Senior Cybersecurity Compliance Analyst II, Medical Device SME

at Exact Sciences
Published September 19, 2023
Location Harrisburg, PA
Category Default
Job Type Full-time


Position Overview

At Exact Sciences, we are cancer fighters. We are united by our mission to change lives by providing earlier, smarter answers. Through advances in cancer detection and treatment guidance, we will help eradicate the disease and the suffering it causes. Exact Sciences' CISO Office supports this mission by defending the millions of digital patient, practitioner, and employee lives within our environments. Defending today and securing tomorrow is no small feat. To help achieve this, the team is in search of a cybersecurity medical device compliance subject matter expert to join our collaborative team comprised of passionate experts.

The Senior Cybersecurity Compliance Analyst II is a newly created role within the CISO Office reporting to the Senior Manager of Cybersecurity Compliance. This role will be responsible for leading the cybersecurity medical device compliance efforts for the enterprise as well as continuing the advancement of the compliance program. This is a multi-dimensional role, requiring extensive security and business integration experience with proven capability in both technical skills and cultural awareness to identify, decipher, monitor, and report cybersecurity risks across the organization.

This position is remote eligible.

Essential Duties

Include, but are not limited to, the following:

  • Lead cybersecurity medical device compliance initiatives for Exact Sciences, including managing the planning and preparation of cybersecurity compliance submissions for Exact Sciences' products to support pre- and post-market requirements.
  • Drive education of security compliance methodology and frameworks, with a focus on medical device cybersecurity compliance, to key business stakeholders.
  • Serve as the medical device cybersecurity compliance subject matter expert, responsible for crafting cybersecurity plans/reports to meet the requirements of regulatory bodies.
  • Provide cybersecurity compliance subject matter expertise and consulting to product development teams.
  • Research and interpret industry insights and best practices, along with interpreting impact of requirements from governing authorities.
  • Assist with the continued advancement of the security & IT compliance program through continual controls environment evaluation, relative to industry best practices and regulatory requirements, in alignment with the risk appetite and business requirements.
  • Collaborate with various stakeholders across the organization to manage the lifecycle of a control, including new controls, modification to existing controls, or retirement of existing controls.
  • Work with leadership to prioritize initiatives to align with business objectives.
  • Act as a source of direction, training, and guidance for less experienced staff.
  • Champion the remediation of visibility and capability gaps and breakdown roadblocks standing in the way of a robust security posture.
  • Enable the maturation of the security program functions within the cybersecurity team and with key business partners.
  • Uphold company mission and values through accountability, innovation, integrity, quality, and teamwork.
  • Support and comply with the company's Quality Management System policies and procedures.
  • Maintain regular and reliable attendance.
  • Ability to act with an inclusion mindset and model these behaviors for the organization.
  • Ability to travel 10% of working time away from work location, may include overnight/weekend travel.

Minimum Qualifications

  • Bachelor's Degree in field as outlined in the essential duties; or Associate Degree and 2 years of relevant experience as outlined in the essential duties; or High School Diploma or General Education Degree (GED) and 4 years of relevant experience as outlined in the essential duties.
  • 7+ years of progressive professional compliance experience with security and/or privacy authoritative sources (e.g., NIST, ISO, HITRUST, FDA, CAP, CLIA, HIPAA, PCI, GDPR).
  • 2+ years of professional experience driving/advancing cybersecurity medical device compliance efforts.
  • Demonstrated experience with the following:
    • FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.
    • Clinical Laboratory Improvement Amendments of 1988 (CLIA).
    • College of American Pathologists Laboratory General Checklist (CAP).
  • Demonstrated experience crafting cybersecurity plans/reports to meet the requirements of regulatory bodies.
  • Experience assessing control operation and design effectiveness, including risk mitigation, using SOC2 reports, security assessments, penetration testing results, vulnerability assessments, SOX audits, etc.
  • Experience presenting compliance and risk mitigation concepts and controls rationalization to internal and external stakeholders.
  • Able to organize and track compliance requests; strong project management skills a plus.
  • Solid grasp of security governance, risk, and compliance concepts.
  • Customer-centric mindset with the ability to develop and apply complex concepts using strong analytical skills.
  • Technically proficient in performing assigned duties at a high-level of independence under minimal supervision while working within a team environment.
  • Demonstrated leadership skills, ability to drive change in a complex environment, where you may/may not have formal reporting responsibility.
  • Excellent communication skills, appropriately adapting based on audience needs, through all mediums: verbal, written, presentation, and listening.
  • Able to be agile and work with ambiguity.
  • Proficient+ in Microsoft Office programs, such as PowerPoint, Excel, Outlook, and Word.
  • Relevant certification(s) in the field of cybersecurity, risk, audit, or program/project management.
  • Demonstrated ability to perform the essential duties of the position with or without accommodation.
  • Authorization to work in the United States without sponsorship.

Preferred Qualifications

  • Experience with any of the following a plus, expertise plus-plus:
    • FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff.
    • Association for the Advancement of Medical Instrumentation (AAMI) TIR57:2016 Principles for Medical Device Security - Risk Management.
    • New York State Department of Health Clinical Laboratory Evaluation Program - Clinical Laboratory Standards of Practice, General Systems Standards (NYDOH).
    • European Union In Vitro Diagnostics Regulation (EU) 2017/746 (EU IVDR).
    • Regulation (EU) 2017/745 (MDR).
    • Medical Device Coordination Group (MDCG) 2019-16: Guidance on Cybersecurity for Medical Devices.
  • Experience with enterprise GRC management platforms (e.g., ServiceNow, OneTrust); implementation experience a plus.
  • Experience in healthcare or biotech industries.


Salary Range:
$105,000.00 - $168,000.00

The annual base salary shown is a national range for this position on a full-time basis and may differ by hiring location. In addition, this position is bonus eligible, and is eligible to receive company stock upon hire as well as annually. Benefits offered include a retirement savings plan, paid vacation, holiday and personal days, paid caregiver/parental leave, and health benefits to include medical, prescription drug, dental and vision coverage in accordance with the terms, conditions, and eligibility requirements of the applicable plans.

If you require a reasonable accommodation with the application process, please contact us by email.

We are an equal employment opportunity employer. All qualified applicants will receive consideration for employment without regard to age, color, creed, disability, gender identity, national origin, protected veteran status, race, religion, sex, sexual orientation, and any other status protected by applicable local, state or federal law. Applicable portions of the Company's affirmative action program are available to any applicant or employee for inspection upon request.

To view the Right to Work, E-Verify Employer, and Pay Transparency notices and Federal, Federal Contractor, and State employment law posters, refer to the linked documents. These documents summarize important details of the law and provide key points that you have a right to know.