Cybersecurity GRC Lead

Job Description

What You'll Do:

The Cybersecurity GRC Lead - Medical Devices (Continuous Control Monitoring Lead) is responsible for overseeing and coordinating cybersecurity governance, risk, and compliance (GRC) activities supporting medical devices produced and supported internationally. This role ensures that cybersecurity "run-the-business" controls and evidence-producing activities-such as access reviews, vulnerability scanning cadence, patch tracking, SBOM governance, and audit readiness-are properly planned, executed by the appropriate teams, and documented.

This is a coordination, governance, and assurance role rather than a hands-on technical execution role. The position partners closely with Engineering/R&D, Quality, Regulatory Affairs, IT, and Information Security to maintain compliance with applicable standards and regulatory guidance and to ensure customer and regulatory cybersecurity requirements are tracked through completion.

Governance & Program Oversight

• Own and maintain the medical device cybersecurity GRC plan, calendar, and control schedule (monthly, quarterly, and annual activities).
• Ensure cybersecurity roles, responsibilities, RACIs, and escalation paths are defined and functioning across IT, Engineering, and Quality teams.
• Maintain governance documentation, including policies, procedures, standards, control narratives, and work instructions related to medical device cybersecurity.
• Provide regular program status reporting (KPIs/KRIs, control execution status, risk posture, overdue actions) to the CISO and other stakeholders.

Risk Management & Requirements Tracking

• Track cybersecurity requirements from customers, internal stakeholders, and applicable standards and guidance (e.g., FDA expectations, IEC 62304/62443 concepts, NIST-aligned controls) through implementation and evidence completion.
• Coordinate cybersecurity risk assessments and ensure resulting remediation actions are assigned, tracked, and closed by accountable owners (Engineering, IT, suppliers, etc.).
• Maintain the cybersecurity risk register for medical device-related risks impacting products, manufacturing/operations, and supporting systems.

Cross-Functional Coordination & Audit / Inspection Readiness

• Serve as the central coordination point between Sales, Engineering, Quality, Regulatory Affairs, IT, and Information Security for cybersecurity compliance deliverables.
• Coordinate with Quality and Regulatory Affairs to ensure pre-sale cybersecurity responses meet regulatory and compliance expectations.
• Escalate and track gaps or risks identified during the pre-sale process to appropriate internal stakeholders.
• Support Quality and Regulatory teams with audit and inspection readiness by ensuring cybersecurity artifacts are current, approved, and readily retrievable (e.g., threat models, vulnerability management evidence, access review records).
• Drive continuous improvement of GRC processes, including templates, checklists, evidence repositories, and dashboards.

Control Assurance

• Ensure execution and evidence capture for recurring cybersecurity controls, including:
• Monthly and quarterly user and privileged access reviews for applications, cloud portals,and applicable manufacturing-support systems.
• Vulnerability scanning governance, confirming scans occur on schedule, findings are triaged, and remediation plans are tracked to closure (execution performed by IT, Security Operations, or Engineering).
• Patch and vulnerability remediation tracking, including SLA monitoring, exception handling, compensating controls, and escalation of overdue items.
• Backup, restore, and security monitoring attestations for device-supporting environments, where applicable.
• Supplier and third-party security evidence coordination related to device development or connectivity.
• SBOM, Vulnerability Disclosure & Customer Assurance
• Govern SBOM accuracy and update cadence by coordinating inputs from Engineering and suppliers and ensuring evidence is maintained for audits and customer requests.
• Coordinate vulnerability intake, triage governance, and coordinated vulnerability disclosure (CVD) processes (with execution performed by product security and engineering teams).
• Lead and coordinate responses to customer cybersecurity questionnaires, risk assessments, and security audits by gathering SME input and ensuring consistent, compliant responses.

How You'll Get There:

• 5+ years of experience in cybersecurity, governance, risk management, or regulated technology environments, with strong exposure to medical devices, healthcare technology, life sciences, or similarly regulated products.
• Recognized as a seasoned subject-matter expert in medical device cybersecurity governance, independently owning and driving GRC programs, continuous control monitoring, audit readiness, and customer assurance activities.
• Demonstrated ability to analyze and resolve complex, multi-factor cybersecurity and regulatory issues, applying sound judgment with minimal day-to-day guidance.
• Proven success influencing cross-functional and senior stakeholders (Engineering, Quality, Regulatory, IT, Security, Commercial) to achieve compliant, auditable outcomes without direct authority.
• Extensive experience supporting regulatory inspections, internal and customer audits, and pre-sale cybersecurity assessments, serving as a credible internal and external representative.
• Track record of managing multiple concurrent initiatives, driving program maturity, and delivering sustained results through scalable processes, metrics, and documentation.
• Bachelor's degree in Engineering, Computer Science, Cybersecurity, Biomedical Engineering, or a related field.

#GKOSUS

About Us

Generous. Innovative. Leadership-driven. Family-oriented. Socially responsible.

Founded in 1998, Glaukos Corporation is an ophthalmic pharmaceutical and medical technology company focused on developing and commercializing novel therapies for the treatment of glaucoma, corneal disorders, and retinal diseases.

Our mission at Glaukos is to truly transform vision by pioneering novel, dropless therapies that can meaningfully advance the standard of care and improve the lives of patients suffering from chronic, sight-threatening eye diseases.


Innovation is at the core of everything we do, and we are resolute in our commitment to challenge conventional thinking with new treatment alternatives that are supported by real science, robust clinical evidence, and an unrelenting focus on patients.


Our constant pursuit of game-changing technologies that disrupt legacy treatment paradigms is encapsulated in the Glaukos mantra "We'll Go First," which articulates our willingness to take chances, our determination to forge new ground, and our commitment to continuous improvement in all that we do.


Our company completed an initial public offering in June of 2015, and our shares are traded on the New York Stock Exchange under the ticker symbol "GKOS". Our global headquarters is in Aliso Viejo, California with additional locations in San Clemente, California, and Burlington, Massachusetts.

Glaukos Corporation is an Equal Opportunity/Affirmative Action Employer . All qualified applicants will receive consideration for employment without regard to race, color, religion, sex including sexual orientation and gender identity, national origin, disability, protected Veteran Status, or any other characteristic protected by applicable federal, state, or local law.


All offers of employment are contingent upon the successful completion of a background check, including successfully passing a drug screen, based on the position and local regulations.