Senior Director- Global Cyber Compliance

Job Overview:

Lilly Cybersecurity is seeking a Senior Director of Global Cyber Compliance to lead the transformation of our compliance function into a high-performing, AI-enabled, risk-responsive program that measurably reduces regulatory risk across Lilly's global technology environment. This leader owns strategy and execution across a complex, multi-framework regulatory landscape—including FDA 21 CFR Part 11, GxP, NIS2, ISO 27001, SOC 2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI governance requirements—while ensuring every compliance decision is anchored to Lilly's threat-based cyber program.

The successful candidate brings the technical credibility to challenge the status quo, the platform acumen to automate compliance at scale through LogicGate Risk Cloud and AI-augmented workflows, the operational leadership to build and develop a global compliance team, and the communication skills to translate complex compliance posture into clear business language for boards, regulators, and senior leadership alike.

Four converging forces demand compliance leadership in global pharma:

• Regulatory acceleration — NIS2, FDA cybersecurity guidance for digital health and manufacturing, the CCPA Cybersecurity Audit Rule, the DoJ Data Rule, Chinese regulations (PIPL/CSL/DSL), and emerging AI governance mandates are creating a multi-jurisdictional compliance surface that legacy, manual processes cannot scale to address.
• Threat landscape maturity — Pharma IP, clinical trial data, OT/manufacturing systems, and drug supply chains are high-value adversary targets. Compliance not anchored to threats creates false assurance and misallocates resources.
• AI and automation imperative — Manual evidence collection, spreadsheet-based control tracking, and static policy inventories are operationally unsustainable. The next-generation compliance function requires AI-augmented workflows, automated control testing, and intelligent risk quantification delivered through a modern GRC platform.
• Global scale and complexity — Lilly's operating footprint spans EU, US, and APAC regulatory regimes simultaneously. A single-jurisdiction compliance mindset is insufficient; this role requires an strong leader who can orchestrate compliance across manufacturing, research, and commercial technology environments at global scale.

What You Will Be Doing:

Global Compliance Strategy & Program Ownership

• Define and own the global cyber compliance program, establishing a clear approach that transitions the function from reactionary audits and inspections toward continuous, risk-responsive, program-aligned assurance.
• Set the vision and drive execution for AI, automation and GRC platform capabilities to accelerate compliance delivery, reduce manual overhead, and improve compliance outcomes.
• Own and evolve Lilly's multi-framework compliance program spanning FDA 21 CFR Part 11, GxP, ISO 27001, SOC 2, NIS2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI/ML governance requirements across global manufacturing, research, and commercial technology environments.
• Develop scope definitions for security controls and regulatory requirements that reduce task-driven overhead through technical innovation including AI and automation.

Regulatory Engagement & Inspection Readiness

• Maintain a current-state, executive-ready view of how Lilly's cyber control environment satisfies each applicable regulatory framework, clearly mapping satisfied obligations and characterizing gaps with meaningful regulatory risk analysis.
• Drive effort to build and sustain inspection-ready documentation, evidence packages, and response protocols enabling confident engagement with authorities, ISO auditors, and other regulators globally with minimal lead time.
• Develop deep working knowledge of how relevant regulatory bodies operate—their inspection methodologies, documentation expectations, finding classification frameworks, and how cyber evidence is evaluated, so preparation is proactive rather than reactive.
• Translate regulatory gap analysis into prioritized, risk-ranked remediation roadmaps that leadership can act on, with clear articulation of residual risk where full remediation is not immediately feasible.
• Serve as Lilly's primary internal and external subject-matter authority on cyber regulatory interpretation, advising program teams, platform owners, and business leaders on how new initiatives or technology changes affect compliance posture.

GRC Platform & AI-Enabled Compliance

• Serve as the service owner for the LogicGate Risk Cloud compliance module, driving object hierarchy design, workflow automation, integration architecture, and adoption.
• Champion and deliver AI-augmented compliance capabilities including policy intelligence, automated evidence collection, and natural language advisory tooling that enables teams to self-serve compliance guidance at speed.
• Define the target state for compliance automation: continuous control testing, automated regulatory change monitoring, and real-time risk dashboards replacing manual audit cycles.

Process Optimization & Data Operations

• Design and implement lightweight, scalable compliance processes that eliminate bottlenecks and drive operational efficiency across security and compliance functions.
• Build and oversee data pipelines that consolidate compliance, security, and operational metrics from diverse sources into actionable, executive-ready reporting.
• Develop predictive analytics capabilities that forecast compliance risk, resource requirements, and audit readiness posture.
• Implement data governance frameworks ensuring compliance data quality, consistency, and accessibility across global security operations.

Cybersecurity Control Optimization

• Apply knowledge of Lilly's cyber control environment and established frameworks to validate that control design satisfies applicable regulatory requirements.
• Own and mature exception management processes, documenting control intensity adjustments based on validated compensating controls, risk context, and business justification.
• Collaborate with Cyber service areas including Programs, Platforms, Operations, and M&A Cyber Integration to embed compliance into security operations rather than treating it as a parallel track.

Communication & Strategic Influence

• Define and own outcome-based regulatory effectiveness, operational efficiency, and program maturity, replacing activity metrics with measures that demonstrate business value.
• Communicate compliance posture, regulatory trends, and program effectiveness to executive cyber leadership in clear, concise language.
• Represent Lilly Cybersecurity's compliance function in cross-functional forums and external regulatory interactions, building trust and credibility with partners across Legal, Quality, Finance, and the business.

Team Leadership & Organizational Development

• Define team structure, roles, and operating model to support delivery across multiple concurrent regulatory frameworks and geographies.
• Drive cross-functional alignment with Legal, Quality, Privacy, Internal Audit, and Regulatory Affairs—ensuring compliance activities are integrated, non-duplicative, and defensible under regulatory and third-party scrutiny.

How You Will Succeed:

• Own the view — you maintain a clear, current-state map of which regulatory obligations are satisfied by existing controls and where gaps require attention, so leadership is never surprised by an audit finding or regulatory inquiry.
• Lead through transformation — you move the compliance function from reactive and manual to proactive, automated, and data-driven, with measurable gains in efficiency and regulatory quality.
• Build the team — you hire, develop, and retain compliance talent who grow their regulatory expertise, earn stakeholder trust, and deliver outcomes beyond their individual scope.
• Drive platform adoption — LogicGate Risk Cloud becomes the system of record for compliance, with teams self-serving compliance data and manual processes deprecated.
• Lead with data — you replace activity-based reporting with outcome-based KPIs that demonstrate regulatory effectiveness and operational efficiency in business terms.
• Build trust across the enterprise — Legal, Quality, Audit, and business stakeholders see Cyber Compliance as a strategic partner that enables speed, not a gatekeeping function that creates friction.
• Stay ahead globally — NIS2, FDA cyber guidance, AI governance, DoJ Bulk Data Rule, PIPL/CSL/DSL, and other emerging requirements are anticipated and addressed proactively before they become reactive remediation efforts.

Your Basic Qualifications:

• Bachelor's degree in Information Security, Computer Science, Risk Management, Operations Research, or related field
• 12+ years of progressive experience in cybersecurity compliance, risk management, GRC, or data operations roles within complex, global technology environments.
• Experience designing and operating multi-framework compliance programs that prioritize controls based on risk rather than static regulatory checklists.
• Hands-on experience implementing or operating a modern GRC platform (LogicGate, ServiceNow GRC, Archer, or equivalent) at enterprise scale.
• Experience in highly regulated, multinational environments with demonstrated regulatory engagement, inspection support, and audit management success (FDA, EMA, ISO, NIS2, or equivalent).
• Qualified applicants must be authorized to work in the United States on a full-time basis. Lilly will not provide support for or sponsor work authorization or visas for this role, including but not limited to F-1 CPT, F-1 OPT, F-1 STEM OPT, J-1, H-1B, TN, O-1, E-3, H-1B1, or L-1.

Certifications (Required or Expected Within 12 Months)

• One or more of the following certifications required or to be obtained within 12 months of hire: CISSP, CISA, CRISC, CISM, or equivalent advanced cybersecurity certification.

What You Should Bring/ Preferred Qualifications:

• Advanced degree (MBA, MS) in a relevant field preferred.
• Working knowledge of how FDA, EMA, NIS2 competent authorities, and ISO certification bodies conduct cybersecurity-related inspections—including documentation expectations, finding classification, and evidence evaluation criteria
• Demonstrated track record transforming a compliance function from reactive and manual to proactive, AI-augmented, and platform-enabled—with measurable efficiency and quality improvements
• Experience performing structured regulatory gap analysis: mapping existing control environments to regulatory requirements, quantifying residual risk, and communicating findings to executive audiences
• Experience operating in multinational pharma, medtech, or life sciences environments across EU, US, and APAC regulatory regimes concurrently
• Familiarity with GxP computer system validation (CSV), 21 CFR Part 11 electronic records/signatures, and audit trail requirements in pharmaceutical or life sciences technology contexts
• Track record of building and presenting executive-ready compliance risk dashboards and reporting
• Knowledge of cybersecurity frameworks and their application to control design and regulatory mapping
• Experience with M&A cybersecurity due diligence and integrating compliance programs across acquired entities at global scale
• Experience with AI/ML governance frameworks and AI risk management (NIST AI RMF, EU AI Act implications for pharma)
• Proven ability to build, develop, and retain high-performing compliance teams—including coaching members through their first regulatory engagement or audit cycle
• Proficiency with GRC automation, workflow configuration, and compliance-as-code concepts; experience with LogicGate Risk Cloud a strong plus
• Advanced proficiency in data analytics tools (Python, R, SQL, Tableau, Power BI) and experience building automated reporting pipelines
• Understanding of OT/ICS security (NIST 800-82, IEC 62443) in pharmaceutical manufacturing or critical infrastructure contexts
• Experience with workflow automation platforms and data pipeline technologies in a compliance or security operations context
• Familiarity with third-party risk management, vendor security assessment programs, and supply chain compliance considerations
• Familiarity with AI self-service advisory tooling or cybersecurity chatbot capabilities in a compliance context