
BISO - Commercial IT

Location Gaithersburg, Maryland, USA Job ID R-251671 Date posted 05/07/2026

The Commercial IT Cybersecurity Business Information Security Officer (BISO) acts as the main cybersecurity partner to Commercial IT and related business areas. This role represents the CISO to lower cyber risk and improve resilience across platforms dedicated to clients and revenue generation. This role leads security for a SaaS-heavy, data-centric Commercial ecosystem spanning CRM, omnichannel engagement, digital experience, analytics and personalization, data and AI platforms, pricing and revenue, integration and API fabric, BI, and MDM. Key platforms include Veeva (CRM/Vault/OCE), Salesforce (Service/Health/Life Sciences/Marketing Cloud, Data 360), Adobe Experience Cloud (AEM/Analytics/Target), Tealium, Databricks on AWS, Model N, MuleSoft/SnapLogic, Power BI, and Reltio, supporting both global operations and localized implementation alongside agency and third-party delivery models.

Ready to shape how these critical capabilities stay secure while enabling bold Commercial ambitions?

Accountabilities

  • Act as the Commercial IT security lead and CISO representative. Serve as the primary cybersecurity liaison for the commercial IT division and associated business units worldwide. Coordinate the security strategy with business objectives and customer-centered, revenue-enhancing outcomes.

  • Lead governance and risk-based decision-making by chairing or participating in key forums, ensuring risk visibility, documented risk acceptance and ownership, and translating enterprise security policy into Commercial-ready standards, guardrails, and roadmaps.  

  • Provide continuous risk advisory and posture management by maintaining awareness of threat trends and regulatory drivers relevant to Commercial operations, proactively advising on priorities, architecture decisions, and long-term security posture.  

  • Establish SaaS security governance across core Commercial platforms by defining and implementing secure configuration baselines, environment and tenant management, identity, SSO and MFA patterns, logging and monitoring, and continuous control monitoring for Veeva, Salesforce, Adobe Experience Cloud, Tealium, and connected tooling.

  • Strengthen digital channel and web experience security by partnering with digital teams to embed secure SDLC and release practices for externally hosted web content and experiences, aligning protections such as WAF, CDN and DDoS where applicable, and mitigating web-layer and brand-abuse risks including impersonation, account takeover, credential stuffing, web skimming and scraping.  

  • Drive security controls aligned with privacy in marketing and data collection. Ensure consent, tracking governance, and secure handling of healthcare professional and consumer information across digital marketing operations. Follow GDPR and other global privacy rules.  

  • Improve control maturity for commercial content, records and revenue interfaces by maturing controls for content lifecycle and records (including audit trail and e-signature expectations where applicable) and for financial and ordering interfaces where Commercial platforms touch revenue processes, including SOX-relevant controls.  

  • Run vulnerability, audit, and testing remediation to closure. Facilitate risk assessment and ongoing maintenance across SaaS tenants, web properties, and integrations. Drive timely remediation of audit and penetration test findings while reducing repeat issues.

  • Enhance incident readiness and response coordination by partnering with enterprise SecOps to build Commercial-relevant playbooks, align crisis and BCP activities, support post-incident reviews, and drive business-centric improvements for scenarios such as SaaS compromise, third-party or agency incidents, data exposure and digital channel compromise.  

  • Advance third-party and agency risk management by defining onboarding patterns, minimum control requirements and ongoing monitoring for Commercial vendors and agencies (creative, media/AdTech partners, event hosts, SaaS providers), ensuring clear remediation paths and exit strategies.  

  • Measure and communicate outcomes through KPIs, OKRs, dashboards and reporting that demonstrate risk ownership, remediation throughput, control coverage and resilience improvements over time.  

  • Champion security culture and targeted awareness by tailoring training and communications for Commercial roles and partner ecosystems on phishing and social engineering, safe SaaS usage, HCP and customer data handling, and reporting obligations.  

  • Plan and oversee security initiatives and investment by shaping multi-year roadmaps, business cases and resource plans; overseeing delivery of security improvements aligned to Commercial programs including platform changes, integrations and data initiatives.  

  • Lead and develop the BISO team by directing a group spanning risk reporting and analytics, risk management and remediation, and security consulting tailored to SaaS-heavy international Commercial operating models; setting clear goals tied to measurable risk reduction and resilience outcomes; coaching for high performance.  

Essential Skills/Experience  

  • Information security leadership: 10+ years of experience in information security positions, with 5+ years’ experience overseeing an information security function and influencing senior business/IT stakeholders.

  • Commercial pharma domain familiarity: Experience supporting Commercial/Go-to-Market functions in a regulated life sciences environment (marketing operations, sales operations, customer/HCP engagement, digital channels, and in-country execution models).  

  • SaaS/CRM security depth: Hands-on experience securing Veeva CRM, Veeva Vault, Veeva OCE, and/or Salesforce ecosystems (Service Cloud, Health Cloud, Life Sciences Cloud, Marketing Cloud, Data 360), including identity/access models, connected apps, environment strategy, secure configuration, and operational monitoring.  

  • Digital experience and marketing technology security: Experience with Adobe Experience Manager, Adobe Analytics, Adobe Target, and Tealium (or equivalent) including tag/consent governance, tracking controls, data-layer integrity, and security considerations for externally facing digital content.  

  • Data platform and cloud security: Experience securing Databricks and AWS-hosted data platforms, including IAM, network controls, encryption/KMS, logging/telemetry, data governance, and prevention/detection of data exfiltration.

  • Integration and API security: Experience with integration platforms such as MuleSoft and SnapLogic, with a strong understanding of API security patterns, OAuth/token hygiene, certificate lifecycle, secrets management, and secure data movement.  

  • Commercial operations / revenue process awareness: Familiarity with commercial operations platforms such as Model N and the control expectations when systems support pricing, contracting, rebates/chargebacks, and/or interfaces to order booking and revenue processes (including SOX-relevant control considerations).  

  • Depth of knowledge in frameworks and control implementation, vulnerability and security testing management, risk dashboarding and data-driven execution, and incident response collaboration are key attributes required for this role.

  • Stakeholder communication: Strong written and verbal communication skills with proven ability to present complex technical information to both technical and non-technical audiences, including Commercial leadership and in-country stakeholders.  

  • Execution under pressure: Proven ability to manage competing priorities, operate under time constraints tied to launches or campaigns, and drive outcomes through influence across matrixed teams.  

  • Bachelor's degree in science or relevant technical field of study; Master's preferred.

When we put unexpected teams in the same room, we unleash bold thinking with the power to encourage life-changing medicines. In-person working gives us the platform we need to connect, work at pace and challenge perceptions. That's why we work, on average, a minimum of three days per week from the office. But that doesn't mean we're not flexible. We balance the expectation of being in the office while respecting individual flexibility. Join us in our unique and ambitious world.

The annual base pay for this position ranges from $190,956.80 - $286,435.20 USD Annual. Hourly and salaried non-exempt employees will also be paid overtime pay when working qualifying overtime hours. Base pay offered may vary depending on multiple individualized factors, including market location, job-related knowledge, skills, and experience. In addition, our positions offer a short-term incentive bonus opportunity; eligibility to participate in our equity-based long-term incentive program (salaried roles), to receive a retirement contribution (hourly roles), and commission payment eligibility (sales roles). Benefits offered include a qualified retirement program [401(k) plan]; paid vacation and holidays; paid leaves; and health benefits including medical, prescription drug, dental, and vision coverage in accordance with the terms and conditions of the applicable plans. Additional details of participation in these benefit plans will be provided if an employee receives an offer of employment. If hired, employee will be in an “at-will position” and the Company reserves the right to modify base pay (as well as any other discretionary payment or compensation program) at any time, including for reasons related to individual performance, Company or individual department/team performance, and market factors.

Are you ready to bring new insights and fresh thinking to the table? Fantastic! We have one seat available, and we hope it’s yours. Apply today.

AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We follow all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.

Date Posted

06-May-2026

Closing Date

28-May-2026

Our mission is to build an inclusive environment where equal employment opportunities are available to all applicants and employees. In furtherance of that mission, we welcome and consider applications from all qualified candidates, regardless of their protected characteristics. If you have a disability or special need that requires accommodation, please complete the corresponding section in the application form.



AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorisation and employment eligibility verification requirements.
