Program Lead, Third Party Risk and Resilience Management

Position Overview

Program Lead for Third Party Risk and Resilience Management establishes and maintains a robust governance framework for all Offshore Development Centers (ODCs). This leader ensures ODCs function as strategic extensions of Roche’s R&D engine while maintaining zero major IT compliance breaches and guides vendors during ODC setup to ensure full compliance with Roche Security standards.

• Determine ODC necessity based on country risk and data sensitivity.
• Initiate new ODC setups and coordinate vendor office space establishment.
• Guide vendors on Roche Security standards and conduct Security Risk Assessment (SRA) and Data Classification Review (DCR) for all services and applications.
• Identify services unsuitable for external partners and escrow remediation to product/service owners or DSM.
• Create, review, and maintain ODC Manuals, Impact Assessments, and Security Control Tables.
• Periodically update impact assessment documents and remove retired services.
• Ensure compliance with GDPR, CCPA, and Roche security protocols.
• Own role‑specific training curricula; verify mandatory security and role‑specific training before system access, and track completion via the Roche Training Solution system.
• Approve all ODC changes including staff assignments, project onboarding, and service modifications.
• Manage Service Now requests for infrastructure such as NAS storage, VDI creation/updates, and application packaging.
• Maintain vendor security/privacy capabilities throughout the ODC lifecycle and conduct periodic audits prior to service commencement.
• Conduct assessments for major changes (e.g., new projects with higher security needs) and remediate audit findings with vendors.
• Propagate mandatory notifications (e.g., GSP) into processes for all new vendor collaborations.
• Collaborate with Network, Perimeter, and Citrix teams on connectivity, URL whitelisting, and access controls.
• Lead ODC Security Incident Management, including timely identification, mandatory escalation, and resolution.
• Maintain incident, change, and problem management processes across all ODC operations.
• Participate in security audits and close all identified gaps promptly.
• Document audit findings, track remediation, and ensure Business Continuity Plans and disaster recovery readiness.
• Coordinate vendor selection, onboarding, performance monitoring, and decommissioning of strategic offshore partners.
• Manage ODC user onboarding, offboarding, travel requests, and work‑from‑home approvals.
• Oversee ODC decommissioning with proper data handling, access revocation, and infrastructure cleanup.
• Engage in technical discussions on Citrix, network infrastructure, security, risk, and governance with relevant teams.
• Translate complex technical requirements, articulate constraints, and propose viable alternatives.
• Address ad‑hoc requests and ODC challenges with quality and compliance focus.

• Bachelor’s or advanced degree in a technical or business discipline (e.g., Computer Science, Information Security). 8+ years in IT/R&D environments.
• 5+ years managing large‑scale ODCs or captive centres.
• Experience with Roche or a similarly regulated industry and its IT Security standards and compliance frameworks.
• Strong compliance knowledge of GDPR, CCPA, data privacy, GxP, and ISO 27001 audit requirements.
• Experience in risk assessment methodologies and vendor security evaluation.
• Background in connectivity / network infrastructure: IT networks, cabling, switches, routers, WAN, firewalls.
• Experience with virtual environments: VDI, Citrix, and application virtualization.
• IT operations knowledge: thin/thick clients, servers, technical documentation, Service Now, and IT Service Management tools.
• Familiarity with cloud infrastructure (AWS, Azure), Dev Ops, and enterprise security frameworks.
• Experience with ISMS & ITSM implementation and best practices.
• Incident management and problem resolution experience.
• Deep understanding of Software Development Life Cycle (SDLC) and R&D workflows.
• Knowledge of outsourcing engagement models and service delivery operations in the pharmaceutical industry or a similarly regulated sector.
• Preferred:
  Professional security or risk management credentials such as CISSP, CISM, CRISC, or equivalent.
• Relocation benefits are not available for this posting.

Expected salary range for Tucson, AZ: $106,400–$197,600, based on experience, qualifications, and location. A discretionary annual bonus may be available. Benefits are detailed at the link provided in the original posting.

Roche is an equal opportunity employer. Our policy prohibits unlawful discrimination, including but not limited to discrimination on the basis of protected veteran status, individuals with disabilities, and consistent with all federal, state, or local laws. If you have a disability and need an accommodation in relation to the application process, contact us by completing the accommodations form.