VP, Cybersecurity Governance, Risk, and Compliance (GRC)

Role Summary

Our Global Cybersecurity Governance, Risk, and Compliance (GRC) team plays a critical role in safeguarding Pfizer’s digital assets, ensuring regulatory compliance, and protecting sensitive data across all business functions. As part of our strategic commitment to strengthening our cybersecurity posture, we are enhancing and modernizing our GRC program to address enterprise-wide risks across applications, data, vendors, and critical operations.

We are seeking an experienced individual of Cybersecurity Governance, Risk, and Compliance to lead this transformation. The ideal candidate will have deep expertise in enterprise cyber risk management, regulatory compliance, audit readiness, and oversight of GRC technologies. This leader will drive enterprise programs across GRC, business security and data protection, application security governance, third-party risk management (TPRM), and business continuity/disaster recovery (BCP/DR).

Responsibilities

• Define and execute the enterprise GRC strategy, ensuring alignment with organizational goals and regulatory requirements.
• Lead the enterprise cyber risk management program, including risk identification, assessment, prioritization, and mitigation planning.
• Oversee all audit and compliance activities, including ISO 27001, SOC 2, PCI DSS, SOX, GxP, and other relevant standards.
• Serve as product owner for GRC platforms, ensuring configuration, integration, automation, and reporting capabilities meet enterprise needs.
• Establish and monitor cybersecurity policies, standards, and procedures, drive adoption across all business and IT units.
• Lead application security governance initiatives, embedding secure development lifecycle practices across the enterprise.
• Drive business security and data protection programs, ensuring alignment with global privacy regulations and internal controls.
• Oversee BCP/DR strategy and execution, ensuring operational resilience across critical business functions.
• Provide clear, actionable reporting and dashboards on risk, compliance, and program health to executive leadership and the board.
• Collaborate with Legal, IT, Privacy, Internal Audit, and business stakeholders to embed governance and risk management practices into daily operations.
• Build, develop, and lead a high-performing GRC team; mentor staff and create a culture of accountability, collaboration, and continuous improvement.
• Stay current on industry trends, emerging regulations, and cybersecurity best practices to proactively adapt the GRC program.

Qualifications

• Required: Bachelor’s degree with 15+ years of experience in cybersecurity, risk management, or related fields.
• Required: At least 8 years of direct leadership experience managing enterprise-wide GRC or risk/compliance functions.
• Required: CISSP certification.
• Preferred: CISM, CRISC, or CISA.
• Required: Experience leading Application Security Governance and secure development lifecycle practices.
• Required: Strong background in Third-Party Risk Management (TPRM) programs, including vendor assessments, monitoring, and remediation.
• Required: Deep knowledge of cybersecurity frameworks (NIST CSF, ISO 27001, SOC 2, PCI DSS, SOX) and data protection regulations (GDPR, CCPA, HIPAA).
• Required: Strong leadership, communication, and presentation skills, with the ability to translate complex risks into business-focused insights for senior executives and boards.
• Preferred: Experience with RSA Archer as the enterprise GRC platform, including ownership of configuration, workflows, and reporting.
• Preferred: Experience overseeing GRC-related technologies, including Data Protection/DLP platforms and Business Continuity/Disaster Recovery solutions.