Director Data Risk & Protection
Working with Us
Challenging. Meaningful. Life-changing. Those aren’t words that are usually associated with a job. But working at Bristol Myers Squibb is anything but usual. Here, uniquely interesting work happens every day, in every department. From optimizing a production line to the latest breakthroughs in cell therapy, this is work that transforms the lives of patients, and the careers of those who do it. You’ll get the chance to grow and thrive through opportunities uncommon in scale and scope, alongside high-achieving teams. Take your career farther than you thought possible.
Bristol Myers Squibb recognizes the importance of balance and flexibility in our work environment. We offer a wide variety of competitive benefits, services and programs that provide our employees with the resources to pursue their goals, both at work and in their personal lives. Read more: careers.bms.com/working-with-us.
Key Responsibilities:
* Define and lead BMS's enterprise Data Risk and Protection strategy, aligned to the company's risk appetite, regulatory requirements, and broader cybersecurity strategy.
* Design and implement the Data Risk and Protection operating model, including team structure, roles and responsibilities, process workflows, tooling stack, and an integrated engagement model with the Cybersecurity Fusion Center, Legal, HR, Compliance, Audit, and key Business Units.
* Establish, maintain, and continuously evolve a comprehensive Data Risk & Protection program, encompassing policy governance, use-case development, monitoring, detection, response, and remediation.
* Develop and execute a multi-year capability roadmap with clear priorities, milestones, measurable KPIs, and outcome-based risk reduction metrics.
* Lead the scaling and maturation of the Data Risk & Protection function, building specialist capabilities and fostering a high-performing team.
* Provide regular program status reporting and risk posture updates to senior leadership and governance bodies.
Insider Risk & Threat Analysis:
* Establish and operationalize insider threat monitoring and behavioral analytics capabilities to improve visibility and enable timely response.
* Define and maintain insider threat personas, use cases, and detection scenarios (e.g., intellectual property theft, clinical trial data exfiltration, fraud, sabotage, negligent data leakage, Generative AI misuse), informed by threat intelligence, business context, and prior incident trends.
* Collaborate with technical teams to design, operate, and continuously refine monitoring and analytics capabilities, including UEBA, DLP, CASB, endpoint and identity telemetry, cloud security monitoring, and privileged access monitoring, with a focus on improving detection coverage and reducing false positives.
* Oversee the end-to-end insider risk case lifecycle, from alert generation through triage, investigation, response, closure, and lessons learned, coordinating across Cybersecurity Fusion Center, HR, Legal, Compliance, Corporate Security, and Business Units.
* Ensure timely and proportionate incident responses, applying a risk-based methodology that distinguishes between malicious, negligent, and compromised actors, and driving root-cause analysis to strengthen controls and processes.
* Assess and mitigate data risks associated with Generative AI and emerging technologies, including data leakage via AI tools, model misuse, shadow AI adoption, and unapproved application usage.
Data Loss Prevention (DLP) & Information Protection:
* Lead the strategy, design, and operational management of BMS's enterprise DLP program across endpoints, email, cloud, and collaboration platforms (e.g., Microsoft 365, Teams, SharePoint, Copilot, AWS, Google Cloud).
* Define and govern data classification policies and standards, ensuring sensitive BMS data — including clinical trial data, intellectual property, PII, and regulated data — is appropriately labelled, handled, and protected.
* Drive continuous tuning, optimization, and lifecycle management of DLP rules, policies, and controls to improve accuracy, reduce operational burden, and align with evolving business needs.
* Partner with IT Security Architecture and Engineering teams to ensure data protection controls are embedded into infrastructure, application development, and cloud adoption workflows.
* Establish metrics and dashboards to track DLP program effectiveness, data exposure trends, policy violations, and remediation outcomes, and report regularly to senior leadership.
Policy, Governance, Assurance & Culture:
* Develop, review, and maintain data risk and protection policies, standards, and guidelines (e.g., acceptable use, data handling, monitoring, GenAI usage) in close collaboration with Legal, HR, Compliance, and Privacy teams.
* Establish clear escalation paths, decision rights, and documentation standards for data-related incidents and insider risk cases, ensuring all activities comply with applicable laws, regulations, and internal policies — particularly around privacy, data protection, and employment practices.
* Lead or support internal assurance and audit activities on data risk and protection as directed by the Audit Committee and senior management, including targeted reviews, thematic risk assessments, and deep-dive investigations into control effectiveness.
* Build strong relationships with stakeholders across BMS, and design targeted awareness, education, and training on data protection, insider risk, and responsible use of Generative AI tools, tailored to different roles and risk profiles.
* Foster a culture of trust, accountability, and security-conscious behavior, balancing deterrence with transparency, and represent BMS in relevant external forums, regulatory engagements, and peer networks to leverage industry best practices.
Qualifications:
Education
* Bachelor's degree required in Computer Science, Information Systems, Cybersecurity, Risk Management, Law, Business Administration, or a related discipline.
* Advanced degree (Master's or equivalent) preferred.
Certifications
Relevant professional certifications are strongly preferred, including but not limited to:
* CISSP (Certified Information Systems Security Professional)
* CISM (Certified Information Security Manager)
* CISA (Certified Information Systems Auditor)
* CRISC (Certified in Risk and Information Systems Control)
* CDPSE (Certified Data Privacy Solutions Engineer)
* CFE (Certified Fraud Examiner) or equivalent risk/investigation credentials
Experience & Skills
* 10+ years of progressive experience in cybersecurity, data risk management, insider risk, information protection, security operations, or related disciplines, with demonstrated experience designing and leading complex, enterprise-scale security or risk programs in large, matrixed organizations — preferably in the pharmaceutical, life sciences, or highly regulated industry sector.
* Demonstrable experience in data loss prevention (DLP), insider threat management, user and entity behavior analytics, or security investigations, including hands-on program ownership in a large enterprise environment.
* Strong technical fluency in tools and platforms commonly used in data risk and protection programs, including:
  * SIEM, UEBA, DLP, EDR/XDR, CASB (e.g., Microsoft Purview, Symantec DLP, Varonis, Securonix, CrowdStrike, Zscaler, Cisco)
  * Identity & Access Management (IAM) and Privileged Access Management (PAM)
  * Cloud security platforms (Microsoft 365 Security, Azure, AWS) and collaboration security tools
* Familiarity with legal, privacy, employment, and ethical considerations relating to employee monitoring, data protection, cross-border data transfers, and applicable regulations (e.g., GDPR, CCPA, HIPAA); prior experience working closely with Legal, HR, and Compliance is required.
* Proven ability to build, lead, and scale a multidisciplinary, high-performing organization, including recruiting and developing top talent, defining team operating models, establishing governance frameworks, and driving measurable outcomes through clear performance metrics.
* Experience leading or overseeing complex investigations, including cross-functional coordination with HR, Legal, Compliance, Corporate Security, and, where relevant, external counsel or law enforcement.
* Strong data-driven analytical and problem-solving skills, with demonstrated experience using metrics, dashboards, and risk data to drive decisions, measure program impact, and identify improvements.
* Excellent communication, influencing, and stakeholder management skills, with experience presenting to senior management, governance bodies, and, ideally, Audit Committees or Boards of Directors.
* Ability to balance security, privacy, cultural, and operational considerations in a pragmatic, risk-based manner appropriate to a global pharmaceutical organization.
* High level of integrity, discretion, and professional judgement, with demonstrated ability to handle sensitive, confidential, and legally privileged information with the utmost care.
If you come across a role that intrigues you but doesn’t perfectly line up with your resume, we encourage you to apply anyway. You could be one step away from work that will transform your life and career.
Compensation Overview:
Princeton - NJ - US: $188,790 - $228,763
The starting compensation range(s) for this role are listed above for a full-time employee (FTE) basis. Additional incentive cash and stock opportunities (based on eligibility) may be available. The starting pay rate takes into account characteristics of the job, such as required skills, where the job is performed, the employee’s work schedule, job-related knowledge, and experience. Final, individual compensation will be decided based on demonstrated experience.
Eligibility for specific benefits listed on our careers site may vary based on the job and location. For more on benefits, please visit https://careers.bms.com/life-at-bms/.
Benefit offerings are subject to the terms and conditions of the applicable plans in effect at the time and may require enrollment. Our benefits include:
* Health Coverage: Medical, pharmacy, dental, and vision care.
* Wellbeing Support: Programs such as BMS Well-Being Account, BMS Living Life Better, and Employee Assistance Programs (EAP).
* Financial Well-being and Protection: 401(k) plan, short- and long-term disability, life insurance, accident insurance, supplemental health insurance, business travel protection, personal liability protection, identity theft benefit, legal support, and survivor support.
Work-life benefits include:
Paid Time Off
* US Exempt Employees: flexible time off (unlimited, with manager approval) and 11 paid national holidays (not applicable to employees in Phoenix, AZ, Puerto Rico, or Rayzebio employees)
* Phoenix, AZ, Puerto Rico and Rayzebio Exempt, Non-Exempt, and Hourly Employees: 160 hours annual paid vacation for new hires with manager approval, 11 national holidays, and 3 optional holidays
Based on eligibility*, additional time off for employees may include unlimited paid sick time, up to 2 paid volunteer days per year, summer hours flexibility, leaves of absence for medical, personal, parental, caregiver, bereavement, and military needs, and an annual Global Shutdown between Christmas and New Year's Day.
All global employees full and part-time who are actively employed at and paid directly by BMS at the end of the calendar year are eligible to take advantage of the Global Shutdown.
*Eligibility Disclosure: The summer hours program is for United States (U.S.) office-based employees due to the unique nature of their work. Summer hours are generally not available for field sales and manufacturing operations and may also be limited for the capability centers. Employees in remote-by-design or lab-based roles may be eligible for summer hours, depending on the nature of their work, and should discuss eligibility with their manager. Employees covered under a collective bargaining agreement should consult that document to determine if they are eligible. Contractors, leased workers and other service providers are not eligible to participate in the program.
Uniquely Interesting Work, Life-changing Careers
With a single vision as inspiring as “Transforming patients’ lives through science™”, every BMS employee plays an integral role in work that goes far beyond ordinary. Each of us is empowered to apply our individual talents and unique perspectives in a supportive culture, promoting global participation in clinical trials, while our shared values of passion, innovation, urgency, accountability, inclusion and integrity bring out the highest potential of each of our colleagues.
On-site Protocol
BMS has an occupancy structure that determines where an employee is required to conduct their work. This structure includes site-essential, site-by-design, field-based and remote-by-design jobs. The occupancy type that you are assigned is determined by the nature and responsibilities of your role:
Site-essential roles require 100% of shifts onsite at your assigned facility. Site-by-design roles may be eligible for a hybrid work model with at least 50% onsite at your assigned facility. For these roles, onsite presence is considered an essential job function and is critical to collaboration, innovation, productivity, and a positive Company culture. For field-based and remote-by-design roles the ability to physically travel to visit customers, patients or business partners and to attend meetings on behalf of BMS as directed is an essential job function.
Supporting People with Disabilities
BMS is dedicated to ensuring that people with disabilities can excel through a transparent recruitment process, reasonable workplace accommodations/adjustments and ongoing support in their roles. Applicants can request a reasonable workplace accommodation/adjustment prior to accepting a job offer. If you require reasonable accommodations/adjustments in completing this application, or in any part of the recruitment process, direct your inquiries to adastaffingsupport@bms.com. Visit careers.bms.com/eeo-accessibility to access our complete Equal Employment Opportunity statement.
Candidate Rights
BMS will consider for employment qualified applicants with arrest and conviction records, pursuant to applicable laws in your area.
If you live in or expect to work from Los Angeles County if hired for this position, please visit this page for important additional information: https://careers.bms.com/california-residents/
Data Protection
We will never request payments, financial information, or social security numbers during our application or recruitment process. Learn more about protecting yourself at https://careers.bms.com/fraud-protection.
Any data processed in connection with role applications will be treated in accordance with applicable data privacy policies and regulations.
If you believe that the job posting is missing information required by local law or incorrect in any way, please contact BMS at TAEnablement@bms.com. Please provide the Job Title and Requisition number so we can review. Communications related to your application should not be sent to this email and you will not receive a response. Inquiries related to the status of your application should be directed to Chat with Ripley.
R1603221 : Director Data Risk & Protection
Listing Details
Posted: June 9, 2026