云顶新耀 · Digital & IT

Senior Manager/Associate Director, IT Security & Compliance

Salary negotiable  /  Shanghai

Updated today at 18:34


Position Attributes

  • Recruitment type: Experienced hire (social recruitment)
  • Employment type: Full-time

Job Description

Position Summary

This role will be responsible for:

Leading the development of cybersecurity strategies, plans, operational blueprints, and implementation roadmaps; safeguarding corporate data, technology assets, and privacy-related data; establishing information security compliance policies and standards; collaborating with the corporate compliance department to ensure compliant information security operations; and enabling the company’s digital transformation and business growth.

Required expertise covers:

IT governance, risk and compliance (GRC), application security, infrastructure and cloud security, data security, privacy protection, vulnerability management, incident response, technical recovery, vendor security, R&D security, manufacturing security, and supply chain security.

Key Responsibilities

  • Define and implement the enterprise-wide security strategy and its implementation measures. Develop the overall enterprise security strategy by combining industry best practices with the characteristics of the enterprise. Embed the necessary security controls and information security and compliance best practices into the full development life cycle, digital products, technology platforms, and business processes.
  • Establish the risk strategy and risk programs. Build a comprehensive enterprise risk profile, mitigate or resolve cybersecurity and data risks, conduct digital and IT vendor risk assessments, and perform technology and data security reviews as well as business process reviews.
  • Provide information security risk transparency, recommendations, and security requirements. Enable owners and business stakeholders to make risk-informed decisions and action plans that result in significant risk reduction.
  • Lead strategic security reviews of relevant business processes and the business data they hold, driving the closure of risk findings and realizing long-term risk management through the development of "continuous control monitoring."
  • Own enterprise cybersecurity and incident management. Provide insights and support for significant cybersecurity incidents requiring senior leadership attention. Act as the escalation point for general incidents and insider threat reviews, directly supporting highly confidential and compliance investigations.
  • Introduce and drive the development of scalable metrics, striving for data-driven transparency on security performance, decisions, and security investment.
  • Co-lead the Digital Compliance Program with Privacy. Provide security support and recommendations on strategy, priority, scope, governance structure, working model, and processes. Support and work with the team to execute the program, ensuring compliance risks are managed with the appropriate level of priority and resources.
  • Own technology risk management across business areas such as Pharmaceutical R&D, Clinical Development, Pharmaceutical Manufacturing, and Commercialization. The scope includes Infrastructure Security, Application Security, Business Information Security, Technology Recovery, Vendor Security, and Regulatory Inspection.
  • Infrastructure Risk Management: lead infrastructure risk initiatives and conduct reviews to ensure risks are appropriately identified, communicated, and mitigated.
  • Drive and deliver key initiatives such as relevant enterprise security certifications, Data Leakage Protection (DLP), Infrastructure Privilege Management, and controlled incident response.
  • Training and Awareness: promote information security and Business Continuity Planning (BCP) awareness and training for business and technology groups.
  • Provide compliance assurance services through the design of control objectives, control activities, and control testing; also conduct IT audits.
  • Own infrastructure risk programs that improve security baselines and respond to critical alerts, vulnerabilities, and threats.


任职条件

Recommended Education and Key Competency

  • Bachelor's degree or higher in Information Technology or a related field.
  • Holds professional certifications in information security management, such as CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), MCSE (Microsoft Certified Solutions Expert), or MCT (Microsoft Certified Trainer).
  • Experienced security expert with over 10 years of experience in the information security field, including over 5 years within the pharmaceutical industry.
  • Solid understanding of information security concepts, frameworks, standards, and best practices, as well as IT infrastructure and application framework architectures.
  • In-depth knowledge of the cyber threat landscape, attack methodologies, vulnerabilities, common exploits and mitigation techniques, and relevant local and global regulations and requirements.
  • Proven ability to effectively communicate with regulators and other external parties on information security matters.
  • Excellent English verbal and written communication skills, with experience in influencing stakeholders at senior organizational levels.
  • Strong expertise in security frameworks (including NIST, CIS, ISO 27001, CSA, OWASP, etc.) and legal requirements such as China's Cybersecurity Law, Multi-Level Protection Scheme (MLPS), Data Security Law, and Personal Information Protection Law.
  • Client-oriented mindset, results-driven, proactive, and responsive to requests.
  • Innovative, with the ability to propose new ideas to optimize processes.