Key Responsibilities:

• Define and lead BMS's enterpriseData Risk and Protection strategy, aligned to the company's risk appetite, regulatory requirements, and broader cybersecurity strategy.
• Design and implement theData Risk and Protection operating model & engagement, including team structure, roles and responsibilities, process workflows, tooling stack, and an integrated engagement model with Cybersecurity Fusion Center, Legal, HR, Compliance, Audit, and key Business Units.
• Establish, maintain, and continuously evolve a comprehensiveData Risk & Protection program, encompassing policy governance, use-case development, monitoring, detection, response, and remediation.
• Develop and execute amulti-year capability roadmapwith clear priorities, milestones, measurable KPIs, and outcome-based risk reduction metrics.
• Lead the scaling and maturation of the Data Risk & Protection function, building specialist capabilities and fostering a high-performing team.
• Provide regular program status reporting and risk posture updates to senior leadership, governance bodies.

Inside Risk & Threat Analysis:

• Establish and operationalizeinsider threat monitoring and behavioral analytics capabilitiesto improve visibility and enable timely response.
• Define and maintaininsider threat personas, use cases, and detection scenarios(e.g., intellectual property theft, clinical trial data exfiltration, fraud, sabotage, negligent data leakage, Generative AI misuse), informed by threat intelligence, business context, and prior incident trends.
• Collaborate with technical teams to design, operate, and continuously refinemonitoring and analytics capabilities, including UEBA, DLP, CASB, endpoint and identity telemetry, cloud security monitoring, and privileged access monitoring, with a focus on improving detection coverage and reducing false positives.
• Oversee theend-to-end insider risk case lifecycle, from alert generation through triage, investigation, response, closure, and lessons learned, coordinating across Cybersecurity Fusion Center, HR, Legal, Compliance, Corporate Security, and Business Units.
• Ensuretimely and proportionate incident responses, applying a risk-based methodology that distinguishes between malicious, negligent, and compromised actors, and driving root-cause analysis to strengthen controls and processes.
• Assess andmitigate data risks associated with Generative AI and emerging technologies, including data leakage via AI tools, model misuse, shadow AI adoption, and unapproved application usage.

Data Loss Prevention (DLP) & Information Protection

• Lead the strategy, design, and operational management of BMS'senterprise DLP program across endpoints, email, cloud, and collaboration platforms (e.g., Microsoft 365, Teams, SharePoint, Copilot, AWS, Google Cloud etc).
• Define and governdata classification policies and standards, ensuring sensitive BMS data including clinical trial data, intellectual property, PII, and regulated data is appropriately labelled, handled, and protected.
• Drive continuoustuning, optimization, and lifecycle managementof DLP rules, policies, and controls to improve accuracy, reduce operational burden, and align with evolving business needs.
• Partner with IT Security Architecture and Engineering teams to ensuredata protection controls are embeddedinto infrastructure, application development, and cloud adoption workflows.
• Establishmetrics and dashboardsto track DLP program effectiveness, data exposure trends, policy violations, and remediation outcomes, and report regularly to senior leadership.

Policy, Governance, Assurance & Culture

• Develop, review, and maintaindata risk and protection policies, standards, and guidelines(e.g., acceptable use, data handling, monitoring, GenAI usage) in close collaboration with Legal, HR, Compliance, and Privacy teams.
• Establish clearescalation paths, decision rights, and documentation standardsfor data-related incidents and insider risk cases, ensuring all activities comply with applicable laws, regulations, and internal policies particularly around privacy, data protection, and employment practices.
• Lead or supportinternal assurance and audit activitieson data risk and protection as directed by the Audit Committee and senior management, including targeted reviews, thematic risk assessments, and deep-dive investigations into control effectiveness.
• Build strong relationships with stakeholders across BMS, and design targeted awareness, education, and training on data protection, insider risk, and responsible use of Generative AI tools, tailored to different roles and risk profiles.
• Foster a culture oftrust, accountability, and security-conscious behavior, balancing deterrence with transparency, and represent BMS in relevant external forums, regulatory engagements, and peer networks to leverage industry best practices.

Qualifications:

Education

• Bachelor's degree requiredin Computer Science, Information Systems, Cybersecurity, Risk Management, Law, Business Administration, or a related discipline.
• Advanced degree (Master's or equivalent) preferred.

Certifications

Relevant professional certifications are strongly preferred, including but not limited to:

• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)
• CISA (Certified Information Systems Auditor)
• CRISC (Certified in Risk and Information Systems Control)
• CDPSE (Certified Data Privacy Solutions Engineer)
• CFE (Certified Fraud Examiner) or equivalent risk/investigation credentials

Experience & Skills

• 10+ years of progressive experiencein cybersecurity, data risk management, insider risk, information protection, security operations, or related disciplines, with demonstrated experience designing and leading complex, enterprise-scale security or risk programs in large, matrixed organizations preferably in thepharmaceutical, life sciences, or highly regulated industrysector.
• Demonstrable experiencein data loss prevention (DLP), insider threat management, user and entity behavior analytics, or security investigations, including hands-on program ownership in a large enterprise environment.
• Strong technical fluencyin tools and platforms commonly used in data risk and protection programs, including:
  • SIEM, UEBA, DLP, EDR/XDR, CASB(e.g., Microsoft Purview, Symantec DLP, Varonis, Securonix, CrowdStrike, Zscaler, Cisco etc)
  • Identity & Access Management (IAM)andPrivileged Access Management (PAM)
  • Cloud security platforms(Microsoft 365 Security, Azure, AWS) and collaboration security tools
• Familiarity with legal, privacy, employment, and ethical considerationsrelating to employee monitoring, data protection, cross-border data transfers, and applicable regulations (e.g., GDPR, CCPA, HIPAA); prior experience working closely with Legal, HR, and Compliance is required.
• Proven ability tobuild, lead, and scale a multidisciplinary, high-performing organization, including recruiting and developing top talent, defining team operating models, establishing governance frameworks, and driving measurable outcomes through clear performance metrics.
• Experience leading or overseeing complex investigations, including cross-functional coordination with HR, Legal, Compliance, Corporate Security, and, where relevant, external counsel or law enforcement.
• Strong data-driven analytical and problem-solving skills, with demonstrated experience using metrics, dashboards, and risk data to drive decisions, measure program impact, and identify improvements.
• Excellent communication, influencing, and stakeholder management skills, with experience presenting to senior management, governance bodies, and, ideally, Audit Committees or Boards of Directors.
• Ability to balance security, privacy, cultural, and operational considerationsin a pragmatic, risk-based manner appropriate to a global pharmaceutical organization.
• High level of integrity, discretion, and professional judgement, with demonstrated ability to handle sensitive, confidential, and legally privileged information with the utmost care.