Cybersecurity Risk Analyst - Evinova
Job Title: Cyber Security Specialist – Evinova
Location: Gaithersburg, MD
At AstraZeneca, we pride ourselves on crafting a collaborative culture that champions knowledge-sharing, ambitious thinking and innovation – ultimately providing employees with the opportunity to work across teams, functions and even the globe.
Recognizing the importance of individualized flexibility, our ways of working allow employees to balance personal and work commitments while ensuring we continue to create a strong culture of collaboration and teamwork by engaging face-to-face in our offices 3 days a week. Our head office is purposely designed with collaboration in mind, providing space where teams can come together to strategize, brainstorm and connect on key projects.
Are you ready to be part of the future of healthcare? Can you think big, be bold, and harness the power of digital and AI to tackle longstanding life sciences challenges? Then Evinova, a global health tech business, might be for you!
Transform patients’ lives through technology, data, and innovative ways of working. You’re disruptive, decisive, and transformative. Someone excited to use technology to improve patients’ health. We’re building a new Health-tech business – Evinova, a fully-owned subsidiary of AstraZeneca Group.
Evinova delivers market-leading digital health solutions that are science-based, evidence-led, and human experience-driven. Thoughtful risks and quick decisions come together to accelerate innovation across the life sciences sector. Be part of a diverse team that pushes the boundaries of science by digitally empowering a deeper understanding of the patients we’re helping. Launch pioneering digital solutions that improve the patients’ experience and deliver better health outcomes. Together, we have the opportunity to combine deep scientific expertise with digital and artificial intelligence to serve the wider healthcare community and create new standards across the sector.
Introduction to Role:
The Cybersecurity Risk Analyst role at Evinova is a unique opportunity to join a global team as we advance our strategic and technical risk management programs. This role operates at the intersection of Cybersecurity Governance, Risk, and Compliance (GRC) and Cloud Security – specifically performing structured risk assessments, external audit response, supporting compliance objectives, and identifying control gaps across a dynamic and globally scaled cloud-native environment.
Success in this role requires performing with precision, a risk-informed approach, hands-on familiarity with cloud security concepts, and assessing controls alignment with relevant frameworks and compliance requirements (e.g., NIST CSF 2.0, ISO 27001, SOC2, CIS Controls, China MLPS, EU GDPR, HIPAA / HITRUST, etc.).
This role will be expected to collaborate multi-functionally across cyber domains, engineering squads, and business partners. The ideal candidate excels at distilling cybersecurity concepts into clear and concise advisory, tailored for non-technical audiences, and ultimately contributing to an increased cyber literacy across Evinova. As a direct report to the Evinova Head of Cybersecurity, this role also provides focused professional development through continuous leadership visibility and exposure to strategic program maturation initiatives.
Accountabilities:
Cybersecurity Program Management Support:
- Participate in continuous improvement initiatives to enhance Evinova’s cyber risk management methodology, tooling decisions, and workflows
- Collaborate across all cybersecurity and enterprise IT teams to develop periodic risk metrics and dashboards to enable data-driven decision making and risk prioritization
- Advise the Head of Cybersecurity by identifying new areas of focus and emerging risks that should be considered as part of our annual cyber strategy development and roadmap planning
- Support internal reporting to Engineering Leadership and Business Operations by developing PowerPoint slides and other forms of visual analysis
Information Security Risk Management (Cyber GRC Operations):
- Support the Cybersecurity Governance, Risk, and Compliance (GRC) Leader with maintaining our Information Security Management System (ISMS) through policy / standards development, controls baseline maintenance, and crosswalk mappings
- Perform cyber risk assessments over our cloud infrastructure, corporate applications, customer products, and third-party services using structured methodologies aligned to NIST CSF, ISO 27001, and internal methodologies
- Contribute to risk and compliance focused gap assessments to ensure continued compliance with relevant standards and regulatory requirements (e.g., SOC2, ISO 27001, China MLPS, Local Data Privacy Laws)
- Partner with control owners to evaluate and monitor the effectiveness of technical and administrative controls
- Analyze audit findings and other sources of confirmed control weaknesses (e.g., incident trends, vulnerability scans, penetration testing) to identify root causes and develop lasting remediation measures
- Maintain and enhance our Cybersecurity Risk Register by documenting newly identified risks, timely updates to risk treatment plans / remediation efforts, and following up on approved risk exceptions
- Collaborate with the Cyber GRC Leader on developing and delivering training on cybersecurity fundamentals / best practices and emerging threat advisories
- Integrate “Compliance-as-Code” practices to automate compliance checks and ensure alignment with all relevant regulatory requirements
- Implement continuous compliance strategies to maintain alignment to SOC2 and ISO 27001 standards, reducing the risk of non-compliance and timely detection of compliance drift
Platform Security Risk Management (Cloud Security):
- Support the Cloud Security Architecture Leader with evaluating cybersecurity risks related to our AWS Infrastructure, Kubernetes workloads, serverless functions, and Infrastructure-as-Code (IaC) deployments
- Conduct necessary research and information gathering to support the Cloud Security Architecture Leader in determining risk exception responses and advising on mitigation strategies
- Perform cloud security posture risk reviews by utilizing our Cloud Security Posture Management (CSPM) tool, CI/CD pipeline scanners, and other cloud-centric vulnerability detection solutions
- Coordinate vulnerability remediation efforts with the Platform Operations Team to ensure security relevant issues are addressed in a timely manner
- Collaborate with the Platform Engineering teams to provide cybersecurity risk advisory on proposed architectural changes, new platform features / services, and third-party integrations – to ensure alignment with secure design principles and the Evinova Cyber Baseline
- Collaborate with DevOps and engineering teams to embed compliance checks into the CI/CD pipeline, enabling proactive identification and resolution of compliance issues
Audit Response and Evidence Analysis (External Audit Support):
- Collaborate with the Cyber GRC Leader and Head of Cybersecurity to provide timely and accurate responses to external audit and customer inquiries (e.g., SOC2, ISO 27001, Customer Qualifications)
- Perform periodic refreshes of our control evidence (i.e., “proofs”) to ensure continued validity and optimal audit response activities (e.g., collection, organization, and auditor submission)
- Facilitate audit response efforts by tracking auditor requests and coordinating with internal teams for evidence generation and auditor walkthroughs
- Develop and provide periodic audit progress updates (e.g., SOC2, ISO 27001, China MLPS) to Senior Leaders in both Cybersecurity and the broader Evinova Organization
Essential Skills/Experience:
- 3+ years of hands-on experience in Cybersecurity, specifically in the areas of Risk Management and / or Cloud Security
- High School Diploma or GED
- Familiarity with relevant information security frameworks and compliance standards – specifically, NIST CSF, ISO 27001, SOC2, CIS Controls. Experience with China MLPS is a strong plus, but not required
- Basic understanding of Amazon Web Services (AWS) services and core cloud security concepts (e.g., IAM, encryption, networking, serverless, container security)
- Strong written and verbal communication skills, with the ability to eloquently draft risk statements, rationales, and mitigation strategies for both technical and non-technical audiences
- Experience working with risk registers, controls assessments, and compliance tooling
- Hands-on experience with audit readiness, response, and remediation activities
- Knowledge of common Cloud Security and Web Application Security risks (e.g., OWASP Top 10)
- Ability to work independently in a fast-paced environment with a demonstrable ability to manage competing priorities
- Excellent written and verbal communication skills, project management, process improvement, attention to detail, and critical thinking skills are highly preferred
Desired Skills/Qualifications:
- Bachelor's degree in computer science, business administration, or a similar relevant area of study.
- Prior experience providing GRC-related capabilities at a SaaS/cloud service provider, with a focus on cloud security.
- Familiarity with Life Sciences / Clinical Development related regulations and standards is a strong plus.
- Experience in ensuring compliance within a highly regulated, sophisticated global business environment, particularly in the healthcare and/or clinical research industry.
- A global perspective on privacy, security, and data protection issues and trends, with experience in Asia-Pacific data privacy and protection regulations being a strong plus.
- At least one of the following professional certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Cloud Security Professional (CCSP), and / or Certified Information Systems Security Professional (CISSP).
- Foundational certificates from AWS such as AWS Solution Architect and AWS Certified Cloud Practitioner
- Demonstrated initiative and strong customer orientation, with an ability to work effectively across cultures.
Where can I find out more?
- Learn more about Evinova www.evinova.com
- Our Social Media, Follow AstraZeneca on LinkedIn https://www.linkedin.com/company/1603/
- Follow AstraZeneca on Facebook https://www.facebook.com/astrazenecacareers/
- Follow AstraZeneca on Instagram https://www.instagram.com/astrazeneca_careers/?hl=en
- Our US Footprint: Powering Scientific Innovation - YouTube
Why Evinova?
Evinova is a global health tech business, a separate company that is part of the AstraZeneca group. Together, we can accelerate the delivery of life-changing medicines, improve the design and delivery of clinical trials for better patient experiences and outcomes, and think more holistically about patient care before, during, and after treatment. We know that regulators, healthcare professionals, and care teams at clinical trial sites do not want a fragmented approach. They do not want a future where every pharmaceutical company provides its own, different digital solutions. They want solutions that work across the sector, simplify their workload, and benefit patients broadly. By bringing our solutions to the wider life sciences community, we can help build more unified approaches to how we all develop and deploy digital technologies, better serving our teams, physicians, and ultimately patients. Evinova represents a unique opportunity to deliver meaningful outcomes with digital and AI to serve the wider healthcare community and create new standards for the sector. Join us on our journey of building a new kind of health tech business to reset expectations of what a bio-pharmaceutical company can be. This means we’re opening new ways to work, pioneering cutting-edge methods, and bringing unexpected teams together. Interested? Come and join our journey.
Total Rewards:
The annual base pay for this position ranges from $103,898.40 to $155,847.60. Hourly and salaried non-exempt employees will also be paid overtime pay when working qualifying overtime hours. Base pay offered may vary depending on multiple individualized factors, including market location, job-related knowledge, skills, and experience. In addition, our positions offer a short-term incentive bonus opportunity; eligibility to participate in our equity-based long-term incentive program (salaried roles), to receive a retirement contribution (hourly roles), and commission payment eligibility (sales roles). Benefits offered include a qualified retirement program [401(k) plan]; paid vacation and holidays; paid leaves; and health benefits including medical, prescription drug, dental, and vision coverage in accordance with the terms and conditions of the applicable plans. Additional details of participation in these benefit plans will be provided if an employee receives an offer of employment. If hired, the employee will be in an “at-will position” and the Company reserves the right to modify base pay (as well as any other discretionary payment or compensation program) at any time, including for reasons related to individual performance, Company or individual department/team performance, and market factors.
AstraZeneca is an equal opportunity employer that is committed to diversity and inclusion and providing a workplace that is free from discrimination. AstraZeneca is committed to accommodating persons with disabilities. Such accommodation is available on request in respect of all aspects of the recruitment, assessment and selection process and may be requested by emailing AZCHumanResources@astrazeneca.com.
#LI-Hybrid
AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.