Director, Cybersecurity Governance, Risk, and Compliance

Lantheus is headquartered in Bedford, Massachusetts with offices in New Jersey, Canada, and Sweden. For more than 60 years, Lantheus has been instrumental in pioneering the field of medical imaging and has helped physicians enhance patient care with its broad product portfolio.

Lantheus is an entrepreneurial, agile, growing organization that provides innovative diagnostics, targeted therapeutics, and artificial intelligence (AI) solutions that empower clinicians to find, fight and follow disease. At Lantheus our purpose and values guide our behaviors in all interactions and play a vital role in creating a dynamic environment that contributes to our success. Every employee is crucial to our success; we respect one another and act as one knowing that someone’s health is in our hands. We believe in helping people be their best and are seeking to bring together a diverse group of individuals with different viewpoints and skill sets to be a part of a productive and inclusive team.

The Director of Cybersecurity Governance, Risk, and Compliance will report directly to the Chief Information Security Officer and is tasked with managing and overseeing the Lantheus cybersecurity risk landscape. You’ll be tasked with identifying and assessing cybersecurity risks across business lines, remediating and reporting risk insights to relevant leaders, while providing advice and playing a critical role in Lantheus’ regulatory engagement.

Cybersecurity GRC focuses on strengthening and guarding the firm from the many risks we face while fostering a transparent and risk-aware culture.

Responsibilities Include, But Are Not Limited To

• Develop the operating model and a service-oriented customer engagement model supporting all GRC services and capabilities.
• Operationalize GRC capability areas including policy and exception management, security awareness and training, third-party risk management, security reviews and audits, enterprise security risk management, compliance management, business continuity, disaster recovery
• Establish and provide security metrics and reporting for all GRC services
• Perform risk assessments addressing security threats, changes to systems and/or applications, process improvement initiatives
• Monitor the security risk profiles of our suppliers to objectively determine high risk suppliers that require additional review
• Maintain cybersecurity risk register
• Partner with the Enterprise Risk Management and Compliance organization to achieve corporate strategies and objectives
• Provide oversight and management for the Data Privacy solution and support resources
• Work with various operational and business teams to drive toward a cohesive view of security risk while driving remediation items to closure. Maintain accurate reporting of remediation activities to bring appropriate visibility to stakeholders
• Respond to customer security/compliance questionnaires
• Ensures HIPAA, GDPR, and PCI requirements are adhered to as Globally applicable. Leads annual certification or audit programs associated with achieving compliance with these regulatory requirements. Develops and implements Policies and Processes necessary for the success and support of the GRC program.
• Conducts regular and ongoing Risk Assessments, Global Phishing simulations, Security Controls Analyses, and both Resiliency and Disaster Recovery testing
• Creates and coordinates various Risk Committee(s) to ensure key business/IT initiatives or high-value assets consider and adhere to established risk and Compliance Policies
• Promote a culture of Security, Risk, and Compliance awareness through organization-wise forums, regular communications, and a robust Security/Risk awareness/training program
• Develops and delivers the GRC strategic roadmap and investment plan addressing People, Process, and Technology
  
  

Minimum Requirements

• Bachelor’s or master’s degree in a relevant field of work or equivalent combination of education and work experience
• 10+ years’ experience in cybersecurity with a minimum of 5+ in cybersecurity governance risk and compliance
• 5+ years management/leadership experience; managing people, projects, budgets, and processes
• CISSP preferred, but not required
• Proven track record of promotion and collaboration of risk and compliance policies and practices across IT and organizational business units
• Excellent oral and written communication skills with ability to communicate risks to executive leadership and key stakeholders
• Strong understanding of cybersecurity risk frameworks and ability to lead the execution and implementation of the frameworks as well as articulate their value and purpose
• Understanding of cybersecurity risk management and control principles with a proven ability to anticipate and identify risks and effective mitigating actions
• Strong organizational, project management, multi-tasking and stakeholder management skills with demonstrated ability to manage expectations and deliver results with a high level of professionalism, self-motivation, and integrity
• Ability to determine and set the strategic direction of the Cybersecurity GRC function(s)
• Strong understanding of industry standards and regulations including: NIST, SOX, PCI, ISO, GDPR, CCPA, HITRUST, GxP, and others
• Experience developing, tracking, and reporting key KRIs and KPIs
  
  

Lantheus is committed to equal employment opportunity and non-discrimination for all employees and qualified applicants without regard to a person's race, color, sex, gender identity or expression, age, religion, national origin, ancestry, ethnicity, disability, veteran status, genetic information, sexual orientation, marital status, or any characteristic protected under applicable law. Lantheus is an E-Verify Employer in the United States. Lantheus will make reasonable accommodations for qualified individuals with known disabilities, in accordance with applicable law.

Any applicant requiring an accommodation in connection with the hiring process and/or to perform the essential functions of the position for which the applicant has applied should make a request to the Lantheus Talent Acquisition team at talentacquisition@lantheus.com.