Senior Director- Global Cyber Compliance

At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We're looking for people who are determined to make life better for people around the world.

Lilly is seeking a Senior Director of Global Cyber Compliance to lead the transformation of our compliance function into a high-performing, AI-enabled, risk-responsive program that measurably reduces regulatory risk across Lilly's global technology environment. You will lead the strategy and execution across a complex, multi-framework regulatory landscape-including FDA 21 CFR Part 11, GxP, NIS2, ISO 27001, SOC 2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI governance requirements-while ensuring every compliance decision is anchored to Lilly's threat-based cyber program.

You will bring the technical credibility to challenge the status quo, the platform acumen to automate compliance at scale through LogicGate Risk Cloud and AI-augmented workflows, the operational leadership to build and develop a global compliance team.

Four converging forces demand compliance leadership in global pharma:

• Regulatory acceleration - NIS2, FDA cybersecurity guidance for digital health and manufacturing, the CCPA Cybersecurity Audit Rule, the DoJ Data Rule, Chinese regulations (PIPL/CSL/DSL), and emerging AI governance mandates are creating a multi-jurisdictional compliance surface that legacy, manual processes cannot scale to address.
  
• Threat landscape maturity - Pharma IP, clinical trial data, OT/manufacturing systems, and drug supply chains are high-value adversary targets. Compliance not anchored to threats creates false assurance and misallocates resources.
  
• AI and automation imperative - Manual evidence collection, spreadsheet-based control tracking, and static policy inventories are operationally unsustainable. The next-generation compliance function requires AI-augmented workflows, automated control testing, and intelligent risk quantification delivered through a modern GRC platform.
  
• Global scale and complexity - Lilly's operating footprint spans EU, US, and APAC regulatory regimes simultaneously. A single-jurisdiction compliance approach is insufficient; this role requires an strong leader who can orchestrate compliance across manufacturing, research, and commercial technology environments at global scale.
  

What You Will Be Doing:

Global Compliance Strategy & Program Ownership

• Define and lead the global cyber compliance program, establishing a clear approach that transitions the function from reactionary audits and inspections toward continuous, risk-responsive, program-aligned assurance.
  
• Set the vision and drive execution for AI, automation and GRC platform capabilities to accelerate compliance delivery, reduce manual overhead, and improve compliance outcomes.
  
• Own and evolve Lilly's multi-framework compliance program spanning FDA 21 CFR Part 11, GxP, ISO 27001, SOC 2, NIS2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI/ML governance requirements across global manufacturing, research, and commercial technology environments.
  
• Develop scope definitions for security controls and regulatory requirements that reduce task-driven overhead through technical innovation including AI and automation.
  

Regulatory Engagement & Inspection Readiness

• Maintain a current-state, executive-ready view of how Lilly's cyber control environment satisfies each applicable regulatory framework, clearly mapping satisfied obligations and characterizing gaps with relevant regulatory risk analysis.
  
• Drive effort to create and sustain inspection-ready documentation, evidence packages, and response protocols enabling confident engagement with authorities, ISO auditors, and other regulators globally with minimal lead time.
  
• Develop deep working knowledge of how relevant regulatory bodies operate-their inspection methodologies, documentation expectations, finding classification frameworks, and how cyber evidence is evaluated, so preparation is proactive rather than reactive.
  
• Translate regulatory gap analysis into prioritized, risk-ranked remediation roadmaps that leadership can act on, with clear articulation of residual risk where full remediation is not immediately feasible.
  
• Serve as Lilly's primary internal and external subject-matter authority on cyber regulatory interpretation, informing program teams, platform owners, and business leaders on how new initiatives or technology changes affect compliance posture.
  

GRC Platform & AI-Enabled Compliance

• Serve as the service owner for the LogicGate Risk Cloud compliance module, driving object hierarchy design, workflow automation, integration architecture, and adoption.
  
• Champion and deliver AI-augmented compliance capabilities including policy intelligence, automated evidence collection, and natural language advisory tooling that enables teams to self-serve compliance guidance at speed.
  
• Define the target state for compliance automation: continuous control testing, automated regulatory change monitoring, and real-time risk dashboards replacing manual audit cycles.
  

Process Optimization & Data Operations

• Design and implement lightweight, scalable compliance processes that eliminate bottlenecks and drive operational efficiency across security and compliance functions.
  
• Build data pipelines that consolidate compliance, security, and operational metrics from diverse sources into actionable, executive-ready reporting.
  
• Develop predictive analytics capabilities that forecast compliance risk, resource requirements, and audit readiness posture.
  
• Implement data governance frameworks ensuring compliance data quality, consistency, and accessibility across global security operations.
  

Cybersecurity Control Optimization

• Apply knowledge of Lilly's cyber control environment and established frameworks to validate that control design satisfies applicable regulatory requirements.
  
• Own and mature exception management processes, documenting control intensity adjustments based on validated compensating controls, risk context, and business justification.
  
• Collaborate with Cyber service areas including Programs, Platforms, Operations, and M&A Cyber Integration to embed compliance into security operations rather than treating it as a parallel track.
  

Communication & Strategic Influence

• Define and own outcome-based regulatory effectiveness, operational efficiency, and program maturity, replacing activity metrics with measures that demonstrate business value.
  
• Communicate compliance posture, regulatory trends, and program effectiveness to executive cyber leadership in clear, concise language.
  
• Represent Lilly Cybersecurity's compliance function in cross-functional forums and external regulatory interactions, building trust and credibility with partners across Legal, Quality, Finance, and the business.
  

Team Leadership & Organizational Development

• Define team structure, roles, and operating model to support delivery across multiple concurrent regulatory frameworks and geographies.
  
• Drive cross-functional alignment with Legal, Quality, Privacy, Internal Audit, and Regulatory Affairs-ensuring compliance activities are integrated, non-duplicative, and defensible under regulatory and third-party scrutiny.
  

How You Will Succeed:

• Lead the view - you maintain a clear, current-state map of which regulatory obligations are satisfied by existing controls and where gaps require attention, so leadership is never surprised by an audit finding or regulatory inquiry.
  
• Lead through transformation - you move the compliance function from reactive and manual to proactive, automated, and data-driven, with measurable gains in efficiency and regulatory quality.
  
• Establish the team - you hire, develop, and retain compliance talent who grow their regulatory expertise, earn partner trust, and deliver outcomes beyond their individual scope.
  
• Drive platform adoption - LogicGate Risk Cloud becomes the system of record for compliance, with teams self-serving compliance data and manual processes deprecated.
  
• Lead with data - you replace activity-based reporting with outcome-based indicators that demonstrate regulatory effectiveness and operational efficiency in business terms.
  
• Instill trust across the enterprise - Legal, Quality, Audit, and business collaborators see Cyber Compliance as a strategic partner that enables speed, not a gatekeeping function that creates friction.
  
• Stay ahead globally - NIS2, FDA cyber guidance, AI governance, DoJ Bulk Data Rule, PIPL/CSL/DSL, and other emerging requirements are anticipated and addressed proactively before they become reactive remediation efforts.
  

Your Basic Qualifications:

• Bachelor's degree in Information Security, Computer Science, Risk Management, Operations Research, or related field
  
• 12+ years of dynamic experience in cybersecurity compliance, risk management, GRC, or data operations roles within complex, global technology environments.
  
• Experience designing and operating multi-framework compliance programs that prioritize controls based on risk rather than static regulatory checklists.
  
• Hands-on experience implementing or operating a modern GRC platform (LogicGate, ServiceNow GRC, Archer) at enterprise scale.
  
• Experience in highly regulated, multinational environments with demonstrated regulatory engagement, inspection support, and audit management success (FDA, EMA, ISO, NIS2, or equivalent).
  
• Qualified applicants must be authorized to work in the United States on a full-time basis. Lilly will not provide support for or sponsor work authorization or visas for this role, including but not limited to F-1 CPT, F-1 OPT, F-1 STEM OPT, J-1, H-1B, TN, O-1, E-3, H-1B1, or L-1.
  

Certifications (Required or Expected Within 12 Months)

• One or more certifications required or to be obtained within 12 months of hire: CISSP, CISA, CRISC, CISM, or equivalent advanced cybersecurity certification.
  

What You Should Bring/ Preferred Qualifications:

• Advanced degree (MBA, MS) in a relevant field preferred.
  
• Working knowledge of how FDA, EMA, NIS2 competent authorities, and ISO certification bodies conduct cybersecurity-related inspections-including documentation expectations, finding classification, and evidence evaluation criteria
  
• Demonstrated track record redefining a compliance function from reactive and manual to proactive, AI-augmented, and platform-enabled-with measurable efficiency and quality improvements
  
• Experience performing structured regulatory gap analysis: mapping existing control environments to regulatory requirements, quantifying residual risk, and communicating findings to executive audiences
  
• Experience operating in multinational pharma, medtech, or life sciences environments across EU, US, and APAC regulatory regimes concurrently
  
• Familiarity with GxP computer system validation (CSV), 21 CFR Part 11 electronic records/signatures, and audit trail requirements in pharmaceutical or life sciences technology contexts
  
• Track record of building and presenting executive-ready compliance risk dashboards and reporting
  
• Knowledge of cybersecurity frameworks and their application to control design and regulatory mapping
  
• Experience with M&A cybersecurity due diligence and integrating compliance programs across acquired entities at global scale
  
• Experience with AI/ML governance frameworks and AI risk management (NIST AI RMF, EU AI Act implications for pharma)
  
• Shown ability to build, develop, and retain high-performing compliance teams-including coaching members through their first regulatory engagement or audit cycle
  
• Proficiency with GRC automation, workflow configuration, and compliance-as-code concepts; experience with LogicGate Risk Cloud a strong plus
  
• Advanced proficiency in data analytics tools (Python, R, SQL, Tableau, Power BI) and experience building automated reporting pipelines
  
• Understanding of OT/ICS security (NIST 800-82, IEC 62443) in pharmaceutical manufacturing or critical infrastructure contexts
  
• Experience with workflow automation platforms and data pipeline technologies in a compliance or security operations context
  
• Familiarity with third-party risk management, vendor security assessment programs, and supply chain compliance considerations
  
• Familiarity with AI self-service advisory tooling or cybersecurity chatbot capabilities in a compliance context
  

Lilly is dedicated to helping individuals with disabilities to actively engage in the workforce, ensuring equal opportunities when vying for positions. If you require accommodation to submit a resume for a position at Lilly, please complete the accommodation request form ( for further assistance. Please note this is for individuals to request an accommodation as part of the application process and any other correspondence will not receive a response.

Lilly is proud to be an EEO Employer and does not discriminate on the basis of age, race, color, religion, gender identity, sex, gender expression, sexual orientation, genetic information, ancestry, national origin, protected veteran status, disability, or any other legally protected status.

Our employee resource groups (ERGs) offer strong support networks for their members and are open to all employees. Our current groups include: Africa, Middle East, Central Asia Network, Black Employees at Lilly, Chinese Culture Network, Japanese International Leadership Network (JILN), Lilly India Network, Organization of Latinx at Lilly (OLA), PRIDE (LGBTQ+ Allies), Veterans Leadership Network (VLN), Women's Initiative for Leading at Lilly (WILL), enAble (for people with disabilities). Learn more about all of our groups.

Actual compensation will depend on a candidate's education, experience, skills, and geographic location. The anticipated wage for this position is
$157,500 - $231,000

Full-time equivalent employees also will be eligible for a company bonus (depending, in part, on company and individual performance). In addition, Lilly offers a comprehensive benefit program to eligible employees, including eligibility to participate in a company-sponsored 401(k); pension; vacation benefits; eligibility for medical, dental, vision and prescription drug benefits; flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts); life insurance and death benefits; certain time off and leave of absence benefits; and well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities).Lilly reserves the right to amend, modify, or terminate its compensation and benefit programs in its sole discretion and Lilly's compensation practices and guidelines will apply regarding the details of any promotion or transfer of Lilly employees.

#WeAreLilly