
Principal Analyst, Cybersecurity Governance, Risk, and Compliance

Lantheus Brand
Bedford, MA Full Time
POSTED ON 1/7/2025
AVAILABLE BEFORE 3/6/2025

Lantheus is headquartered in Bedford, Massachusetts, with offices in Billerica as well as in Canada and Sweden. For more than 60 years, Lantheus has been instrumental in pioneering the field of medical imaging and has helped physicians enhance patient care with its broad product portfolio.

Lantheus is an entrepreneurial, agile, growing organization that provides innovative diagnostics, targeted therapeutics, and artificial intelligence (AI) solutions that empower clinicians to find, fight and follow disease. At Lantheus our purpose and values guide our behaviors in all interactions and play a vital role in creating a dynamic environment that contributes to our success. Every employee is crucial to our success; we respect one another and act as one knowing that someone’s health is in our hands. We believe in helping people be their best and are seeking to bring together a diverse group of individuals with different viewpoints and skill sets to be a part of a productive and inclusive team.

The Principal Analyst, Cybersecurity Governance, Risk, and Compliance will report directly to the Chief Information Security Officer and is tasked with strengthening and guarding the firm from the many risks we face while fostering a transparent and risk-aware culture.  

Responsibilities include, but are not limited to: 

  • Partner with the CISO to develop the operating model and a service-oriented customer engagement model supporting all GRC services and capabilities, including data privacy compliance.
  • Operationalize GRC capability areas including policy and exception management, third-party risk management, security reviews and audits, enterprise security risk management, compliance management, and international data privacy compliance.
  • Maintain cybersecurity risk register
  • Establish and provide security metrics and reporting for all GRC services
  • Perform risk assessments addressing security threats, changes to systems and/or applications, and process improvement initiatives
  • Monitor the security risk profiles of our suppliers to objectively determine high risk suppliers that require additional review
  • Respond to customer security/compliance questionnaires
  • Partner with the Enterprise Risk Management and Compliance organization to achieve corporate strategies and objectives
  • Ensure HIPAA, GDPR, and PCI requirements are adhered to as globally applicable.
  • Oversee the configuration and management of data privacy and protection tools and related measures within our systems, ensuring compliance with global data privacy and data protection regulations, and safeguarding sensitive corporate data, including intellectual property.
  • Collaborate with Ethics & Compliance Data Privacy team to support education and training for employees on data handling protocols, emphasizing the protection of sensitive health-related information and Corporate assets.
  • Maintain awareness of existing and evolving privacy legislation, regulations, frameworks, and other marketplace/industry dynamics relevant to Lantheus and its industry, business, and operations to determine the practical effects on and requirements for Lantheus programs, policies, communications, and training needs.
  • Ability to be flexible and adaptable to changes. Must feel comfortable creating new processes and growing with organizational and regulatory changes.

Minimum Requirements: 

  • Bachelor’s or master’s degree in a relevant field of work or equivalent combination of education and work experience 
  • 7 years’ experience in cybersecurity with a minimum of 5 in cybersecurity governance, risk, and compliance
  • Proven track record of promotion and collaboration of risk and compliance policies and practices across IT and organizational business units
  • Excellent oral and written communication skills with ability to communicate risks to executive leadership and key stakeholders
  • Strong understanding of cybersecurity frameworks (e.g., ISO 27001) and ability to lead the execution and implementation of the frameworks as well as articulate their value and purpose
  • Understanding of cybersecurity risk management and control principles with a proven ability to anticipate and identify risks and take effective mitigating actions
  • Strong organizational, project management, multi-tasking and stakeholder management skills with demonstrated ability to manage expectations and deliver results with a high level of professionalism, self-motivation, and integrity
  • Ability to determine and set the strategic direction of the Cybersecurity GRC function(s)
  • Strong understanding of industry standards and regulations including: NIST, SOX, PCI, ISO, GDPR, CCPA, HITRUST, GxP, and others

Lantheus is committed to equal employment opportunity and non-discrimination for all employees and qualified applicants without regard to a person's race, color, sex, gender identity or expression, age, religion, national origin, ancestry, ethnicity, disability, veteran status, genetic information, sexual orientation, marital status, or any characteristic protected under applicable law. Lantheus is an E-Verify Employer in the United States. Lantheus will make reasonable accommodations for qualified individuals with known disabilities, in accordance with applicable law.

 
