What are the responsibilities and job description for the Cybersecurity Network Lead - Regulatory Affairs position at Roche?
At Roche you can show up as yourself, embraced for the unique qualities you bring. Our culture encourages personal expression, open dialogue, and genuine connections, where you are valued, accepted and respected for who you are, allowing you to thrive both personally and professionally. This is how we aim to prevent, stop and cure diseases and ensure everyone has access to healthcare today and for generations to come. Join Roche, where every voice matters.
At Roche, we are passionate about transforming patients’ lives and we are fearless in both decision and action - we believe that good business means a better world. That is why we come to work each day. We commit ourselves to scientific rigor, unassailable ethics, and access to medical innovations for all. We do this today to build a better tomorrow.
As the Cybersecurity Network Lead, your main objectives are to support the Global Quality and Regulatory Affairs (Q&R) organization to inform the best design strategies for managing threats to the portfolio and products, support policy work related to cybersecurity in coordination with our Regulatory Policy and Intelligence (RPI) group, and lead internally and externally on matters related to diagnostic and medical device cybersecurity regulatory requirements with an impact to the Roche product portfolio.
As a cybersecurity expert in the diagnostic and medical device space, you will be responsible for establishing and maintaining a robust cybersecurity posture for our products. You will leverage your deep understanding of cybersecurity principles, medical device regulations, and industry best practices to identify, assess, and mitigate security risks throughout the product lifecycle. This role requires strong technical and regulatory expertise, excellent communication skills, and the ability to collaborate effectively with cross-functional teams.
The Opportunity
Assess and develop individual project and portfolio strategies, in conjunction with project leads, as well as identify and apply feasible approaches to ensuring cybersecurity.
Collaborate with internal stakeholders from multiple global functions and affiliates, and external stakeholders, in particular the US FDA, on cybersecurity matters across all of our customer areas, both product-specific and above product.
Support and lead projects in the Roche Diagnostic Policy and Strategy agenda related to cybersecurity topics. This includes strategy efforts through all phases of strategic planning, design, and execution.
Act as industry thought leader in areas related to cybersecurity. Pursue the appropriate levels of performance and differentiation needed within Q&R to properly support the business. To that end, you are expected to know both the external and internal contexts for your areas of focus.
Drive prioritized strategies and deliverables related to cybersecurity that have the greatest impact for our customers. Develop and implement robust cybersecurity strategies for our products and portfolio to support successful submissions and assess the impact of new and changing regulations to the product portfolio.
Empower and enable project teams and act as Senior Advisor and Coach, which includes advising the Head of Regulatory and Quality, network leads, and other staff on cybersecurity portfolio and project topics, where needed.
Ensure the Implementation of Risk Assessment and Management Across the Portfolio. Conduct comprehensive portfolio and/or project level cybersecurity risk assessments of diagnostics and medical devices, associated software, and networks to identify potential vulnerabilities, threats, and exposures. Analyze and evaluate portfolio security risks, determine their potential impact, and recommend appropriate mitigation strategies.
Ensure Compliance with Industry Standards. Where needed, support the preparation for cybersecurity audits and inspections by regulatory bodies.
Partner to Ensure Security Design and Implementation Across the Product Portfolio:
Collaborate with Product Security and Privacy Organization (PSPO), Research and Development (R&D), Engineering, and IT teams to integrate security considerations into the design and development of medical devices and related systems.
Define security requirements and specifications for diagnostics, medical devices and software.
Participate in security design reviews and provide recommendations to enhance the security posture.
Assist in the implementation and configuration of security controls.
Monitor Threat Intelligence and Vulnerability Management:
Partner with product security in review of the external landscape periodically for emerging cybersecurity threats and vulnerabilities relevant to diagnostics and medical devices.
Assess vulnerability assessments and penetration testing of diagnostics, medical devices and related systems across the portfolio and recommend portfolio level changes, as necessary.
Analyze vulnerability reports, prioritize remediation efforts, and track their implementation.
Develop and disseminate security advisories and guidance to relevant teams.
Engage in Incident Response and Security Awareness and Training:
Participate in the development and execution of incident response plans for cybersecurity events.
Serve as a subject matter expert with internal and external stakeholders during incident response activities.
Contribute to the development and delivery of cybersecurity awareness and training programs for employees involved in the development and handling of medical devices.
Promote a culture of security consciousness within the organization.
Who You Are
You have a Bachelor or Advanced degree in Computer Science, Cybersecurity, Law, Biomedical Engineering, or a related field.
You hold a general understanding of the Diagnostics industry, lifecycle & development process and global trends.
You have a minimum of 10 years of experience in cybersecurity, with a significant focus on medical devices or other regulated industries.
You have knowledge of the Diagnostics, Pharmaceutical, and/or Medical Device industry, including Regulatory Compliance, Federal cGMPs and QSRs, ISO 13485 and ISO 27001.
Knowledge of FDA guidelines on medical device cybersecurity, ISO 14971, IEC 62304, NIST (e.g., NIST 800-53), and HIPAA (Health Insurance Portability and Accountability Act) where applicable.
Knowledge of specific programming languages and technologies used in medical device development.
You are knowledgeable of secure software development lifecycle (SSDLC) principles and practices.
You have experience with incident response processes and methodologies.
You have experience with cloud security and IoT security in the context of medical devices.
You are familiar with the Software Bill of Materials (SBOM) and its importance in medical device cybersecurity.
You are experienced with penetration testing methodologies and tools.
Leadership & Senior Management Skills
You show a consistent record of building collaborative relationships with peers and teams, helping cross-functional teams address strategic opportunities and solve problems across the organization.
You demonstrate experience working in a matrixed organization, the ability to build strong relationships and effective stakeholder management.
You have Senior-level experience leading, motivating, coaching, and developing teams to drive customer focus in our mindset, work priorities and collaborative behaviors.
You are able to foster positive partnerships through effective influencing, negotiation and conflict management skills to achieve alignment up and down the organization.
Locations
You are preferably based out of Indianapolis, or Washington DC. We will consider remote work arrangements for this role.
Relocation assistance is not available.
At the Company's discretion, an exception to the location requirement could be made under extraordinary circumstances.
As this position is a global role, international business travel will be required depending upon the business location of the successful candidate and ongoing business project activities.
The expected salary range for this position based on the primary location of Indianapolis is between $144,000 and $268,500. Actual pay will be determined based on experience, qualifications, geographic location, and other job-related factors permitted by law. A discretionary annual bonus may be available based on individual and Company performance. This position also qualifies for the benefits detailed at the link provided below.
Who we are
A healthier future drives us to innovate. Together, more than 100’000 employees across the globe are dedicated to advance science, ensuring everyone has access to healthcare today and for generations to come. Our efforts result in more than 26 million people treated with our medicines and over 30 billion tests conducted using our Diagnostics products. We empower each other to explore new possibilities, foster creativity, and keep our ambitions high, so we can deliver life-changing healthcare solutions that make a global impact.
Let’s build a healthier future, together.
Roche is an equal opportunity employer. It is our policy and practice to employ, promote, and otherwise treat any and all employees and applicants on the basis of merit, qualifications, and competence. The company's policy prohibits unlawful discrimination, including but not limited to, discrimination on the basis of Protected Veteran status, individuals with disabilities status, and consistent with all federal, state, or local laws.
If you have a disability and need an accommodation in relation to the online application process, please contact us by completing the Accommodations for Applicants form.