Cybersecurity GRC Lead

Glaukos Corporation
United States, Massachusetts, Burlington
30 North Avenue (Show on map)
Apr 15, 2026

What You'll Do:

The Cybersecurity GRC Lead - Medical Devices (Continuous Control Monitoring Lead) is responsible for overseeing and coordinating cybersecurity governance, risk, and compliance (GRC) activities supporting medical devices produced and supported internationally. This role ensures that cybersecurity "run-the-business" controls and evidence-producing activities (such as access reviews, vulnerability scanning cadence, patch tracking, SBOM governance, and audit readiness) are properly planned, executed by the appropriate teams, and documented.

This is a coordination, governance, and assurance role rather than a hands-on technical execution role. The position partners closely with Engineering/R&D, Quality, Regulatory Affairs, IT, and Information Security to maintain compliance with applicable standards and regulatory guidance and to ensure customer and regulatory cybersecurity requirements are tracked through completion.

Governance & Program Oversight

  • Own and maintain the medical device cybersecurity GRC plan, calendar, and control schedule (monthly, quarterly, and annual activities).
  • Ensure cybersecurity roles, responsibilities, RACIs, and escalation paths are defined and functioning across IT, Engineering, and Quality teams.
  • Maintain governance documentation, including policies, procedures, standards, control narratives, and work instructions related to medical device cybersecurity.
  • Provide regular program status reporting (KPIs/KRIs, control execution status, risk posture, overdue actions) to the CISO and other stakeholders.

Risk Management & Requirements Tracking

  • Track cybersecurity requirements from customers, internal stakeholders, and applicable standards and guidance (e.g., FDA expectations, IEC 62304/62443 concepts, NIST-aligned controls) through implementation and evidence completion.
  • Coordinate cybersecurity risk assessments and ensure resulting remediation actions are assigned, tracked, and closed by accountable owners (Engineering, IT, suppliers, etc.).
  • Maintain the cybersecurity risk register for medical device-related risks impacting products, manufacturing/operations, and supporting systems.

Cross-Functional Coordination & Audit / Inspection Readiness

  • Serve as the central coordination point between Sales, Engineering, Quality, Regulatory Affairs, IT, and Information Security for cybersecurity compliance deliverables.
  • Coordinate with Quality and Regulatory Affairs to ensure pre-sale cybersecurity responses meet regulatory and compliance expectations.
  • Escalate and track gaps or risks identified during the pre-sale process to appropriate internal stakeholders.
  • Support Quality and Regulatory teams with audit and inspection readiness by ensuring cybersecurity artifacts are current, approved, and readily retrievable (e.g., threat models, vulnerability management evidence, access review records).
  • Drive continuous improvement of GRC processes, including templates, checklists, evidence repositories, and dashboards.

Control Assurance

  • Ensure execution and evidence capture for recurring cybersecurity controls, including:
      • Monthly and quarterly user and privileged access reviews for applications, cloud portals, and applicable manufacturing-support systems.
      • Vulnerability scanning governance, confirming scans occur on schedule, findings are triaged, and remediation plans are tracked to closure (execution performed by IT, Security Operations, or Engineering).
      • Patch and vulnerability remediation tracking, including SLA monitoring, exception handling, compensating controls, and escalation of overdue items.
      • Backup, restore, and security monitoring attestations for device-supporting environments, where applicable.
      • Supplier and third-party security evidence coordination related to device development or connectivity.


SBOM, Vulnerability Disclosure & Customer Assurance

  • Govern SBOM accuracy and update cadence by coordinating inputs from Engineering and suppliers and ensuring evidence is maintained for audits and customer requests.
  • Coordinate vulnerability intake, triage governance, and coordinated vulnerability disclosure (CVD) processes (with execution performed by product security and engineering teams).
  • Lead and coordinate responses to customer cybersecurity questionnaires, risk assessments, and security audits by gathering SME input and ensuring consistent, compliant responses.

How You'll Get There:

  • 5+ years of experience in cybersecurity, governance, risk management, or regulated technology environments, with strong exposure to medical devices, healthcare technology, life sciences, or similarly regulated products.
  • Recognized as a seasoned subject-matter expert in medical device cybersecurity governance, independently owning and driving GRC programs, continuous control monitoring, audit readiness, and customer assurance activities.
  • Demonstrated ability to analyze and resolve complex, multi-factor cybersecurity and regulatory issues, applying sound judgment with minimal day-to-day guidance.
  • Proven success influencing cross-functional and senior stakeholders (Engineering, Quality, Regulatory, IT, Security, Commercial) to achieve compliant, auditable outcomes without direct authority.
  • Extensive experience supporting regulatory inspections, internal and customer audits, and pre-sale cybersecurity assessments, serving as a credible internal and external representative.
  • Track record of managing multiple concurrent initiatives, driving program maturity, and delivering sustained results through scalable processes, metrics, and documentation.
  • Bachelor's degree in Engineering, Computer Science, Cybersecurity, Biomedical Engineering, or a related field.
#GKOSUS