: ASP.NET, Backbone.js, Caffe, CakePHP, CircleCI, CodeIgniter, Django, Ember.js, Express, Flask, Flex, Hadoop, Jest, JSF, Jupyter, Laravel, Meteor, Node.js, Play, Playwright, Ruby on Rails, Sails.js, Spark, Spring, Symfony, TensorFlow, Theano, Torch, Vue.js, Zend
    • Databases: Access, Cassandra, DB2, FileMaker, HBase, Hive, Informix, MariaDB, Memcached, Microsoft SQL Server, MongoDB, MySQL, Neo4j, Oracle, PostgreSQL, Redis, SAP HANA, Snowflake, SQLite, Teradata

What are Merck Perks + Benefits

Merck Benefits Overview

Our commitment to you
We promise a Merck experience based on a foundation of…
Culture
We are committed to fostering an environment where all colleagues feel welcomed, respected and valued.
Responsibility
We are committed to tackling the world’s biggest health challenges by discovering better ways to make a difference in everything we do.
Career development
We are committed to encouraging professional career development that aligns to our business strategy.
Rewards
We are committed to offering plans, programs and resources that provide you and your family what you need, when you need it.

Culture

  • Volunteer in local community
  • Partners with nonprofits
  • Open door policy
  • OKR operational model
  • Team based strategic planning
  • Open office floor plan
  • Employee resource groups
  • Flexible work schedule
  • Remote work program


Diversity

  • Documented equal pay policy
  • Dedicated diversity and inclusion staff
  • Mandated unconscious bias training
  • Diversity employee resource groups
  • Hiring practices that promote diversity


Health Insurance & Wellness Benefits

  • Flexible Spending Account (FSA)
  • Disability insurance
  • Dental insurance
  • Vision insurance
  • Health insurance
  • Life insurance
  • Pet insurance
  • Wellness programs
  • Team workouts
  • Mental health benefits
  • Transgender health care benefits


Financial & Retirement

  • 401(K)
  • 401(K) matching
  • Company equity
  • Performance bonus
  • Charitable contribution matching
  • Pension


Child Care & Parental Leave Benefits

  • Childcare benefits
  • Generous parental leave
  • Family medical leave
  • Adoption Assistance
  • Return-to-work program post parental leave
  • Company sponsored family events
  • Fertility benefits


Vacation & Time Off Benefits

  • Generous PTO
  • Paid volunteer time
  • Sabbatical
  • Paid holidays
  • Paid sick days
  • Flexible time off
  • Bereavement leave benefits
  • Company-wide vacation


Office Perks

  • Commuter benefits
  • Company-sponsored outings
  • Onsite office parking
  • Recreational clubs
  • Relocation assistance
  • Fitness stipend
  • Home-office stipend for remote employees
  • Onsite gym


Professional Development Benefits

  • Job training & conferences
  • Tuition reimbursement
  • Lunch and learns
  • Promote from within
  • Mentorship program
  • Continuing education stipend
  • Continuing education available during work hours
  • Online course subscriptions available
  • Customized development tracks
  • Virtual coaching services
