VP, Head of Cybersecurity, Compliance and Risk

at CSL Behring
Location King of Prussia, PA
Date Posted January 13, 2021
Category Default
Job Type Full-time


About CSL

With operations in 35+ nations and ~27,000 employees worldwide, CSL is driven to develop and deliver a broad range of lifesaving therapies to treat disorders such as hemophilia and primary immune deficiencies, and vaccines to prevent influenza. Our therapies are also used in cardiac surgery, organ transplantation and burn treatment.

CSL is the parent company of CSL Behring and Seqirus. CSL Behring is a global leader in the protein biotherapeutics industry, focused on bringing to market biotherapies used to treat serious and often rare conditions. CSL Behring operates CSL Plasma, one of the world's largest collectors of human plasma, which is used to create CSL’s therapies. Seqirus is one of the largest influenza vaccine companies in the world and is a transcontinental partner in pandemic preparedness and a major contributor to the prevention and control of influenza globally.

We invite you to take a look at the many career possibilities available around the globe and consider building your promising future at CSL by becoming a member of our team!

Job Description

Secure access to information assets is critical to achieving business objectives. CSL Behring is looking for an experienced Head of IT Security, Risk and Compliance (ITSRC) from the biopharma industry who brings passion and creativity to the role. The Head of ITSRC is responsible for establishing and maintaining the information security program to ensure that information assets and the associated technology, applications, systems, infrastructure and processes are adequately protected across the CSL Behring ecosystem in which we operate. The Head of ITSRC is responsible for identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives.

The Head of ITSRC position requires a leader with sound knowledge of business management and a working knowledge of cybersecurity technologies covering the corporate network as well as the broader digital ecosystem. The Head of ITSRC will proactively work with business units and ecosystem partners to implement practices that meet agreed-on policies and standards for information security. He or she should understand IT and must oversee a variety of cybersecurity, risk management and compliance activities related to IT to ensure the achievement of business outcomes where the business process depends on technology. The Head of ITSRC will be responsible for implementing and running the enterprise information security program.

The Head of ITSRC should understand and articulate the impact of cybersecurity on business outcomes and be able to communicate this to the board of directors and other senior stakeholders. The Head of ITSRC understands that securing information assets and associated technology, applications, systems and processes in the wider ecosystem in which the organization operates is as important as protecting information within the organization's perimeter. A key element of the Head of ITSRC's role is working with executive management to determine acceptable levels of risk for the organization.

This role is responsible for managing all aspects of Information Security, Data Privacy, IT Compliance and IT Risk Management within CSL Behring.

Principal Accountabilities: 

  • Responsible for developing, directing and maintaining an enterprise-wide information security and data privacy program to ensure that information assets are adequately protected.
  • Lead the information security function across the company to ensure consistent and high-quality information security management in support of the business goals.
  • Provide regular reporting on the current status of the information security program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program, thus supporting business outcomes.
  • Continually update the cybersecurity strategy to leverage new technology and threat information.
  • Work with legal and procurement to ensure that information security requirements are included in contracts.
  • Maintain a current understanding of the IT threat landscape for the industry.
  • Direct the identification, evaluation and reporting of information security and data privacy risks in a manner that meets industry compliance and regulatory requirements.
  • Work with technical leads to develop and implement appropriate security solutions. Create clear and concise functional requirements and operational procedure documentation.
  • Ensure that disaster recovery plans and programs are in place and tested.
  • Review and approve security policies, controls and cyber incident response planning.
  • Provide clear risk-mitigating directives for projects with IT components, including the mandatory application of controls (GDPR, GxP, etc.).
  • Review investigations after breaches or incidents, including impact analysis and recommendations for avoiding similar vulnerabilities.
  • Schedule periodic security audits and provide support to respond to external and internal compliance audits.
  • Create and manage a targeted information security awareness training program for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training program for the different audiences.
  • Manage a cost-efficient information security organization consisting of direct reports and dotted-line reports (such as individuals in business continuity and IT operations). This includes hiring, training, staff development, performance management and annual performance reviews.
  • Communicate best practices and risks to all parts of the business outside IT.
  • Create and manage a unified and flexible control framework to integrate and normalize the wide variety of ever-changing requirements resulting from global laws, standards and regulations.
  • Develop and maintain a document framework of continuously up-to-date information security policies, standards and guidelines. Oversee the approval and publication of these information security policies and practices.
  • Build and nurture external networks consisting of industry peers, partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
  • Liaise with external agencies, such as law enforcement and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
  • Liaise with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.

Position Requirements: 

  • Requires at least 15 years of progressively responsible experience in healthcare information systems and software/system security and privacy, demonstrating a high level of understanding of the required knowledge, skills and abilities.
  • 10 or more years of experience in the IT security, privacy and risk management domains.
  • Experience must include demonstrated leadership ability, preferably working as a Director of IT or in a related management position in a healthcare setting.
  • Advanced knowledge of the NIST Risk Management Framework and Cybersecurity Framework preferred.
  • Experience with support of international commercial business operations.
  • Excellent verbal and written communication skills; able to build strong rapport across all functional areas to bring people together and to engage towards a common purpose.
  • Prior project management experience, including successfully setting priorities, meeting schedules, and managing multiple projects simultaneously.
  • Digital leadership skills – capable of empowering and leading an IT security, risk and compliance team to meet business and IT security, risk and compliance goals
  • Solid people management skills – providing direction, monitoring performance, motivating staff and building a positive working environment
  • Ability to adapt to a fast-moving IT landscape and keep pace with latest thinking and new security technologies
  • A passion for technology and for safeguarding security, with a desire to deliver
  • Thrives on change, showing an impressive ability to drive the IT security, risk and compliance strategy forward
  • Analytical mind capable of managing numerous information sources and providing data analysis reports to senior management
  • Strong customer focus – able to meet the demands of internal and external customers
  • Flexible and adaptable – capable of changing direction where required and showing flexibility to meet new demands
  • Forms business partnerships that help drive the IT security, risk and compliance strategy forward
  • Can make decisions that are well informed and timely
  • Creative thinking – able to look at alternatives and consider new ways of thinking to problem solve
  • Multi-tasking – can manage several concurrent projects and prioritize demands
  • Information Security Certifications (CISM, etc.) or other related security certifications
  • Bachelor of Science in Computer Science or other related Science discipline, or Management Information Systems.

Special Training:

  • Ability to work across a range of countries and cultures