Senior Director- Global Cyber Compliance at Eli Lilly

What you'd actually do

Define and own the global cyber compliance program, establishing a clear approach that transitions the function from reactionary audits and inspections toward continuous, risk-responsive, program-aligned assurance.

Set the vision and drive execution for AI, automation and GRC platform capabilities to accelerate compliance delivery, reduce manual overhead, and improve compliance outcomes.

Own and evolve Lilly's multi-framework compliance program spanning FDA 21 CFR Part 11, GxP, ISO 27001, SOC 2, NIS2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI/ML governance requirements across global manufacturing, research, and commercial technology environments.

Serve as the service owner for the LogicGate Risk Cloud compliance module, driving object hierarchy design, workflow automation, integration architecture, and adoption.

Champion and deliver AI-augmented compliance capabilities including policy intelligence, automated evidence collection, and natural language advisory tooling that enables teams to self-serve compliance guidance at speed.

Skills

Required

Global cyber compliance program leadership
Multi-framework regulatory expertise (FDA 21 CFR Part 11, GxP, NIS2, ISO 27001, SOC 2, HIPAA, CCPA, PIPL/CSL/DSL)
AI and automation in compliance
GRC platform management (LogicGate Risk Cloud)
Risk management and analysis
Stakeholder communication (boards, regulators, senior leadership)
Team building and development

Nice to have

Technical credibility
Platform acumen

At Lilly, we unite caring with discovery to make life better for people around the world. We are a global healthcare leader headquartered in Indianapolis, Indiana. Our employees around the world work to discover and bring life-changing medicines to those who need them, improve the understanding and management of disease, and give back to our communities through philanthropy and volunteerism. We give our best effort to our work, and we put people first. We’re looking for people who are determined to make life better for people around the world.

Job Overview:

Lilly Cybersecurity is seeking a Senior Director of Global Cyber Compliance to lead the transformation of our compliance function into a high-performing, AI-enabled, risk-responsive program that measurably reduces regulatory risk across Lilly's global technology environment. This leader owns strategy and execution across a complex, multi-framework regulatory landscape—including FDA 21 CFR Part 11, GxP, NIS2, ISO 27001, SOC 2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI governance requirements—while ensuring every compliance decision is anchored to Lilly's threat-based cyber program.

The successful candidate brings the technical credibility to challenge the status quo, the platform acumen to automate compliance at scale through LogicGate Risk Cloud and AI-augmented workflows, the operational leadership to build and develop a global compliance team, and the communication skills to translate complex compliance posture into clear business language for boards, regulators, and senior leadership alike.

Four converging forces demand compliance leadership in global pharma:

Regulatory acceleration — NIS2, FDA cybersecurity guidance for digital health and manufacturing, the CCPA Cybersecurity Audit Rule, the DoJ Data Rule, Chinese regulations (PIPL/CSL/DSL), and emerging AI governance mandates are creating a multi-jurisdictional compliance surface that legacy, manual processes cannot scale to address.
Threat landscape maturity — Pharma IP, clinical trial data, OT/manufacturing systems, and drug supply chains are high-value adversary targets. Compliance not anchored to threats creates false assurance and misallocates resources.
AI and automation imperative — Manual evidence collection, spreadsheet-based control tracking, and static policy inventories are operationally unsustainable. The next-generation compliance function requires AI-augmented workflows, automated control testing, and intelligent risk quantification delivered through a modern GRC platform.
Global scale and complexity — Lilly's operating footprint spans EU, US, and APAC regulatory regimes simultaneously. A single-jurisdiction compliance mindset is insufficient; this role requires an strong leader who can orchestrate compliance across manufacturing, research, and commercial technology environments at global scale.

What You Will Be Doing:

Global Compliance Strategy & Program Ownership

Define and own the global cyber compliance program, establishing a clear approach that transitions the function from reactionary audits and inspections toward continuous, risk-responsive, program-aligned assurance.
Set the vision and drive execution for AI, automation and GRC platform capabilities to accelerate compliance delivery, reduce manual overhead, and improve compliance outcomes.
Own and evolve Lilly's multi-framework compliance program spanning FDA 21 CFR Part 11, GxP, ISO 27001, SOC 2, NIS2, HIPAA, CCPA, PIPL/CSL/DSL, and emerging AI/ML governance requirements across global manufacturing, research, and commercial technology environments.
Develop scope definitions for security controls and regulatory requirements that reduce task-driven overhead through technical innovation including AI and automation.

Regulatory Engagement & Inspection Readiness

Maintain a current-state, executive-ready view of how Lilly's cyber control environment satisfies each applicable regulatory framework, clearly mapping satisfied obligations and characterizing gaps with meaningful regulatory risk analysis.
Drive effort to build and sustain inspection-ready documentation, evidence packages, and response protocols enabling confident engagement with authorities, ISO auditors, and other regulators globally with minimal lead time.
Develop deep working knowledge of how relevant regulatory bodies operate—their inspection methodologies, documentation expectations, finding classification frameworks, and how cyber evidence is evaluated, so preparation is proactive rather than reactive.
Translate regulatory gap analysis into prioritized, risk-ranked remediation roadmaps that leadership can act on, with clear articulation of residual risk where full remediation is not immediately feasible.
Serve as Lilly's primary internal and external subject-matter authority on cyber regulatory interpretation, advising program teams, platform owners, and business leaders on how new initiatives or technology changes affect compliance posture.

GRC Platform & AI-Enabled Compliance

Serve as the service owner for the LogicGate Risk Cloud compliance module, driving object hierarchy design, workflow automation, integration architecture, and adoption.
Champion and deliver AI-augmented compliance capabilities including policy intelligence, automated evidence collection, and natural language advisory tooling that enables teams to self-serve compliance guidance at speed.
Define the target state for compliance automation: continuous control testing, automated regulatory change monitoring, and real-time risk dashboards replacing manual audit cycles.

Process Optimization & Data Operations

Design and implement lightweight, scalable compliance processes that eliminate bottlenecks and drive operational efficiency across security and compliance functions.
Build and oversee data pipelines that consolidate compliance, security, and operational metrics from diverse sources into actionable, executive-ready reporting.
Develop predictive analytics capabilities that forecast compliance risk, resource requirements, and audit readiness posture.
Implement data governance frameworks ensuring compliance data quality, consistency, and accessibility across global security operations.

Cybersecurity Control Optimization

Apply knowledge of Lilly's cyber control environment and established frameworks to validate that control design satisfies applicable regulatory requirements.
Own and mature exception management processes, documenting control intensity adjustments based on validated compensating controls, risk context, and business justification.
Collaborate with Cyber service areas including Programs, Platforms, Operations, and M&A Cyber Integration to embed compliance into security operations rather than treating it as a parallel track.

Communication & Strategic Influence

Define and own outcome-based regulatory effectiveness, operational efficiency, and program maturity, replacing activity metrics with measures that demonstrate business value.
Communicate compliance posture, regulatory trends, and program effectiveness to executive cyber leadership in clear, concise language.
Represent Lilly Cybersecurity's compliance function in cross-functional forums and external regulatory interactions, building trust and credibility with partners across Legal, Quality, Finance, and the business.

Team Leadership & Organizational Development

Define team structure, roles, and operating model to support delivery across multiple concurrent regulatory frameworks and geographies.
Drive cross-functional alignment with Legal, Quality, Privacy, Internal Audit, and Regulatory Affairs—ensuring compliance activities are integrated, non-duplicative, and defensible under regulatory and third-party scrutiny.

How You Will Succeed:

Own the view — you maintain a clear, current-state map of which regulatory obligations are satisfied by existing controls and where gaps require attention, so leadership is never surprised by an audit finding or regulatory inquiry.
Lead through transformation — you move the compliance function from reactive and manual to proactive, automated, and data-driven, with measurable gains in efficiency and regulatory quality.
Build the team — you hire, develop, and retain compliance talent who grow their regulatory expertise, earn stakeholder trust, and deliver outcomes beyond their individual scope.
Drive platform adoption — LogicGate Risk Cloud becomes the system of record for compliance, with teams self-serving compliance data and manual processes deprecated.
Lead with data — you replace activity-based reporting with outcome-based KPIs that demonstrate regulatory effectiveness and operational efficiency in business terms.
Build trust across the enterprise — Legal, Quality, Audit, and business stakeholders see Cyber Compliance as a strategic partner that enables speed, not a gatekeeping function that creates friction.
Stay ahead globally — NIS2, FDA cyber guidance, AI governance, DoJ Bulk Data Rule, PIPL/CSL/DSL, and other emerging requirements are anticipated and addressed proactively before they become reactive remediation efforts.

Your Basic Qualifications:

Bachelor's degree in Information Security, Computer Science, Risk Management, Operations Research, or related field
12+ years of progressive experience in cybersecurity compliance, risk management, GRC, or data operations roles within complex, global technology environments.
Experience designing and operating multi-framework compliance programs that prioritize controls based on risk rather than static regulatory checklists.
Hands-on experience implementing or operating a modern GRC platform (LogicGate, ServiceNow GRC, Archer, or equivalent) at enterprise scale.
Experience in highly regulated, multinational environments with demonstrated regulatory engagement, inspection support, and audit management success (FDA, EMA, ISO, NIS2, or equivalent).
Qualified applicants must be authorized to work in the United States on a full-time basis. Lilly will not provide support for or sponsor work authorization or visas for this role, including but not limited to F-1 CPT, F-1 OPT, F-1 STEM OPT, J-1, H-1B, TN, O-1, E-3, H-1B1, or L-1.

Certifications (Required or Expected Within 12 Months)

One or more of the following certifications required or to be obtained within 12 months of hire: CISSP, CISA, CRISC, CISM, or equivalent advanced cybersecurity certification.

**What You Should Bring/ Preferred Qualifications: **

Advanced degree (MBA, MS) in a relevant field preferred.
Working knowledge of how FDA, EMA, NIS2 competent authorities, and ISO certification bodies conduct cybersecurity-related inspections—including documentation expectations, finding classification, and evidence evaluation criteria
Demonstrated track record transforming a compliance function from reactive and manual to proactive, AI-augmented, and platform-enabled—with measurable efficiency and quality improvements
Experience performing structured regulatory gap analysis: mapping existing control environments to regulatory requirements, quantifying residual risk, and communicating findings to executive audiences
Experience operating in multinational pharma, medtech, or life sciences environments across EU, US, and APAC regulatory regimes concurrently
Familiarity with GxP computer system validation (CSV), 21 CFR Part 11 electronic records/signatures, and audit trail requirements in pharmaceutical or life sciences technology contexts
Track record of building and presenting executive-ready compliance risk dashboards and reporting
Knowledge of cybersecurity frameworks and their application to control design and regulatory mapping
Experience with M&A cybersecurity due diligence and integrating compliance programs across acquired entities at global scale
Experience with AI/ML governance frameworks and AI risk management (NIST AI RMF, EU AI Act implications for pharma)
Proven ability to build, develop, and retain high-performing compliance teams—including coaching members through their first regulatory engagement or audit cycle
Proficiency with GRC automation, workflow configuration, and compliance-as-code concepts; experience with LogicGate Risk Cloud a strong plus
Advanced proficiency in data analytics tools (Python, R, SQL, Tableau, Power BI) and experience building automated reporting pipelines
Understanding of OT/ICS security (NIST 800-82, IEC 62443) in pharmaceutical manufacturing or critical infrastructure contexts
Experience with workflow automation platforms and data pipeline technologies in a compliance or security operations context
Familiarity with third-party risk management, vendor security assessment programs, and supply chain compliance considerations
Familiarity with AI self-service advisory tooling or cybersecurity chatbot capabilities in a compliance context

Lilly is dedicated to helping individuals with disabilities to actively engage in the workforce, ensuring equal opportunities when vying for positions. If you require accommodation to submit a resume for a position at Lilly, please complete the accommodation request form (https://careers.lilly.com/us/en/workplace-accommodation) for further assistance. Please note this is for individuals to request an accommodation as part of the application process and any other correspondence will not receive a response.

Lilly is proud to be an EEO Employer and does not discriminate on the basis of age, race, color, religion, gender identity, sex, gender expression, sexual orientation, genetic information, ancestry, national origin, protected veteran status, disability, or any other legally protected status.

Our employee resource groups (ERGs) offer strong support networks for their members and are open to all employees. Our current groups include: Africa, Middle East, Central Asia Network, Black Employees at Lilly, Chinese Culture Network, Japanese International Leadership Network (JILN), Lilly India Network, Organization of Latinx at Lilly (OLA), PRIDE (LGBTQ+ Allies), Veterans Leadership Network (VLN), Women’s Initiative for Leading at Lilly (WILL), enAble (for people with disabilities). Learn more about all of our groups.

Actual compensation will depend on a candidate’s education, experience, skills, and geographic location. The anticipated wage for this position is

$157,500 - $231,000

Full-time equivalent employees also will be eligible for a company bonus (depending, in part, on company and individual performance). In addition, Lilly offers a comprehensive benefit program to eligible employees, including eligibility to participate in a company-sponsored 401(k); pension; vacation benefits; eligibility for medical, dental, vision and prescription drug benefits; flexible benefits (e.g., healthcare and/or dependent day care flexible spending accounts); life insurance and death benefits; certain time off and leave of absence benefits; and well-being benefits (e.g., employee assistance program, fitness benefits, and employee clubs and activities).Lilly reserves the right to amend, modify, or terminate its compensation and benefit programs in its sole discretion and Lilly’s compensation practices and guidelines will apply regarding the details of any promotion or transfer of Lilly employees.

#WeAreLilly