Why choose AstraZeneca Spain?
AstraZeneca Spain is a rising force in our global business. With headquarters in Madrid and our global hub in Barcelona, we’ve become an important international centre of excellence in the fight against critical disease. Boasting vibrant universities and business schools, the Barcelona ecosystem is a place where scientists can thrive. We attract a diverse workforce from across the globe, shining a beacon for innovation in a country that’s committed to clinical development.
We invite you to bring your talents to Barcelona where our respiratory medicine R&D and Global Marketing centre offers opportunities in R&D, IT, Commercial and HR. Or join us in Madrid and shape our growth in our BUs (Respiratory, Oncology & CVRM), and a range of Corporate functions. Additionally, you can find sales roles throughout the country. Together, we’re contributing to a world-leading pipeline of therapeutics and delivering life-changing medicines to patients.
Who do we look for?
Calling all tech innovators, ownership takers, challenge seekers and proactive collaborators. At AstraZeneca Spain, breakthroughs born in the lab become transformative medicine for the world's most complex diseases. Alongside technical expertise, colleagues have the resilience, energy and collaborative mindset to change lanes, work with different teams and start projects from scratch.
Here, diverse minds and bold disruptors can meaningfully impact the future of healthcare using cutting-edge technology. Whether you join us in Madrid or Barcelona, you can make a tangible impact within a global biopharmaceutical company that invests in your future. Join a talented global team that's powering AstraZeneca to better serve patients every day.
Success Profile
Ready to make an impact in your career? If you're passionate, growth-orientated and a true team player, we'll help you succeed. Here are some of the skills and capabilities we look for.
Diverse collaborators
This is a speak-up culture that values collaboration. You’ll proactively bring your unique perspectives, experiences and skills to the table and seek the same from others. With our international team composition and the need for fast-paced collaboration, you’ll always be building new connections with colleagues.
Cutting-edge innovators
When you join us, you’ll be part of a team that embraces digital technology and data to transform the way we work and the work we do. Every day, you’ll help make history, empowered to ignite your creativity and build something enduring.
Resilient trailblazers
Here, the answers aren’t always available. So, you’ll need to bring a fearless, self-starter mindset to navigate uncharted territories. You’ll harness your ceaseless energy to discover and make the necessary connections with colleagues to shape the future and achieve maximum impact.
Agile movers
Seize ownership and excel with autonomy to enjoy the constant rush of ground-breaking discovery. Your ability to anticipate sudden shifts and adapt swiftly will prove critical as you make your mark in an environment that rewards initiative and resilience.
Responsibilities
BISO – Rare Disease Unit (RDU)
Summary
Serve as the primary strategic cybersecurity partner to the Rare Disease Unit (RDU) IT organization and associated business areas, representing the CISO by leading cybersecurity engagement, alignment, and delivery of cybersecurity risk and resilience outcomes across AstraZeneca’s rare disease research, clinical development, regulatory, and commercial activities. This customer-facing role will be closely coupled with the RDU IT leadership team and operate as a dotted-line function to the RDU IT VP, supporting the science, technology, and data capabilities that underpin discovery research, translational science, clinical trials, and patient-centered therapy development for rare diseases.
The role provides strategic guidance on cybersecurity risks, priorities, and long-term security posture across the rare disease therapeutic lifecycle and associated technology estate, including research and laboratory informatics, clinical trial systems, electronic data capture, clinical data management, regulatory submission platforms, scientific computing environments, bioinformatics and genomics platforms, real-world data assets, and patient registries. A central focus is enabling RDU to adopt and scale secure-by-design, secure-by-default, and policy-aligned scientific and operational practices while maintaining research velocity, data integrity, system validation, patient safety, and compliance with AstraZeneca’s Security Policy Framework and applicable regulatory obligations (including GxP, GMP, GLP, GCP, 21 CFR Part 11, HIPAA, and GDPR).
This leader will direct a dedicated team with functional areas including cybersecurity posture reporting and data analysis, risk management and remediation, and security consulting—specifically tailored to the rare disease research, clinical, and commercial functions described. The role will help shape secure scientific and clinical technology patterns, strengthen cyber governance for research, clinical, and regulatory technology decisions, and drive adoption of enterprise security services and controls across the rare disease portfolio.
Job Description
The Rare Disease Unit Cybersecurity Business Information Security Officer (BISO) will lead a team of senior security specialists and analysts in a business-facing organization. The focus of this team will be embedding risk awareness, risk reduction, and resilience improvement initiatives into the RDU research, clinical, regulatory, and commercial teams while preserving the research agility and patient focus that define the rare disease mission.
This leader and team will be measured by metrics that indicate RDU progress toward risk ownership and accountability, specifically via data showing reduced risk and improved resilience to cyberattacks. The position is a dedicated cybersecurity resource assigned to the RDU IT leadership team and aligns the global Security Policy Framework to RDU business functions.
Working directly for the Global Head of Cybersecurity Business Operations, the role is responsible for overseeing the internal information security needs of RDU business functions and providing leadership and support for cyber risk management, policy development, regulatory and validated-systems compliance, third-party assurance, data privacy, and cybersecurity operations as they relate to discovery research, translational science, clinical operations, clinical data management, regulatory affairs, lab informatics, bioinformatics, real-world evidence, and patient-facing digital capabilities.
Typical Accountabilities
Strategic partnership and governance: Act as the primary strategic partner and security consultant to RDU IT and business leadership, driving alignment between rare disease research and commercial priorities, regulatory expectations, and the enterprise cybersecurity strategy. Chair or participate in relevant governance forums, ensuring risk-based decision-making, clear accountability, and visibility of cybersecurity outcomes across research, clinical, regulatory, and commercial portfolios.
Regulatory compliance and validated systems: Provide cybersecurity leadership across regulated environments, ensuring that security controls, change management, and operational practices align with GxP, GMP, GLP, GCP, 21 CFR Part 11, and other applicable regulatory expectations (FDA, EMA, MHRA, PMDA). Partner with Quality, Validation, and Regulatory Affairs to integrate cybersecurity considerations into computer system validation, periodic review, and audit-readiness activities for systems supporting rare disease research, clinical development, and submissions.
Clinical trial and research data security: Guide the security of clinical trial and research data across its lifecycle, including electronic data capture (EDC), clinical trial management systems (CTMS), electronic trial master file (eTMF), randomization and trial supply management, central laboratory data flows, and clinical data management platforms. Ensure protection of patient-identifiable information, study integrity, and trial data provenance from collection through regulatory submission and archival.
Lab informatics and scientific computing security: Provide cybersecurity guidance for laboratory and scientific computing environments, including laboratory information management systems (LIMS), electronic lab notebooks (ELN), instrument connectivity, scientific data lakes, bioinformatics and genomics pipelines, and high-performance computing platforms supporting discovery and translational research. Drive secure configuration, segmentation, identity governance, and data protection across these specialized environments.
Patient data privacy and protection: Champion the protection of patient and subject data across rare disease research, clinical trials, patient registries, real-world data assets, and patient support programs. Partner with the Data Privacy Office and Legal to ensure controls align with HIPAA, GDPR, and other global privacy regimes; embed privacy-by-design principles into new initiatives; and govern pseudonymization, de-identification, and re-identification risk for sensitive datasets, including small-population rare disease cohorts.
Third-party and external collaboration security: Lead a practical approach to third-party cybersecurity risk for the RDU’s extensive ecosystem of Contract Research Organizations (CROs), academic and consortium partners, biotech alliances, technology vendors, central laboratories, and managed service providers. Govern vendor security assessments, contractual controls, ongoing assurance, and secure data exchange patterns that enable scientific collaboration without compromising data confidentiality, integrity, or regulatory standing.
Risk management and assurance: Carry out cyber risk assessments and make recommendations to RDU leadership on cybersecurity best practices, control improvements, and appropriate technology solutions. Support security assessments, threat modeling, and design reviews for research platforms, clinical systems, and reusable scientific capabilities. Partner with control owners to ensure security requirements are built into engineering standards, validated-system baselines, and clinical and research operational workflows.
Application and infrastructure security: Maintain awareness of RDU application portfolios, CI/CD processes, and infrastructure environments to ensure alignment with application security, secure development, and infrastructure hardening standards. Provide guidance on identity and access governance, API security, data interface protection, and secure configuration across cloud, on-premises, and hybrid environments supporting research and clinical operations.
Vulnerability management and continuous improvement: Facilitate vulnerability management, audit and penetration test finding remediation, and implementation of cybersecurity control maturity improvements across the RDU technology estate. Deliver RDU leadership actionable information regarding identity, service account, application, API, data, IT infrastructure, and user device vulnerability management priorities. Identify and lead improvements in cyber processes, engagement models, and operational effectiveness; establish KPIs, OKRs, and feedback loops to measure and optimize outcomes.
Risk reporting and metrics: Create an RDU-focused risk dashboard and cybersecurity metrics that translate complex security data into clear, actionable insight for research, clinical, regulatory, and commercial leaders. Coordinate risk profile development and distribution to RDU stakeholder audiences, and use data to drive risk-reduction outcomes and informed prioritization.
Incident preparedness and response: Partner with enterprise security operations, infrastructure teams, clinical operations, and research leaders to enhance readiness, playbooks, and crisis alignment for incidents that could affect rare disease research, clinical trials, patient data, or regulatory commitments. Support cybersecurity assessments and penetration tests, and contribute to post-incident reviews and business-centric improvements.
Threat awareness: Maintain significant knowledge of threats relevant to pharmaceutical R&D, clinical research, and patient-facing capabilities, including intellectual property theft, clinical trial disruption, ransomware, supply chain compromise, and targeting of high-value research data. Routinely share insights and practical implications with stakeholders.
Stakeholder management: Build trusted relationships with senior leaders across RDU IT, Research, Clinical Development, Regulatory Affairs, Quality, Commercial, and Patient Advocacy functions, and represent RDU cybersecurity needs within the broader Cybersecurity and IT communities.
Culture, awareness, and communications: Leverage the cyber culture and awareness team to champion a strong cybersecurity culture tailored to RDU audiences, including researchers, clinicians, data scientists, and external collaborators. Help mature the AstraZeneca cybersecurity awareness and education program and ensure appropriate training for all employees and contractors operating within the rare disease unit.
Innovation and emerging technology: Guide secure adoption of modern scientific and clinical technologies, including AI and machine learning in drug discovery, real-world evidence platforms, decentralized and digitally enabled clinical trials, patient-facing digital therapeutics and engagement tools, advanced analytics on genomics and multi-omics data, and next-generation collaboration platforms for cross-institutional research.
Lead and coach a high-performing team: Coach for high performance, creating a supportive environment where everyone can fulfil their potential, with clear goals tied to measurable risk reduction, scientific and clinical enablement, regulatory compliance, and security outcomes. Actively participate as a member of the Cybersecurity Business Operations leadership team.
Essential Skills & Experience Required
Information security leadership: 10+ years of experience in information security positions, with 5+ years’ experience overseeing an information security function and influencing senior business and IT stakeholders.
Pharmaceutical R&D and clinical research familiarity: Strong familiarity with pharmaceutical research and development, including a firm grasp of typical R&D IT infrastructure, applications, and data environments, and an understanding of the clinical development lifecycle from discovery research through regulatory submission and post-marketing activities.
Regulated systems and validation expertise: Experience with validated, regulated environments and implementing change controls for GxP, GMP, GLP, GCP, 21 CFR Part 11, and equivalent expectations. Understanding of the interplay between cybersecurity, computer system validation, data integrity, and audit-readiness across research, clinical, and manufacturing-adjacent systems.
Frameworks and control implementation: Experience implementing and operationalizing controls defined by NIST CSF, ISO 27001/27002, IEC, and related cybersecurity control frameworks, and applying them pragmatically to research, clinical, regulatory, and commercial technology ecosystems.
Data privacy and protection: Familiarity with global perspectives on privacy and data protection issues and trends, including HIPAA, GDPR, and other regional regulations applicable to patient, subject, and employee data. Understanding of the unique privacy considerations associated with small-population rare disease cohorts and the increased re-identification risk they present.
Vulnerability and security testing management: Experience managing vulnerability management activities and implementing recurring hygiene efforts across applications, APIs, code repositories, cloud infrastructure, networks, and endpoints; familiarity with penetration testing, application security testing, and risk-based remediation approaches.
Risk dashboarding and data analysis: Familiarity with risk dashboarding, data analysis, and leveraging actionable data to achieve risk reduction outcomes, including the ability to translate complex security telemetry into clear business and scientific insight.
Threat intelligence and awareness: Significant knowledge of cybersecurity threat vectors and attack methodologies relevant to pharmaceutical research and clinical operations, including intellectual property targeting, clinical trial disruption, ransomware, and supply chain threats.
Application and infrastructure security: Understanding of information security technologies, networking and network topology, application and data interfaces, CI/CD best practices, identity and access management, and secure configuration across hybrid and cloud environments.
Incident response collaboration: Understanding of global security operations and incident response processes, including scenarios such as research data exfiltration, clinical system disruption, patient data exposure, ransomware, account compromise, and third-party breach affecting trial or research operations.
Stakeholder communication: Strong written and verbal communication skills, with proven ability to present complex technical information to both technical and non-technical audiences, including research leadership, clinical operations leaders, regulatory affairs partners, quality leaders, and governance bodies.
Execution under pressure: Proven ability to manage competing priorities and work under pressure, operating against time constraints tied to clinical trial milestones, regulatory submissions, and research delivery commitments, and driving outcomes through influence across matrixed teams.
Cross-functional collaboration: Experience working collaboratively across IT, scientific, clinical, regulatory, quality, legal, and commercial disciplines, and the ability to integrate cybersecurity considerations into multi-disciplinary decision-making.
Problem solving and autonomy: Excellent problem-solving and troubleshooting skills, with proven autonomous working style, clear direction-setting, and the ability to establish and pursue meaningful goals in ambiguous environments.
Desirable Skills & Experience
Rare disease and orphan drug experience: Prior experience supporting a rare disease, orphan drug, cell and gene therapy, or specialty therapeutics organization, with awareness of the unique scientific, clinical, regulatory, and patient-community dynamics those programs entail.
Clinical trial systems experience: Hands-on familiarity with the security of clinical trial technology, including EDC, CTMS, eTMF, IRT/RTSM, ePRO/eCOA, and decentralized clinical trial platforms, and an understanding of how these systems interconnect across sponsors, CROs, sites, and central laboratories.
Lab informatics and bioinformatics security: Experience securing laboratory informatics platforms (LIMS, ELN, SDMS), instrument networks, bioinformatics and genomics pipelines, and scientific high-performance computing environments, including secure handling of multi-omics and other sensitive research datasets.
Third-party and supply chain risk management: Experience leading or contributing to third-party cybersecurity risk assessments and vendor security governance programs in a pharmaceutical or life sciences context, particularly for CROs, central laboratories, technology partners, and academic collaborators.
Cloud-native security tooling and automation: Practical experience with cloud-native security tools such as cloud security posture management (CSPM), cloud workload protection platforms (CWPP), cloud infrastructure entitlement management (CIEM), and container security solutions across major cloud providers (AWS, Azure, GCP) used in research and clinical computing.
Digital identity and access governance: Working knowledge of enterprise identity governance, including identity lifecycle management, role-based and attribute-based access control, federation, single sign-on, conditional access policies, privileged identity management, and identity threat detection across hybrid environments shared with external research partners.
Security metrics, reporting, and executive communication: Demonstrated ability to develop and present meaningful cybersecurity metrics, risk dashboards, and executive-level reporting that drives informed decision-making and demonstrates return on security investment to business, scientific, and technology leadership.
Certifications: Relevant industry certifications are valued, such as CISSP, CISM, CISA, CRISC, HCISPP, CCSP, CSSLP, ISO 27001 Lead Implementer/Auditor, or equivalent professional qualifications demonstrating breadth across security leadership, risk management, healthcare information privacy, and cloud security disciplines.
Business continuity and disaster recovery: Experience contributing to or overseeing business continuity planning and disaster recovery strategies for critical research, clinical, and regulatory systems, including tabletop exercises, recovery testing, and resilience architecture for environments that directly affect patient safety and trial continuity.
Date Posted
26-Jun-2026
Closing Date
09-Jul-2026
AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.
Reasons to Join
Thomas Mathisen
There are many things I enjoy when working at AstraZeneca, mainly the Speak up culture, the great colleagues that are in my teams, the great products that AstraZeneca provides to our patients and the challenging conversations I have around our medicines.
Christine Recchio
Working at AstraZeneca has impacted my life in such a positive way. I now have an improved work-life balance through creating my own schedule and time management; I feel a balance that I didn’t have before.
Stephanie Ling
There are a lot of reasons why I enjoy working in AstraZeneca, my colleagues being one of them. My team members and the managers have provided a great deal of guidance in helping me to be more confident in my daily work.
What we offer
We're driven by our shared values of serving people, society and the planet. Our people make this possible, which is why we prioritise diversity, inclusivity, balance and sustainability. Discover what a career at AstraZeneca could mean for you.
An award-winning company
We're passionate about being a great place to work, and 84% of our employees would recommend us as an employer. We've been recognised as a Top Employer in Spain, an EFR Family Responsible Business, and we achieved third place in Forbes Spain's Top 50 Best Places to Work list.
Inclusive environment
Diversity and inclusion are embedded in everything we do, and our different views, experiences and strengths enrich our culture. There's no salary gap at AstraZeneca, and the number of female employees has increased by four per cent over the last three years. We've also made all positions fully accessible.
Work-life balance
Your wellbeing means a lot to us, and we're here to support you through all of life's ups and downs. That's why we offer an unpaid leave policy, annual leave, reduced-hours timetables and a host of benefits, including a retirement plan, long service award, and health and travel insurance.
Sustainability initiatives
We're committed to harnessing the power of science to become a more sustainable business. We've reduced our carbon footprint by over 9,000 kg of CO2 over the last two years, and we lead the European GoGreen Project, which aims to introduce environmentally friendly options in our fleet of corporate vehicles.