Introduction to role:
Are you ready to build the trust layer that powers AI-native development and life-changing science? This role turns secure software into a strategic advantage, ensuring that every application we build, buy, or run is safe, resilient, and provably credible.
As Senior Director, Software Assurance, you will lead a global transformation that embeds secure-by-design practices across our engineering ecosystem, from cloud-native and AI-enabled platforms to validated systems supporting critical business operations. Your work will protect patients and science by reducing enterprise risk, accelerating delivery, and enabling teams to innovate confidently.
Based in the US with up to 20% travel, you will partner with senior technology and business leaders to align software assurance to enterprise risk appetite and measurable outcomes. Can you turn strategy into adoption at scale and deliver demonstrable risk reduction that executives and regulators trust?
Accountabilities:
Strategy and Programme Ownership: Define and be responsible for the enterprise Software Assurance strategy with an 18-24 month execution roadmap and 3-5 year capability targets; drive the evolution of secure-by-design across the full SDLC for both internal and third-party software, aligned to long-term technology and trust objectives.
DevSecOps Enablement and Paved Path Adoption: Integrate security controls, automated scanning, and policy enforcement into CI/CD workflows; mature the Paved Path pipeline so the secure default is also the fastest path to production, raising engineering productivity while reducing risk.
Tooling Leadership and Automation at Scale: Champion and oversee SAST, DAST, SCA, secrets detection, IaC scanning, SBOM generation, and provenance enforcement using platforms such as GitHub Advanced Security, Snyk (Code and Open Source), SonarQube, Burp Suite Enterprise, OWASP ZAP, AWS Inspector, GitGuardian, Checkov, Wiz IaC, tfsec, FOSSA, and Sigstore/SLSA; guide adoption of AI-assisted development and code review with services such as AWS Kiro.
Supply Chain Integrity and Third-Party Assurance: Establish dependency governance, artifact signing, package registry controls, and vendor assurance requirements; extend SBOM and provenance standards across build, deploy, and runtime to defend against supply chain compromise.
Vulnerability Management and Risk Prioritisation: Oversee enterprise vulnerability management for software assets, focusing on exploitability, asset criticality, and business impact; ensure rapid remediation pathways and durable fixes tied to root cause elimination.
Regulatory and Validated Systems Assurance: Ensure robust security assurance for GxP/validated systems, maintaining compliance with FDA 21 CFR Part 11, EMA Annex 11, and related expectations; be audit-ready with evidence-led controls and end-to-end traceability.
Governance, Metrics, and Executive Reporting: Operate a risk and performance framework that provides clear, actionable posture views; brief senior leadership with metrics that show trend, coverage, and outcomes; direct capital allocation for platforms, tooling, and talent.
Incident Leadership and Continuous Improvement: Lead software security incident response and post-incident reviews, driving systemic improvements into standards, tooling, and operating models to prevent recurrence.
Supplier and Ecosystem Management: Own strategic vendor relationships across the assurance tooling landscape; lead commercial negotiations and partnerships to unlock capability, interoperability, and value.
Talent, Culture, and Organisational Development: Build and inspire a high-performing global team; set stretch goals, cultivate psychological safety and deep technical craft; create champion networks and training that shift-left security across engineering communities.
Enterprise Influence and Adoption: Partner with CIO, security leadership, engineering, platform, and risk stakeholders to prioritise the assurance agenda; translate standards and frameworks into practical playbooks that teams adopt at scale.
Essential Skills/Experience:
- Bachelor's degree in Computer Science, Information Security, Software Engineering, or a related technical field; advanced degree desirable.
- Minimum 10 years of relevant experience
- Validated strategic leadership in software assurance, application security, or product security at enterprise scale - with clear accountability for programme delivery and risk outcomes.
- Demonstrated expertise in Secure SDLC frameworks (NIST SP 800-218 SSDF, OWASP SAMM, BSIMM) and their practical application across large, global engineering organisations.
- Hands-on fluency with modern software assurance tooling across SAST, DAST, SCA, secrets management, and supply chain integrity (e.g., GitHub Advanced Security, Snyk, AWS Kiro, SonarQube, Burp Suite Enterprise, Wiz, FOSSA).
- Consistent track record in developing and delivering long-term strategic plans that demonstrably improved an organisation's software security posture.
- Extensive experience reducing cyber risk in large, complex, global enterprises - including regulated environments (pharmaceutical, financial services, or equivalent).
- Experience leading large-scale change initiatives from planning to full implementation across geographically dispersed, matrixed organisations.
- Significant experience leading sizeable teams with direct and indirect reports; skilled at building high-performing engineering and security functions.
- Substantial experience communicating with and influencing diverse internal and external stakeholders - including executive leadership, regulators, and supplier/vendor networks - to drive strategy and outcomes.
- Experience planning and handling multi-million-dollar budgets and resource allocation for a large software or cyber security function.
Desirable Skills/Experience:
- Relevant security certifications: CISSP, CSSLP, CISM, or equivalent (preferred).
- Experience in the pharmaceutical or life sciences sector, with familiarity with GxP software validation requirements and regulatory frameworks.
- Familiarity with AI-assisted development platforms and their associated security implications - including AI code generation, LLM supply chain risk, and specification-driven development tools such as AWS Kiro.
- Experience with cloud-native software security (AWS, Azure, GCP), container/Kubernetes security, and API security posture management.
- Track record of collaborating with cross-functional global leadership across Engineering, Architecture, GRC, Legal, and business technology functions.
Call to Action:
If you are ready to build the software assurance backbone that accelerates safe, secure innovation for millions of patients, take the lead and apply today!
Date Posted: 26-Jun-2026
Closing Date: 10-Jul-2026