Stryker

Director of Governance, Risk, and Compliance


Pay: Competitive
Location: Remote
Employment type: Full-Time

This job is now closed

  • Job Description

      Req#: R496721
      Work Flexibility: Remote

      Position Summary:

Serves as the leader of the Governance, Risk, and Compliance team for Stryker Product Security and will be responsible for the enterprise practice. In this role you will be responsible for the architecture, implementation, and effective management of the program, shaping the policies and procedures used to monitor compliance, and will lead the capability to maintain an appropriate risk posture for the enterprise portfolio of medical technologies.

The leader will be responsible for acting as a subject matter expert in global regulatory requirements, risk evaluation methodologies, and compliance frameworks. This individual will be required to have a high degree of business acumen to manage engagement with stakeholder groups of various levels and technical backgrounds across enterprise businesses.

      Essential Duties & Responsibilities: (Detailed Description)

      Governance:

      • Lead a comprehensive governance program, including the ownership and management of Product Security policies, procedures, and standards necessary to maintain compliance and acceptable risk.
      • Ensure that enterprise program and business partners achieve maturity goals in alignment with industry framework and standards.
      • Utilize known global requirements (NIST, ISO/IEC, etc.) to guide in the program design.
      • Work cooperatively with internal stakeholders from various areas within the company to solicit input, gain alignment, and drive change.
      • Implement and manage the governance processes, educate the organization on the new governance programs, measure applicable areas, and report on aspects of these programs.

      Risk Management:

      • Be accountable for designing a comprehensive Product Security Risk Management program to identify, quantify, classify, and manage risks of company medical technologies and systems.
      • Work cooperatively with identified stakeholders to define and communicate risk management calculations, appropriate risk levels, risk mitigation timing based on severity, and risk metrics, including communications, and reviews.
• Solicit input from the various areas of the organization and continually educate and train the organization on the new risk management function and how they can participate in and contribute to it.
• Drive the identification of security risks and maintain a risk register, including planned mitigations or acceptances.
• Track security risk levels and actions at the portfolio, business unit, and product levels.
      • Align security risk management with the existing business risk management practices.

      Compliance:

      • Design a comprehensive compliance program, including the enhancement of Product Security policies, standards, and procedures.
      • Take a risk-based approach to ensure the program design satisfies the business functions.
      • Use the requirements aligned with global regulatory, company, and industry (SOC2, ISO27001, HITRUST, CMMC, others) standards.
• Continually evaluate and report on control design, implementation, effectiveness, and maturity levels, working cooperatively with others and soliciting input from the various areas of the organization.
• Guide, educate, and advocate to the organization on the compliance requirements and how each person and department plays a role in maintaining the required compliance; measure and report on all aspects of the compliance program.
• Where necessary, work in partnership with the Stryker Compliance team.

      Leadership:

      • Serve as the primary subject matter expert and leader on all aspects of compliance, governance, and risk management.
      • Provide regular reports to the Head of Product Security and as required, with internal or external entities.
      • Serve as the primary Product Security liaison for internal and external audits and as needed to represent Product Security.
• Define the strategy, roadmap, and capability planning necessary to achieve desired results.
      • Make independent decisions and frequently represent leadership interests.
      • Demonstrate our risk posture and control adherence and manage GRC technology, staffing needs, and assigned budget in line with approved allocations.
      • Mentor and manage others to increase team competency and continually build an inclusive culture of constant improvement and focus to exceed expectations.

      Education & Special Trainings:

      • BS in computer science, engineering, or MS/MBA in related field of study.
      • Security certifications (CIPP, CISSP and/or CISM) preferred.
      • Internationally accepted Privacy, Audit and Security credentials preferred.

      Qualifications & Experience:

      • Uncompromising personal and professional integrity and ethics.
• 10+ years of dedicated experience in product/device security, preferably with medical devices.
      • 7+ years of senior management experience working with executive leadership.
• 5+ years of experience in GRC tools/technologies.
      • 5+ years of experience in security or technical field.
      • Advanced experience in building and managing compliance and risk management programs.
      • Detailed knowledge in security requirements, standards, and best practices aligned with medical devices and healthcare.
      • Skilled in communicating security and risk-related concepts to both technical and non-technical audiences in business terms.
      • Experience in developing and maintaining security policies, processes, procedures, and technical standards.
      • Strong ability to motivate and lead team members, including in a distributed workforce.
      • Ability to manage across multiple competing priorities and time-sensitive initiatives.
      • Well-developed understanding of the budgeting process, expense, and headcount management.
      • Professional security-focused certifications preferred.
      • Health care industry experience highly preferred.

      Travel Percentage: 10%

      Stryker Corporation is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, ethnicity, color, religion, sex, gender identity, sexual orientation, national origin, disability, or protected veteran status. Stryker is an EO employer – M/F/Veteran/Disability.

      Stryker Corporation will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information.

  • About the company

      Stryker Corporation is an American multinational medical technologies firm based in Kalamazoo, Michigan.