
Job Description

Our Team:


Our Governance, Risk & Compliance team, reporting directly to the CISO alongside the Security Architecture and Security Operations & SOC teams, plays a pivotal role in safeguarding the organization's assets and ensuring regulatory compliance. Under the leadership of the Governance, Risk & Compliance Lead, this team ensures our organization's technological infrastructure is secure, compliant, and resilient against evolving cyber threats.


Main responsibilities:


The Governance, Risk & Compliance Lead will manage and oversee the key functions within the Governance, Risk & Compliance team, ensuring alignment with broader digital and cybersecurity teams. This managerial role focuses on guiding and supporting a team of 2 FTEs in the following key areas:


  • Risk appetite & management
    • Guide decisions on cyber risk appetite for the organization in collaboration with the broader business.
    • Oversee the definition and delivery of risk reporting plans and key indicators.
    • Manage the assessment of risk and govern the process of updating risk appetite at least every 12 months in coordination with other teams.
    • Supervise monitoring of compliance with cyber policies across the organization (incl. policies & tech standards, DLP, IAM).
  • Risk assessment & pen testing
    • Oversee risk assessments at least every 6 months across all environments.
    • Supervise penetration testing at least every 3-6 months across most (>75%) on-premise and cloud environments.
    • Manage the preparation of vulnerability disclosure reports on outward-facing systems (in the future).
  • Third party management support
    • Design, review, and update supplier risk assessment frameworks (incl. criteria for tiering of vendors).
    • Communicate cyber policies to strategic vendors, assess their cybersecurity risk and compliance at least every 12 months and as needed, and drive remediation/mitigation of risks.
    • Oversee the review of cybersecurity risk posed by the supply chain of all strategic vendors at least every 12 months.
    • Monitor deployed 3rd party HW/SW for vulnerabilities and ensure compliance.
  • Support GRC-driven activities
    • Guide the definition of cybersecurity-related enterprise standards, policies, and controls.
    • Oversee audits covering risk-centric assessments (incl. follow-up findings with corrective measures), provide inputs to regulatory and compliance teams on cybersecurity risk, and support the deployment of corporate compliance programs.
  • Data privacy
    • Define data privacy policies and standards and monitor compliance across the organization from a legal/regulatory perspective.
    • Support the Global Data Privacy program (e.g., managing requests across regions, mapping of data and specific regulations, coordination with Global GBS).
    • Manage data processing agreements (incl. review of contracts and annual re-evaluation of assessments).
  • Strategy & Roadmap (incl. budget)
    • Refresh the cyber strategy at least every 18 months and ensure it supports the broader organization strategy.
    • Deliver the cybersecurity strategy in line with the defined roadmap, timelines, and milestones.
    • Communicate a prioritized, approved, and funded cybersecurity roadmap to the broader organization.
    • Manage cybersecurity spend optimization and benchmark it regularly (every 24 months).
  • Performance management & consistency
    • In collaboration with the Security Operations Lead and Security Architecture Lead, design and define cybersecurity KPIs and revisit on a yearly basis.
    • Compile data from defined cybersecurity KPIs every month for analysis to drive improvement actions.
    • Review outputs of KPIs (real-time or periodically depending on metrics) and identify trends/issues with performance, facilitate remediation of issues, and refresh KPIs where necessary.
  • Stakeholder management
    • Prepare and provide the Board/ELT with monthly/quarterly updates.
    • Define, review, test, and update decision rights for the cybersecurity team in the key digital and wider organization governance forums to ensure effective and appropriate decision-making related to cybersecurity.
  • Capability building
    • Design, implement, and maintain training/awareness programs for the wider organization.
    • Ensure the cybersecurity team has the right capabilities through training and evaluation.
  • Manage activities with cross-team dependencies
    • Provide guidance for key digital & cloud initiatives from a cybersecurity standpoint.
    • Manage insurance coverage aligned with the board and leaders across the wider organization.

About you


  • Experience:
    • 10+ years of professional experience (an equivalent combination of experience and education is accepted).
    • Previous experience in implementing ISO27001 and NIS-2
    • Previous work in an international environment.
    • In-depth knowledge of cybersecurity principles, practices, and technologies across digital domains (network, cloud, endpoint, applications, data).
    • Demonstrated leadership in managing cybersecurity teams, particularly in governance, risk, and compliance (GRC).
    • Proven track record of overseeing the design and implementation of GRC solutions aligned with organizational goals and regulatory requirements.
    • Experience collaborating with Security Architect and Operations teams in a feedback loop.
    • Ability to develop and communicate policies based on feedback from the Security Architect team.
  • Soft skills:
    • Proven digital leadership and people management, recruiting and development skills; ability to build, develop & lead a team to achieve assigned outcomes.
    • Leading teams through empowerment.
    • Broad experience in working in large digital teams, with an understanding of how digital and business processes are linked.
    • Project management skills / experience in supporting transformations in digital is essential; the ability to work collaboratively within and across different digital and business teams to design and implement solutions with global impact.
    • Skilled problem solver and self-starter.
    • A hands-on pragmatic attitude to driving change.
    • Positive, "can-do" attitude.
  • Technical skills:
    • Experience with AGILE or similar project management frameworks.
    • Working knowledge of common information security management frameworks (ISO/IEC 27001, ITIL, NIST, NISD, CISSP/CCSP, QxP, CIS20).
  • Education:
    • Bachelor’s and master’s degree (preferred) in any of the following fields of study: Information Technology, Computer Science, Cybersecurity or Information Security
  • Languages:
    • English
Pursue progress, discover extraordinary

Better is out there. Better medications, better outcomes, better science. But progress doesn’t happen without people – people from different backgrounds, in different locations, doing different roles, all united by one thing: a desire to make miracles happen. So, let’s be those people.


At Sanofi, we provide equal opportunities to all regardless of race, colour, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, ability or gender identity.


Watch our ALL IN video and check out our Diversity Equity and Inclusion actions at sanofi.com!


Job Details

Job Location
India
Company Industry
Other Business Support Services
Company Type
Unspecified
Employment Type
Unspecified
Monthly Salary Range
Unspecified
Number of Vacancies
Unspecified
