Director Data Risk & Protection
Job in Princeton, Mercer County, New Jersey, 08543, USA
Listed on 2026-06-18
Listing for: Bristol-Myers Squibb
Full Time position
Job specializations:
- IT/Tech
  Cybersecurity, Data Security, Information Security
Job Description & How to Apply Below
Key Responsibilities
- Define and lead BMS’s enterprise Data Risk and Protection strategy, aligned to the company's risk appetite, regulatory requirements, and broader cybersecurity strategy.
- Design and implement the Data Risk and Protection operating model & engagement, including team structure, roles and responsibilities, process workflows, tooling stack, and an integrated engagement model with Cybersecurity Fusion Center, Legal, HR, Compliance, Audit, and key Business Units.
- Establish, maintain, and continuously evolve a comprehensive Data Risk & Protection program, encompassing policy governance, use‑case development, monitoring, detection, response, and remediation.
- Develop and execute a multi‑year capability roadmap with clear priorities, milestones, measurable KPIs, and outcome‑based risk reduction metrics.
- Lead the scaling and maturation of the Data Risk & Protection function, building specialist capabilities and fostering a high‑performing team.
- Provide regular program status reporting and risk posture updates to senior leadership and governance bodies.
- Establish and operationalize insider threat monitoring and behavioral analytics capabilities.
- Define and maintain insider threat personas, use cases, and detection scenarios (e.g., intellectual property theft, clinical trial data exfiltration, fraud, sabotage, negligent data leakage, Generative AI misuse).
- Collaborate with technical teams to design, operate, and continuously refine monitoring and analytics capabilities, including UEBA, DLP, CASB, endpoint and identity telemetry, cloud security monitoring, and privileged access monitoring.
- Oversee the end‑to‑end insider risk case lifecycle from alert generation through triage, investigation, response, closure, and lessons learned.
- Ensure timely and proportionate incident responses, applying a risk‑based methodology that distinguishes between malicious, negligent, and compromised actors.
- Assess and mitigate data risks associated with Generative AI and emerging technologies.
- Lead the strategy, design, and operational management of BMS’s enterprise DLP program across endpoints, email, cloud, and collaboration platforms.
- Define and govern data classification policies and standards, ensuring sensitive BMS data is appropriately labelled, handled, and protected.
- Drive continuous tuning, optimization, and lifecycle management of DLP rules, policies, and controls.
- Partner with IT Security Architecture and Engineering teams to embed data protection controls into infrastructure, application development, and cloud adoption workflows.
- Establish metrics and dashboards to track DLP program effectiveness.
- Develop, review, and maintain data risk and protection policies, standards, and guidelines.
- Establish clear escalation paths, decision rights, and documentation standards for data‑related incidents and insider risk cases.
- Lead or support internal assurance and audit activities on data risk and protection as directed.
- Build strong relationships with stakeholders across BMS and design targeted awareness, education, and training.
- Foster a culture of trust, accountability, and security‑conscious behavior.
- Education: Bachelor’s degree required in Computer Science, Information Systems, Cybersecurity, Risk Management, Law, Business Administration, or related discipline. Master’s preferred.
- Certifications: CISSP, CISM, CISA, CRISC, CDPSE, CFE or equivalent risk/investigation credentials preferred.
- Experience & Skills: 10+ years in cybersecurity, data risk management, insider risk, or related disciplines; experience designing and leading complex, enterprise‑scale security or risk programs.
- Technical fluency in SIEM, UEBA, DLP, EDR/XDR, CASB, IAM, PAM, cloud security platforms (Microsoft 365, Azure, AWS).
- Familiarity with legal, privacy, employment, and ethical considerations; proven ability to lead a multidisciplinary, high‑performing organization.
- Excellent communication, influencing, and stakeholder management skills.
- Ability to balance security, privacy and operational considerations in a risk‑based manner.
- Health Coverage: Medical, pharmacy, dental, and vision care.
- Wellbeing Support: BMS Well‑Being Account, BMS Living Life Better, Employee Assistance Programs.
- Financial Well‑being and Protection: 401(k) plan, disability, life insurance, supplemental health, travel protection, identity theft benefit, legal support.
- Work‑life benefits: Paid Time Off, flexible time off, national holidays, vacation, sick time, volunteer days, summer hours flexibility, leaves of absence, global shutdown.
We are an equal opportunity employer. All qualified applicants will receive consideration for employment. For the full EEO statement, visit