
Job Overview
Location
Indiana, USA
Job Type
Full-time
Category
Software Engineering
Date Posted
March 10, 2026
Full Job Description
Description
- Lead the development, implementation, and continuous improvement of Avantor’s global Information Security Governance, Risk, and Compliance (GRC) strategy and function, ensuring alignment with business objectives, regulatory requirements, and industry best practices.
- Define and execute comprehensive programs that ensure adherence to global regulatory mandates, industry standards, and internal policies, effectively managing cybersecurity risk across the enterprise.
- Serve as a key advisor to the CISO and senior leadership on the organization's enterprise risk posture, emerging threats, compliance obligations, and overall security performance, fostering a proactive and informed security culture.
- Champion a culture of security accountability throughout the organization, embedding security considerations into daily operations and decision-making processes.
- Oversee and manage the Company’s Information Security Management System (ISMS), ensuring its effectiveness, scalability, and alignment with evolving business needs and threat landscapes.
- Establish, maintain, and continuously evolve the Company’s information security policies, standards, and guidelines, ensuring their consistency and applicability across all global operations, systems, and business units.
- Maintain and optimize governance boards, steering committees, and reporting mechanisms to ensure effective oversight and strategic direction of the information security program.
- Define and drive the enterprise application security strategy, ensuring it is seamlessly integrated with business objectives, regulatory mandates (such as SOX, PCI, ISO 27001), and the company's defined risk tolerance.
- Develop and maintain a forward-looking, multi-year roadmap for application security capabilities, focusing on the integration of advanced techniques like threat modeling, secure coding standards, and the automation of the Software Development Lifecycle (SDLC).
- Act as the primary subject matter expert and executive-level advisor on all aspects of application security, collaborating closely with product, architecture, engineering, DevOps, and compliance teams.
- Lead the design, implementation, and ongoing enhancement of Secure Software Development Lifecycle (SSDLC) practices, ensuring that security requirements are intrinsically embedded into every phase of the software development process, from initial requirements gathering through design, coding, testing, and release.
- Collaborate effectively with development teams to integrate critical security tooling, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Infrastructure as Code (IaC) scanning, directly into CI/CD pipelines, establishing measurable guardrails and performance thresholds.
- Drive the widespread adoption of secure coding guidelines, threat modeling methodologies, and security design reviews, providing comprehensive training and enablement resources to engineering teams to foster a security-first mindset.
- Develop and oversee a robust, risk-based application vulnerability management program that encompasses both internally developed code and third-party/open-source components, including the management of Software Bill of Materials (SBOM) and Common Vulnerabilities and Exposures (CVEs).
- Partner closely with DevOps and engineering teams to efficiently triage, prioritize, and remediate identified vulnerabilities, ensuring adherence to Service Level Agreements (SLAs) and demonstrating measurable risk reduction across the application portfolio.
- Lead the implementation and optimization of vulnerability scanning tools and associated workflows, ensuring comprehensive visibility, consistent application, and centralized reporting across all relevant platforms.
- Lead the enterprise cyber risk management program, encompassing comprehensive risk assessments, the development and execution of risk treatment plans, and diligent tracking and reporting of risk status.
- Proactively identify, evaluate, and prioritize risks associated with new systems, emerging technologies, third-party vendors, and strategic business initiatives, ensuring potential security implications are addressed early.
- Enhance risk quantification methodologies and assist business leaders in understanding security risks in tangible operational and financial terms, facilitating informed decision-making.
- Own and manage the information security components critical to compliance programs and readiness efforts, including SOX IT General Controls (ITGC), PCI DSS, GDPR, ISO 27001, NIST Cybersecurity Framework (CSF), SOC 2, and other relevant regulatory and industry frameworks.
- Lead internal and external audit processes, meticulously coordinating evidence gathering, managing remediation plans, and ensuring consistent and effective control execution.
- Analyze evolving regulatory landscapes and translate complex requirements into actionable operational controls and security measures.
- Further develop, refine, and oversee the entire vendor security assessment lifecycle, ensuring appropriate due diligence, rigorous control verification, and the establishment of clear contractual security expectations aligned with current and future business needs.
- Collaborate with Procurement, Legal, and key business stakeholders to effectively mitigate third-party risks and drive process integrations that enhance collaboration in managing supplier-related security risks.
- Continue to drive the evolution and enhancement of the enterprise-wide security awareness and training program, ensuring its adaptation to current and emerging risks and threats.
- Partner with IT, Business Units, HR, and Communications departments to effectively drive enterprise-wide security education and training initiatives.
- Ensure training programs are designed to effectively target and modify behaviors that reduce risk, support Avantor’s compliance obligations, and address the dynamic nature of the risk landscape.
- Lead specialized application security awareness and training programs tailored for developers, architects, and product owners.
- Develop, maintain, and automate key security performance indicators (KPIs), key risk indicators (KRIs), and comprehensive dashboards to provide actionable insights to executive leadership and drive necessary changes in response to identified risks through continuous monitoring processes.
- Ensure the delivery of accurate, timely, and insightful reporting on compliance status, overall risk posture, and ongoing audit activities to relevant stakeholders.
Skills & Technologies
Go
Remote
Degree Required
About VWR International, LLC
VWR International supplies laboratory chemicals, consumables, equipment, and services to research, pharmaceutical, biotechnology, industrial, and educational customers worldwide. Founded in 1852, the company offers over a million products from global brands and private labels, supported by inventory management, e-commerce, and technical support programs. Headquartered in Radnor, Pennsylvania, VWR operates distribution centers and sales offices across North America, Europe, and Asia, enabling tailored supply-chain solutions for laboratories and production facilities.