KBI Biopharma

Director, IT Cybersecurity

Posted 17 Days Ago
In-Office or Remote
3 Locations
Expert/Leader
The Director of Cybersecurity is responsible for implementing security strategies, managing global cybersecurity teams, and ensuring organizational protection against threats and vulnerabilities.
The summary above was generated by AI

Job Description Summary: The Director of Cybersecurity within Information Technology is entrusted with the crucial task of safeguarding our global IT infrastructure from potential threats and vulnerabilities. Holding a senior position, this role has the responsibility of strategically implementing and managing security tools, policies, and processes to effectively reduce organizational risk. With a global team and responsibilities that span both on-prem and cloud infrastructures, the Director ensures that the organization is always prepared to detect, respond to, and recover from any cybersecurity events.

 

Education:

·         Bachelor’s degree in Information Technology, Cybersecurity, Computer Science, or a related field. A Master's degree is preferred.

·         Relevant certifications such as CISSP, CISM, CISA, or related credentials are beneficial.

 

Skills and Experience:

·         Minimum of 10 years in IT security roles, with at least 5 years in a leadership capacity.

·         Proven experience in managing and leading global IT security teams.

·         Deep understanding of current cybersecurity threats, technologies, and best practices.

·         Familiarity with both on-prem and cloud-based security architectures and solutions.

·         Proven track record of implementing security tools, policies, and processes to effectively mitigate risks.

·         Strong experience in incident response planning and execution.

·         The ideal candidate will have detailed experience working within a CDMO, Pharmaceutical or Biopharma, or relevant manufacturing industry.

 

Impact

·         Safeguards IP, CDMO proprietary processes, client data & regulated workflows

·         Ensures resilience against cyber threats that could disrupt manufacturing batches, client timelines or regulatory filings

·         Ensures secure collaboration with clients & 3rd-party vendors, building trust & supporting sales where cybersecurity posture is a client selection factor

 

Duties and Responsibilities:

·         Develop & lead comprehensive cybersecurity strategy aligned with business & compliance objectives including protection of digital assets, customer data, batch records & manufacturing IT/OT systems

·         Serve as primary advisor to senior leadership on digital risk, incident response, and regulatory obligations

·         Oversee risk management processes, conduct regular system vulnerability assessments & ensure BC/DR 

·         Ensure all CDMO workflows are protected including technology & data interfaces through coordinated governance and secure vendor management

·         Develop, implement, and maintain a strategic cybersecurity roadmap that addresses current and future threat landscapes.

·         Oversee the deployment and management of security tools, ensuring optimal configuration for detection, monitoring, and response to threats.

·         Establish and enforce security policies and procedures that protect the organization from potential threats without impeding business operations.

·         Collaborate with other IT and business leaders to ensure a holistic, integrated approach to security throughout the organization.

·         Lead incident response efforts, ensuring timely detection, mitigation, and recovery from security events.

·         Regularly review and assess security infrastructure, making recommendations for enhancements or changes.

·         Manage the financial aspects of the IT security function, including budgeting, forecasting, and strategic investments.

·         Lead cybersecurity training & awareness programs and promote a culture of security awareness throughout the organization, ensuring that staff is educated on the importance of cybersecurity and their role in maintaining it.

 

Key Competencies:

·         Strategic Leadership: Ability to set, drive, and execute a comprehensive IT security vision in alignment with organizational objectives.

·         Risk Management: Deep understanding of organizational risk and the ability to make informed decisions to minimize potential threats.

·         Technical Proficiency: Staying updated on the latest cybersecurity technologies, threats, and best practices.

·         Incident Management: Skills in leading the response to security incidents, ensuring timely detection, mitigation, and recovery.

·         Stakeholder Engagement: Building relationships with other leaders and teams to foster a collaborative approach to security.

·         Policy and Process Design: Ability to create and implement effective security policies and procedures.

·         Team Management: Proven ability in leading, motivating, and managing large, diverse global teams.

·         Communication: Exceptional verbal and written communication skills, with the ability to convey security concepts to a broad audience, from end-user communications to Executive-level briefings.


Key Deliverables:

·         Information Security Strategy & Roadmap: A multi-year Information Security Strategy that includes vision, goals, key initiatives, timelines, alignment with business objectives updated annually or as business strategy changes

·         Information Security Policies and Standards: A Security Policy Framework that includes Information Security Policy, Acceptable Use Policy, Access Control Policy, Data Classification & Handling Policy, Incident Response Policy, Vendor Security Policy updated annually or with regulatory/tech changes

·         Risk Assessment & Risk Register:  Creation and maintenance of an Enterprise Risk Assessment Report that includes identified risks, risk ratings, mitigation plans, and residual risk, updated quarterly or bi-annually

·         Security Metrics and Dashboards:  Develop and maintain a Security KPIs/KRIs Report that includes, at a minimum, incident response times, phishing simulation results, patch management stats, and vulnerability remediation timelines, updated monthly for an Executive target audience.

·         Incident Response Plan (IRP):  Develop and maintain a formal IRP Document that includes procedures for detection, containment, eradication, recovery, and lessons learned and defines Roles, responsibilities, communication plans.  The plan should be updated annually or after each major incident and tested at least annually.

·         Security Awareness & Training Program:  Create and maintain an Annual Security Awareness Plan that includes training modules, Phishing campaigns, Metrics/reporting measured by completion rates, assessment scores, simulated phishing response

·         Business Continuity & Disaster Recovery (BC/DR) Security Input: Ensure that all Security Requirements are defined and addressed in BC/DR Plans including security controls during recovery

·         Security Architecture and Technical Standards:  Develop and maintain a Security Architecture Blueprint that includes secure design principles, approved technologies, reference architectures, cloud security controls, network segmentation, encryption standards

·         Third-Party / Vendor Risk Assessments:  Lead Vendor Security Assessments and Reporting including the initial and ongoing assessments of vendors’ security postures

·         Compliance & Audit Assessments and Reports:  Act as primary point of contact for all security related Compliance Audit Assessments and Reports including evidence of compliance (e.g., ISO 27001, SOC 2, HIPAA, PCI-DSS) and findings and remediations

·         Security Budget & Resource Plan:  Develop and present an Annual Security Budget Proposal that includes staffing, tools, training, services, projects

·         Security Maturity Assessment:  Adopt and leverage a standard security maturity assessment framework to measure progress over time of our Cybersecurity posture (e.g., using NIST, CSF, or CIS Controls)

KBI Biopharma, Inc. is an EEO/AA employer and actively seeks to diversify its work force. Therefore, all qualified applicants, regardless of race, color, national origin, religion, gender, gender identity, sexual orientation, age, disability or veteran status, are strongly encouraged to apply.

I understand that neither the completion of this application nor any other part of my consideration for employment establishes any obligation for KBI Biopharma, Inc. to hire me. If I am hired, I understand that either KBI Biopharma, Inc. or I can terminate my employment at any time and for any reason, with or without cause and without prior notice. I understand that no representative of KBI Biopharma, Inc. has the authority to make any assurance to the contrary.

I attest with my signature below that I have given to KBI Biopharma, Inc. true and complete information on this application. No requested information has been concealed. I authorize KBI Biopharma, Inc. to contact references provided for employment reference checks. If any information I have provided is untrue, or if I have concealed material information, I understand that this will constitute cause for the denial of employment or immediate dismissal.

Top Skills

CISA
CISM
CISSP
Cloud Computing
Cybersecurity
Information Technology
