Genentech

Program Lead, Third Party Risk and Resilience Management

Genentech
$106K — $197K *
Pharmaceuticals & Biotech
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor’s or advanced degree in Computer Science, Information Security, or related field
  • 8 years in IT/R&D environments
  • 5 years managing large-scale Offshore Development Centers (ODCs) or captive centers
  • Experience with Roche or similar organization's IT Security standards and compliance frameworks
  • Strong understanding of compliance, including GDPR and CCPA
  • Experience with regulatory frameworks like GxP and ISO 27001
  • Background in network infrastructure and security
  • Familiarity with virtual environments and IT Service Management tools

Responsibilities

  • Establish a governance framework for Offshore Development Centers (ODCs)
  • Coordinate vendor compliance with Roche Security standards during ODC setup
  • Conduct Security Risk Assessments and Data Classification Reviews
  • Manage and update ODC Manuals and Security Control Tables
  • Oversee training compliance for external personnel and enforce security protocols
  • Track and remediate audit findings and security incidents
  • Facilitate vendor onboarding and performance monitoring

Benefits

  • Professional development opportunities
  • Access to comprehensive health and wellness benefits
  • Flexible work arrangements
  • Supportive work environment that promotes work-life balance
  • Participation in company bonus programs
Full Job Description

The Position

A healthier future. It’s what drives us to innovate. To continuously advance science and ensure everyone has access to the healthcare they need today and for generations to come. Creating a world where we all have more time with the people we love. That’s what makes us Roche.

The Program Lead for Third Party Risk and Resilience Management establishes and maintains a robust governance framework for all Offshore Development Centers (ODCs), bridging R&D innovation requirements with Global IT security, infrastructure, and compliance standards. This leader ensures ODCs function as strategic extensions of Roche's R&D engine while maintaining zero major IT compliance breaches, and guides vendors during ODC setup to ensure full compliance with Roche Security standards.

This role is accountable for:

  • Compliance of all ODC setups and ongoing operations
  • Alignment on scope, methodologies, and processes at the nexus of the R&D organization, Global Procurement, and IT
  • Elimination of governance gaps and friction points between R&D and IT
  • Implementation of a standardized, global ODC management framework across business units
  • Security risks, incidents, and incident/change/problem management processes at ODC sites
  • Strategic positioning of ODCs as value creators rather than cost centers

The Opportunity

  • Determine ODC necessity based on country risk and data sensitivity 

  • Initiate new ODC setups, coordinate vendor office space establishment, and guide vendors on Roche Security standards

  • Conduct Security Risk Assessment (SRA) and Data Classification Review (DCR) for all services and applications 

  • Identify services unsuitable for external business partners and escalate to product/service owners or DSM for remediation 

  • Create, review, and maintain ODC Manuals, Impact Assessments, and Security Control Tables 

  • Periodically review and update impact assessment documents to remove retired services 

  • Ensure compliance with legal requirements (GDPR, CCPA) and Roche security protocols 

  • Act as the owner for role-specific training curricula

  • Ensure training compliance for all external personnel by verifying mandatory security and role-specific requirements are met prior to system access.

  • Accountable for the systematic tracking and enforcement of training completion for vendor resources, leveraging the Roche Training Solution system

  • Approve all ODC changes including staff assignments, project onboarding, and service modifications 

  • Manage ServiceNow requests for infrastructure (NAS storage, VD/VDI creation/updates, application packaging) 

  • Identify VSA requirements and maintain vendor security/privacy capabilities throughout ODC lifecycle 

  • Ensure security audits completed prior to service commencement and conduct periodic audits 

  • Conduct assessments when major changes occur (new projects with higher security needs)

  • Track and remediate audit findings with vendors

  • Ensure mandatory notifications are formally integrated into processes (e.g., GSP) for all new vendor collaborations

  • Coordinate dedicated VDI planning with Citrix when default environments cannot support daily tasks 

  • Optimize virtual desktop and application virtualization to reduce VDI requirements 

  • Manage port opening for DIA, RDI, VDIs, and coordinate VDI creation 

  • Collaborate with Network, Perimeter, and Citrix teams on connectivity and URL whitelisting 

  • Ensure Business Partner Organization (BPO) approvals for applications, systems, URLs, RDP/SSH access 

  • Populate and verify application inventories, URLs, and RDP/SSH server lists for Smart Web and virtual environments 

  • Add users to ODC groups and implement access restrictions or policies as required 

  • Lead ODC Security Incident Management with timely identification, escalation, and resolution 

  • Promptly escalate security incidents to Roche IT Security Governance 

  • Maintain incident, change, and problem management processes across all ODC operations 

  • Participate in security audits and ensure all identified gaps are promptly closed 

  • Regular evaluation of ODC setups for necessary updates 

  • Document audit findings and track remediation to completion

  • Ensure execution of Business Continuity Plans and maintain disaster recovery readiness

  • Coordinate vendor selection, onboarding, and performance monitoring of strategic offshore partners 

  • Work with vendor ODC managers and PICs on service/project onboarding and offboarding 

  • Review periodic ODC compliance reports and resolve conflicts/issues related to readiness 

  • Manage ODC user onboarding, offboarding, travel requests, and work-from-home (teleworking) approvals 

  • Collaborate with vendors and delivery teams on project details and application access requirements 

  • Oversee ODC decommissioning with proper data handling, access revocation, and infrastructure cleanup 

  • Provide guidance on virtual desktop, application, and network challenges 

  • Participate in technical discussions on Citrix, network infrastructure (WAN, firewalls, clients), security, risk, and governance 

  • Coordinate across Vendor ODC managers, Roche IT Security, Network, Perimeter, Citrix, and application teams 

  • Address ad-hoc requests and ODC challenges with quality and compliance focus 

  • Translate complex technical requirements; articulate constraints and propose viable alternatives 

Who You Are:

  • You have a Bachelor’s or Advanced degree in a technical or business discipline (Computer Science, Information Security, or related field)

  • You have 8 years in IT/R&D environments

  • You have 5 years managing large-scale ODCs or captive centers

  • You have experience with the IT Security standards and compliance frameworks of Roche (or another large organization within a highly regulated industry)

  • You have strong compliance understanding to identify and mitigate risks; knowledge of GDPR, CCPA, and data privacy standards 

  • You have experience with regulatory frameworks (GxP, ISO 27001) and audit requirements

  • You have experience with risk assessment methodologies and vendor security evaluation

  • You have a background in connectivity / network infrastructure: IT networks, cabling, switches, routers, WAN, firewalls 

  • You have experience with virtual environments: VDI, Citrix platforms, and application virtualization

  • You have IT operations knowledge: thin/thick clients, servers, and technical documentation; ServiceNow and IT Service Management tools

  • You are familiar with cloud infrastructure (AWS/Azure), DevOps and enterprise security frameworks

  • You have experience with ISMS & ITSM implementation and best practices

  • You have incident management and problem resolution experience

  • You have a deep understanding of Software Development Lifecycle (SDLC) and R&D workflows 

  • You have experience with outsourcing engagement models and service delivery operations

  • You have knowledge of pharmaceutical industry standards and R&D innovation processes (or those of another large organization within a highly regulated industry)

Preferred Qualifications: 

  • You have professional security or risk management credentials, such as CISSP, CISM, CRISC, or equivalent

Relocation benefits are not available for this posting

The expected salary range for this position based on the primary location of Tucson, AZ is 106,400-197,600.  Actual pay will be determined based on experience, qualifications, geographic location, and other job-related factors permitted by law.  A discretionary annual bonus may be available based on individual and Company performance.  

This position also qualifies for the benefits detailed at the link provided below.


About Genentech

Genentech is a biotechnology company that develops and manufactures drugs for the treatment of serious medical conditions. The company was founded in 1976 and is headquartered in South San Francisco, California. Genentech's products include treatments for cancer, multiple sclerosis, and other diseases. The company is a subsidiary of Roche, a Swiss pharmaceutical company. Genentech has been recognized for its innovative research and development, and has received numerous awards for its contributions to the biotechnology industry.
Size: 14,000 employees
Industry: Pharmaceuticals & Biotech
Founded: 1976
