Director, Security Consulting — Business Information Security Officer (BISO) Commercial IT

At AstraZeneca, we pride ourselves on crafting a collaborative culture that champions knowledge-sharing, ambitious thinking and innovation – ultimately providing employees with the opportunity to work across teams, functions and even the globe.

Recognizing the importance of individualized flexibility, our ways of working allow employees to balance personal and work commitments while ensuring we continue to create a strong culture of collaboration and teamwork by engaging face-to-face in our offices 3 days a week. Our head office and BlueSky Hub in downtown Toronto are purposely designed with collaboration in mind, providing space where teams can come together to strategize, brainstorm and connect on key projects.

Our dedication to sustainability is also central to our culture and part of what makes AstraZeneca a great place to work. We know the health of people, the planet and our business are interconnected which is why we’re taking ambitious action to tackle some of the biggest challenges of our time, from climate change to access to healthcare and disease prevention.

Introduction to role:

Are you ready to shape enterprise security strategy where it matters most—protecting innovation and enabling life-changing medicines to reach patients faster? Do you want to influence VP and executive stakeholders while embedding secure-by-design practices into transformative platforms, AI/ML programs, M&A, and regulated digital products?

As Director, Security Consulting, you will serve as a senior, trusted advisor embedded with product, platform, and business leaders. You will own the strategy, standards, and delivery of security consulting for a complex, global portfolio, translating business goals, threat intelligence, and regulatory obligations into scalable patterns and policy-aligned architectures. Your work will accelerate risk-informed decisions, reduce systemic risk, and improve control effectiveness without slowing innovation.

Based in Gaithersburg and reporting into the Commercial IT BISO, you will operate across a highly matrixed environment to set the guardrails that enable speed with confidence. You will partner closely with architects, engineers, data and AI leaders, and security operations to drive measurable improvements in resilience, audit readiness, and time-to-value.

Accountabilities:

• Strategy and Function Ownership: Own the strategy, operating model, standards, and roadmap for security consulting across the assigned portfolio; align with CISO priorities, product and platform roadmaps, and enterprise architecture, and represent the function in executive governance to drive risk reduction at scale.

• Executive Engagement and Influence: Advise VP/SVP business and technology leaders; translate threat intelligence, regulatory drivers, and commercial strategy into clear, defensible priorities and investment decisions that balance risk, cost, and speed.

• Governance Integration: Embed security into program and product lifecycles with traceable requirements, clear ownership, escalation paths, and measurable outcomes, minimizing friction while maintaining strong control health.

• Secure-by-Design Standards: Define and enforce secure patterns, guardrails, threat models, and reference architectures; champion shift-left practices and continuous security testing integrated into CI/CD.

• Security Consulting and Major Assessments: Lead high-impact assessments across transformative platforms, M&A, AI/ML, major SaaS adoptions, and regulated digital products; document risks, exceptions, and treatments aligned to risk appetite and business objectives.

• Orchestration: Direct deep architecture reviews, red/blue team consultations, and threat modeling accelerators; convert findings into prioritized, funded remediation and durable architectural uplift.

• Program and Portfolio Leadership: Sponsor multi-team security initiatives such as cloud control baselines, AppSec uplift, identity modernization, and third-party assurance; define success metrics and change management to land adoption that lasts.

• Control Assurance and Compliance: Provide executive oversight of control health, testing, and audit readiness across ISO 27001, SOC 2, SOx ITGC, and GxP/GMP where applicable; ensure durable remediation and continuous improvement.

• Third-Party and Supply Chain Security: Set the standard for supplier risk management, security clauses, due diligence, and continuous monitoring; manage concentration and systemic risks and own executive escalations.

• Data, AI, and Privacy Enablement: Partner with data, AI, and privacy leaders to safeguard sensitive and regulated data; enable compliant analytics and AI/ML through classification, encryption, DLP, monitoring, and model-risk controls.

• Incident Preparedness and Response Leadership: Partner with security operations and crisis management to enhance readiness, playbooks, and BCP alignment; sponsor post-incident corrective actions and drive durable control improvements.

• Metrics, Reporting, and Executive Communication: Define and own KPIs, KRIs, and business-centric dashboards; communicate posture and priorities to executives, governance bodies, and where required to Audit Committee and Board-level forums.

• People Leadership and Talent: Lead and develop a team of senior security consultants; build succession, drive performance, and foster a culture of accountability, inclusion, and continuous learning across virtual and matrixed teams.

• Innovation and Emerging Technology: Drive secure adoption of AI/ML including LLMs and agentic systems, IoT/OT, SaaS, and data-centric initiatives; shape enterprise standards for data protection, identity, and zero-trust across hybrid environments.

Essential Skills/Experience:

• Bachelor’s degree in Information Security, Computer Science, Risk Management, or related field

• 12-15 years of progressive experience in information security, including 8+ years leading security consulting, architecture, or BISO functions and influencing senior business and IT executives at VP/SVP level.

• Demonstrated track record of setting enterprise security strategy, standards, and reference architectures in complex, global organizations, and measuring the maturity and business impact of those standards over time.

• Demonstrated ability to apply LLMs and agentic automation to improve cybersecurity and business outcomes, translating use cases into measurable gains (for example faster risk triage, better control evidence, improved detection and response) while protecting sensitive data.

• Deep experience implementing and operationalizing controls defined by NIST CSF, ISO 27001/27002, CIS Controls, and related cybersecurity control frameworks, and demonstrating measurable maturity improvement at enterprise scale.

• Proven ability to design and govern meaningful risk dashboards and metrics (for example in Power BI or equivalent), using actionable data to prioritize remediation, defend investment decisions, and demonstrate risk reduction and resilience improvements.

• Strong understanding of global security operations, incident response, and crisis management; experience as a senior security partner during high-severity events and post-incident reviews.

• Exceptional written and verbal communication skills, with proven ability to present complex technical and risk information to executive, regulatory, and Board-level audiences as well as in-country and business stakeholders.

• Proven ability to manage competing executive-level priorities, operate under time constraints tied to launches, regulatory commitments, and business campaigns, and drive outcomes through influence across a highly matrixed, global organization.

• Demonstrated success building and retaining high-performing security consulting and architecture teams, including senior practitioners, in a global, multicultural environment.

• Proven track record of owning enterprise-wide security consulting, architecture, or risk programs in complex, regulated environments — pharmaceutical, healthcare, life sciences, financial services, or comparable.

• Demonstrated experience setting standards, patterns, and governance that have been adopted enterprise-wide and have produced measurable business and risk outcomes.

• Deep experience with risk assessment methodologies, control frameworks (NIST CSF, ISO 27001, CIS Controls), and global regulatory regimes; experience leading audit and regulator interactions.

• Demonstrated ability to engage, influence, and advise senior executives (VP/SVP and above), translating technical risks into business and strategic language.

• Experience leading and developing cross-functional, geographically distributed teams of senior security professionals; accountable for talent, performance, and succession.

Skills & Competencies:

• Ability to set a multi-year vision, connect security to enterprise strategy, and make defensible trade-offs across risk, cost, speed, and customer experience.

• Deep understanding of cyber risk assessment, risk treatment, and risk monitoring practices; ability to quantify, prioritize, and communicate risk in business and financial terms.

• Strong grounding in cybersecurity architecture, cloud and data security, identity, application security, and zero-trust; ability to set and enforce enterprise-wide patterns.

• Strong program and portfolio management capability, including milestone tracking, RAID management, benefits realization, and executive-level stakeholder reporting.

• Ability to analyze complex security landscapes, identify systemic patterns, and develop strategic mitigation approaches grounded in data.

• Exceptional written and verbal communication; ability to present to executive audiences, governance bodies, regulators, and Board-level forums, and to drive decision-making through influence.

• Proven ability to build trusted, durable relationships with senior business, technology, audit, legal, and regulatory leaders, and to foster a collaborative, inclusive security culture.

• Strong familiarity with pharmaceutical and life-sciences regulations (GxP, FDA 21 CFR Part 11) and global data protection regimes (GDPR, NIS2, HIPAA), and experience translating these into actionable controls.

• Track record of leading, coaching, and retaining senior security talent in a global, matrixed environment; commitment to inclusion, development, and high performance.

Desirable Skills/Experience:

• Master’s degree strongly preferred

• Professional certifications such as CISSP, CISM, or CRISC.

• Additional certifications (CCSP, CGEIT, ISO 27001 Lead Auditor/Implementer, CISA, TOGAF, SABSA).

• Experience working in a global, matrix organization with distributed teams and significant operations in multiple regions, including the US, UK, Sweden, China, Japan, India, and Latin America.

• Direct experience as a BISO, Senior Security Architect Lead, or Head of Security Consulting in a regulated industry.

• Hands-on knowledge of emerging technologies and associated security risks (multi-cloud, AI/ML and agentic systems, IoT/OT, quantum-safe cryptography).

• Understanding of business continuity, disaster recovery, and crisis management at enterprise scale.

• Experience leading security input into M&A due diligence, integration, and divestitures.

• Track record of representing security at Audit Committee or Board-level forums.

Why AstraZeneca:

Join a technology-forward environment where security enables bold science to move faster, safely. Here, unexpected combinations of experts come together to solve hard problems—architects with data scientists, engineers with product strategists—unleashing ideas that translate directly into better outcomes for patients and the business. You will operate with the investment, scale, and executive sponsorship to modernize controls across hybrid cloud, data, and AI, while working in an inclusive culture that values kindness alongside ambition. Your leadership will simplify complex landscapes, build trusted partnerships, and turn cutting-edge concepts into scalable guardrails that raise resilience across a global enterprise.

Call to Action:

If you are ready to lead secure-by-design at enterprise scale and turn strategy into measurable, business-aligned risk reduction, step forward and show us the impact you will deliver!

Great People want to Work with us! Find out why:

Are you interested in working at AZ, apply today!

AstraZeneca is an equal opportunity employer that is committed to diversity and inclusion and providing a workplace that is free from discrimination. AstraZeneca is committed to accommodating persons with disabilities. Such accommodation is available on request in respect of all aspects of the recruitment, assessment and selection process and may be requested by emailing  View email address on careers.astrazeneca.com .

#LI-Hybrid

Date Posted

Closing Date

Our mission is to build an inclusive environment where equal employment opportunities are available to all applicants and employees. In furtherance of that mission, we welcome and consider applications from all qualified candidates, regardless of their protected characteristics. If you have a disability or special need that requires accommodation, please complete the corresponding section in the application form.