BISO - Manufacturing, Operations & Enabling
Are you ready to safeguard the digital backbone that keeps medicines moving from development to patients? This is your opportunity to be AstraZeneca’s primary strategic cybersecurity partner across two critical portfolios—regulated manufacturing environments and enterprise business applications—where every security decision helps protect product quality, patient safety, financial integrity, and business continuity.
In this customer-facing role, you will represent the CISO and lead engagement, alignment, and delivery of cybersecurity risk and resilience outcomes. You will guide security priorities and long-term posture across operational technology and manufacturing execution systems, as well as enterprise SaaS platforms such as Workday, SAP, Coupa, and Concur. Can you balance the realities of 24/7 production with the pace of cloud/SaaS innovation to achieve measurable, inspection-ready results?
Accountabilities
Dual-Portfolio Strategic Partnership: Serve as the lead security partner to Manufacturing Operations IT and Enabling Units IT leadership, shaping governance forums to drive risk-based decisions, clear accountability, and visible security outcomes across both portfolios.
Risk Posture and Architecture: Guide architects to define layered security approaches suited to each environment—industrial security architecture for plants and cloud-native controls for enterprise SaaS—so that controls are effective, pragmatic, and scalable.
Manufacturing Technology Security: Lead security for operational technology, industrial control systems, and manufacturing execution systems, implementing segmentation, secure remote access, and privileged access practices that respect validation and uptime requirements.
Enterprise SaaS and Cloud Security: Drive security consulting and risk management for Workday, SAP, Coupa, Concur and other enterprise platforms, covering identity and access management, data protection, integration security, privileged access governance, and vendor assurance.
Regulatory and Compliance Alignment: Embed controls aligned to GMP/GxP and computerized system validation in manufacturing, financial controls and SOX for Finance, GDPR for employee data, and due diligence requirements for Legal and M&A—demonstrating audit- and inspection-ready evidence.
Validation-Aware and Change-Controlled Delivery: Ensure security improvements align to validation and change control processes, with impact assessments, documentation, and compensating controls that maintain production continuity and business operations.
Asset Visibility and Vulnerability Management: Establish comprehensive inventories and risk-based vulnerability management across both manufacturing technology and SaaS/cloud platforms, reducing critical exposures while respecting patching and update constraints.
Integration and Data Flow Security: Secure data flows from shop-floor to enterprise and across business applications (HR-to-Finance, procurement-to-payment), with strong identity controls, logging, monitoring, and resilience patterns.
Third-Party and Vendor Risk Management: Strengthen supplier risk management for automation vendors, equipment manufacturers, SaaS providers, cloud platforms, and business service partners through enforceable minimum controls, ongoing assurance, and secure support models.
Incident Preparedness, Response, and Recovery: Collaborate with security operations and business teams to create environment-specific playbooks, run tabletop exercises, and improve recovery readiness for production-critical and business-critical services.
Inspection and Audit Readiness: Maintain evidence aligned to GMP expectations and audit requirements for financial controls, SOX, data privacy, and M&A due diligence to ensure continual readiness.
Metrics and Continuous Improvement: Build risk dashboards and KPIs spanning both portfolios—segmentation coverage, remote access compliance, critical exposure reduction, SaaS posture, identity governance maturity, recovery readiness—and drive measurable improvement over time.
Culture, Awareness, and Operating Model: Tailor cybersecurity culture and training for operations/engineering/site roles and for Finance, HR, Legal, GBS, and M&A users, enabling role-appropriate security practices and shared ownership of risk.
Lead and Coach a High-Performing Team: Set clear goals tied to risk reduction and resilience, coach for performance, and create an environment where consultants and analysts thrive and deliver tangible outcomes.
Essential Skills/Experience
10+ years of experience in information security positions, with 5+ years' experience overseeing an information security function and influencing senior business/IT stakeholders across diverse technology environments
Demonstrated experience securing both manufacturing/operational technology environments and enterprise business applications, with ability to translate operational and business realities into effective cybersecurity controls
Strong familiarity with multiple regulatory and compliance frameworks including GMP/GxP and computerized system validation (pharmaceutical manufacturing), financial controls and SOX compliance (Finance), data privacy regulations (GDPR), and electronic records/signatures regulations
Proven ability to design and operationalize security controls appropriate to diverse environments—industrial security architecture for manufacturing systems and cloud-native security patterns for enterprise SaaS platforms
Hands-on experience securing manufacturing technology systems (operational technology, industrial control systems, manufacturing execution systems) including segmentation, secure remote access, and controls appropriate for high-availability production environments
Hands-on experience securing enterprise SaaS and cloud platforms, including identity and access management, data protection, integration security, and vendor risk management for major enterprise applications (experience with Workday, SAP, or similar platforms highly desirable)
Security standards and frameworks: Working knowledge of relevant industrial control system security standards (ISA/IEC 62443, NIST SP 800-82) and enterprise security frameworks (NIST CSF, ISO 27001/27002, CIS Controls), with ability to apply appropriate controls to each environment
Experience running risk-based vulnerability management across diverse technology stacks—from manufacturing systems with patching constraints to enterprise SaaS platforms with continuous update models
Understanding of global incident response processes with experience adapting containment and recovery approaches to both manufacturing constraints (safety, quality, uptime) and business continuity requirements (financial close, payroll, procurement)
Experience managing cyber risk across diverse supplier types including equipment manufacturers, systems integrators, SaaS providers, cloud platforms, and business service providers, including enforceable minimum controls and ongoing assurance
M&A security experience: Familiarity with cybersecurity due diligence, integration security planning, and post-merger technology risk management is highly desirable
Demonstrated ability to apply emerging technologies including AI/automation to improve cybersecurity and operational outcomes while protecting sensitive data and maintaining human oversight
Strong written and verbal communication skills, with proven ability to present complex technical information to both technical and non-technical audiences, including manufacturing site leaders, finance executives, HR leadership, legal counsel, and global IT
Proven ability to manage competing priorities and drive outcomes across multiple business areas with different risk profiles, regulatory obligations, and operational constraints
Executive presence and influence: Ability to build trusted relationships and influence decision-making across diverse stakeholder groups with different business priorities and technical maturity levels.
Bachelor's degree in science or relevant technical field of study; Master's preferred.
Desirable Skills/Experience
Professional certifications such as CISSP, CISM, CISA, or equivalent.
Prior experience in pharmaceutical or other highly regulated manufacturing environments with computerized system validation.
Experience leading security integration in post-merger environments and large-scale technology transitions
Track record of implementing AI/automation in security operations, policy enforcement, or risk reporting at scale.
When we put unexpected teams in the same room, we unleash bold thinking with the power to encourage life-changing medicines. In-person working gives us the platform we need to connect, work at pace and challenge perceptions. That's why we work, on average, a minimum of three days per week from the office. But that doesn't mean we're not flexible. We balance the expectation of being in the office while respecting individual flexibility. Join us in our unique and ambitious world.
The annual base pay for this position ranges from $190,956.80 - $286,435.20 USD Annual. Hourly and salaried non-exempt employees will also be paid overtime pay when working qualifying overtime hours. Base pay offered may vary depending on multiple individualized factors, including market location, job-related knowledge, skills, and experience. In addition, our positions offer a short-term incentive bonus opportunity; eligibility to participate in our equity-based long-term incentive program (salaried roles), to receive a retirement contribution (hourly roles), and commission payment eligibility (sales roles). Benefits offered include a qualified retirement program [401(k) plan]; paid vacation and holidays; paid leaves; and health benefits including medical, prescription drug, dental, and vision coverage in accordance with the terms and conditions of the applicable plans. Additional details of participation in these benefit plans will be provided if an employee receives an offer of employment. If hired, employee will be in an “at-will position” and the Company reserves the right to modify base pay (as well as any other discretionary payment or compensation program) at any time, including for reasons related to individual performance, Company or individual department/team performance, and market factors.
Are you ready to bring new insights and fresh thinking to the table? Fantastic! We have one seat available, and we hope it’s yours. Apply today.
AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We follow all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.
Date Posted
06-May-2026
Closing Date
28-May-2026
Our mission is to build an inclusive environment where equal employment opportunities are available to all applicants and employees. In furtherance of that mission, we welcome and consider applications from all qualified candidates, regardless of their protected characteristics. If you have a disability or special need that requires accommodation, please complete the corresponding section in the application form.
AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorisation and employment eligibility verification requirements.