Associate Director, IT Cybersecurity Risk and Audit
The Associate Director, IT Cybersecurity Risk and Audit is a key role responsible for leading the organization’s IT risk, audit, and compliance efforts to ensure adherence to regulatory requirements and industry frameworks, particularly NIST, SOX, and other applicable standards. The role supports the design, implementation, and enhancement of IT general controls and cybersecurity governance frameworks, and collaborates with internal stakeholders, external auditors, and cross-functional teams to mitigate risks, implement policies, and maintain compliance with cybersecurity and other regulatory standards.
Roles & Responsibilities
- Lead the IT audit program activities in alignment with NIST and SOX programs by performing internal and external audits and playing a critical role in the continued enhancement of the IT general controls.
- Lead the IT and cybersecurity risk register, ensuring risks are identified, assessed, tracked, and mitigated effectively, and collaborate with the broader cybersecurity team and cross-functional stakeholders to ensure risk treatment plans are developed and the underlying risks are mitigated.
- Partner with IT and business stakeholders to perform due diligence, risk assessment and ongoing monitoring of third-party vendor risk, ensuring compliance with cybersecurity and other regulatory standards.
- Implement and enforce IT policies and standards aligned with NIST, SEC, SOX, HIPAA, CPRA, and other applicable regulatory standards, ensuring practical application and ongoing monitoring.
- Assist in planning and executing compliance audits such as NIST, SOX, HIPAA, and SOC 2, including gathering evidence, preparing audit documentation, and liaising with external auditors.
- Support the development and execution of Business Continuity and Disaster Recovery plans to ensure operational resilience.
- Create, analyze and develop risk assessment/audit reports and remediation plans resulting from the identification of risks and vulnerabilities discovered during audits/risk assessments.
- Prepare and maintain comprehensive reports detailing cybersecurity risks, controls, and incident responses for regulatory and executive reporting.
- Maintain robust documentation of cybersecurity governance, incident response plans, and risk assessments to support SEC, NIST and other regulatory compliance efforts.
- Conduct and document IT system assessments and incident investigations, collaborating with relevant teams to gather information and act on findings.
- Develop and execute remediation plans for audit findings, working with responsible parties to implement corrective actions and track progress.
- Serve as system administrator of the enterprise NIST Framework tools used to perform all key assurance activities, including implementing enhancements in the tool as necessary.
- Assist in the diagnosis of complex issues, evaluate and recommend solutions to effectively resolve problems.
Education, Licenses & Experience
- Bachelor’s degree in computer science, math, engineering, MIS, or equivalent experience.
- Minimum of 10 years of experience in information security required; experience in governance, risk, and compliance strongly preferred.
- CISSP, CISA or CRISC certifications preferred.
- PMP or other relevant certifications.
Competencies & Skills
- Proficient in TPRM and NIST framework tools such as CyberGRX, ProcessUnity, and AuditBoard.
- Skilled in a variety of technology domains, including infrastructure, security, application development, enterprise networks, cloud, and storage.
- Azure/AWS/Google Cloud architecture and native services.
- Thorough understanding of best practices in SDLC and ITIL.
- Project management skills and focus on delivery of results.
- Ability to communicate complex problems in a non-technical and simplified manner to stakeholders and end-users and to effectively communicate business needs to technology teams.
- Demonstrated ability to work in a multi-disciplinary setting, acting as a creator and facilitator to drive fulfillment of IT strategic goals.
- Strong familiarity with IT auditing techniques, COBIT, ISO 27001, NIST 800-53 or equivalent framework.
- Familiarity with various data privacy, security, and compliance regulations in the U.S. and Canada.
- Proficient knowledge of prevailing Security & Compliance frameworks / standards such as NIST, HIPAA, CPRA, SOX, GDPR, etc.
- Experience working in a regulated environment is preferred (FDA, GxP, GDPR, SOX and PHI).
Why Join Us?
Arcutis is a pioneering medical dermatology company dedicated to revolutionizing the treatment of serious skin diseases and our pipeline is one of the more robust and exciting in the industry. Our vision is to revitalize the standard of care for dermatological diseases and conditions through novel therapies that simplify disease management for physicians and patients. We are focused on filling the innovation gap in medical dermatology drug development by applying our deep clinical, product development and commercial expertise in dermatology to develop best-in-class therapies against biologically validated targets. Arcutis is uniquely positioned to become the preeminent innovation-driven medical dermatology company, and we are looking for top talent to join our team. We are nimble, collaborative, and passionate about achieving our mission!
This job description has been designed to indicate the general nature and level of work performed by employees in this position. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities and qualifications required of employees assigned to the job.
Arcutis is an Equal Opportunity Employer and does not discriminate against any employee or applicant for employment because of race, color, sex, age, national origin, religion, sexual orientation, gender identity, status as a veteran, disability, or any other federal, state, or local protected class.