
Cybersecurity GRC Lead

Job in Burlington, Middlesex County, Massachusetts, 01805, USA
Listing for: Glaukos Corporation
Full Time position
Listed on 2026-05-21
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security
Salary/Wage Range or Industry Benchmark: 80000 - 100000 USD Yearly

What You’ll Do

The Cybersecurity GRC Lead - Medical Devices (Continuous Control Monitoring Lead) is responsible for overseeing and coordinating cybersecurity governance, risk, and compliance (GRC) activities supporting medical devices produced and supported internationally. This role ensures that cybersecurity "run‑the‑business" controls and evidence-producing activities -- such as access reviews, vulnerability scanning cadence, patch tracking, SBOM governance, and audit readiness -- are properly planned, executed by the appropriate teams, and documented.

This is a coordination, governance, and assurance role rather than a hands‑on technical execution role. The position partners closely with Engineering/R&D, Quality, Regulatory Affairs, IT, and Information Security to maintain compliance with applicable standards and regulatory guidance and to ensure customer and regulatory cybersecurity requirements are tracked through completion.

Governance & Program Oversight
  • Own and maintain the medical device cybersecurity GRC plan, calendar, and control schedule (monthly, quarterly, and annual activities).
  • Ensure cybersecurity roles, responsibilities, RACIs, and escalation paths are defined and functioning across IT, Engineering, and Quality teams.
  • Maintain governance documentation, including policies, procedures, standards, control narratives, and work instructions related to medical device cybersecurity.
  • Provide regular program status reporting (KPIs/KRIs, control execution status, risk posture, overdue actions) to the CISO and other stakeholders.
Risk Management & Requirements Tracking
  • Track cybersecurity requirements from customers, internal stakeholders, and applicable standards and guidance (e.g., FDA expectations, IEC 62304/62443 concepts, NIST‑aligned controls) through implementation and evidence completion.
  • Coordinate cybersecurity risk assessments and ensure resulting remediation actions are assigned, tracked, and closed by accountable owners (Engineering, IT, suppliers, etc.).
  • Maintain the cybersecurity risk register for medical device‑related risks impacting products, manufacturing/operations, and supporting systems.
Cross‑Functional Coordination & Audit / Inspection Readiness
  • Serve as the central coordination point between Sales, Engineering, Quality, Regulatory Affairs, IT, and Information Security for cybersecurity compliance deliverables.
  • Coordinate with Quality and Regulatory Affairs to ensure pre‑sale cybersecurity responses meet regulatory and compliance expectations.
  • Escalate and track gaps or risks identified during the pre‑sale process to appropriate internal stakeholders.
  • Support Quality and Regulatory teams with audit and inspection readiness by ensuring cybersecurity artifacts are current, approved, and readily retrievable (e.g., threat models, vulnerability management evidence, access review records).
  • Drive continuous improvement of GRC processes, including templates, checklists, evidence repositories, and dashboards.
Control Assurance
  • Ensure execution and evidence capture for recurring cybersecurity controls, including:
      ◦ Monthly and quarterly user and privileged access reviews for applications, cloud portals, and applicable manufacturing‑support systems.
      ◦ Vulnerability scanning governance, confirming scans occur on schedule, findings are triaged, and remediation plans are tracked to closure.
      ◦ Patch and vulnerability remediation tracking, including SLA monitoring, exception handling, compensating controls, and escalation of overdue items.
      ◦ Backup, restore, and security monitoring attestations for device‑supporting environments, where applicable.
      ◦ Supplier and third‑party security evidence coordination related to device development or connectivity.
  • Govern SBOM accuracy and update cadence by coordinating inputs from Engineering and suppliers and ensuring evidence is maintained for audits and customer requests.
  • Coordinate vulnerability intake, triage governance, and coordinated vulnerability disclosure (CVD) processes.
  • Lead and coordinate responses to customer cybersecurity questionnaires, risk assessments, and security audits by gathering SME input and ensuring consistent, compliant responses.
How You’ll…