Jobs · Engineering · Indiana

Senior Director - GRC Engineer

BioSpace · Indianapolis, IN · 3 wk ago
Engineering$155k–$227k/yrFull-time

About the role

The Senior Director, Governance Risk and Compliance (GRC) Engineer is a senior leader within the Digital Legal Office (DLO) GRC & Service Management organization. The role translates the DLO’s privacy, AI, and data governance frameworks into effective, auditable, and increasingly automated control designs. The GRC Engineer bridges the gap between what regulatory and policy obligations require, and how those obligations are implemented as operational controls by business control owners across the enterprise.

Responsibilities

  • Own end-to-end design of DLO-owned privacy, AI, and data governance controls—translating regulatory obligations, policy requirements, and risk appetite into auditable, repeatable control architectures.

  • Define and retain control design specifications for each control in the DLO GRC Framework, including test procedures, evidence requirements, data flows, and automation targets.

  • Apply privacy-by-design and AI-by-design principles throughout the control engineering lifecycle, from inception through deployment and ongoing sustainment.

  • Lead technical analysis to identify control gaps, design deficiencies, and automation opportunities; propose and drive remediation with appropriate urgency.

  • Develop and publish design documentation, technical specifications, and implementation guides that create consistency in how controls are built and validated.

  • Design control evidence outputs that directly feed KRI/KPI measurement—ensuring that what gets measured is a function of control design, not manual data collection.

  • Be responsible for the DLO control maturity roadmap—a multi-year strategic plan defining how DLO-owned controls will evolve in response to regulatory change, technology advancement, and enterprise risk posture shifts.

  • Synthesize inputs from GRC Analysts (risk assessments, control effectiveness ratings, gap analyses) and KRI/KPI performance data to identify where controls are underperforming, immature, or misaligned to risk appetite—and translate those findings into prioritized maturity initiatives.

  • Define maturity targets for each control domain (privacy, AI, data governance), establishing clear progression criteria from initial/ad-hoc through optimized/automated states.

  • Lead strategic planning processes that translate the roadmap into prioritized, funded, and governed initiatives with clear milestones, owners, and success metrics.

  • Anticipate regulatory and technology trends (e.g., EU AI Act enforcement, evolving NIST frameworks, agentic AI) and proactively incorporate their implications into control design direction and maturity targets.

  • Partner with GRC Analysts and Service Management to align the control maturity roadmap with the risk assessment calendar and service delivery capacity.

  • Engage DLO leadership and senior stakeholders regularly to communicate roadmap progress, emerging risks, and recommended strategic investments in control maturity.

  • Provide support and direction on how to translate assessment findings, incidents, and issues into actionable control improvements.

  • Triage and advise on sophisticated, ambiguous control scenarios where regulatory guidance, technical constraints, and business priorities must be carefully balanced.

  • Build engagement models that create a consistent control design culture across the enterprise—proactively sharing protocols, lessons learned, and design patterns.

  • Partner with Service Management to design control configurations within the GRC platform (ServiceNow IRM), ensuring that what is designed can be operationalized, monitored, and reported against.

  • Provide engineering leadership for the automation and AI-enablement of control operations across DLO owned and non-DLO owned controls—identifying where intelligent workflows, AI agents, and tooling can reduce manual effort and improve control reliability.

  • Ensure that changes to the regulatory environment or technology landscape trigger appropriate design reviews and service updates, maintaining a living control ecosystem.

  • Contribute to the DLO service catalog by ensuring controls are represented as managed services with defined inputs, outputs, SLAs, and continuous improvement mechanisms.

Requirements

  • Bachelor’s degree in Computer Science, Information Systems, Engineering, Cybersecurity, or a related technical field.

  • 10+ years of progressive experience in GRC, risk engineering, privacy engineering, or security architecture.

  • 5+ years of experience focused on control design, implementation, or assurance at an enterprise scale.

Qualifications

  • Demonstrated ability to translate regulatory and policy requirements into technical control specifications and implementation guidance.

  • Experience influencing senior team members on control design decisions in a matrixed, federated operating model.

  • Experience with GRC platforms (ServiceNow IRM preferred) including control configuration, evidence management, and reporting design.

  • Deep solid understanding of privacy and AI regulatory frameworks (GDPR, NIST Privacy Framework, NIST AI RMF, EU AI Act, U.S. state privacy laws).

  • Experience developing and owning control maturity roadmaps, including defining maturity models, setting progression targets, and aligning investment to risk posture.

  • Experience operating within a federated risk model, enabling business control owners rather than implementing controls directly.

  • Strong verbal and written communication skills, with demonstrated ability to convey technical control design concepts to non-technical senior leaders.

  • Experience in regulated industries—pharmaceutical, healthcare, or life sciences strongly preferred.

  • Professional certification in privacy, risk, or security (e.g., CIPP/E, CIPT, CRISC, CISSP, CDPSE).

  • Experience with privacy-enhancing technologies (PETs), AI governance tooling, or data classification technologies.

  • Familiarity with ISO 27001/27701, SOC 2 controls, or equivalent control frameworks.

  • Experience scaling control capabilities across a large, matrixed enterprise with multiple lines of defense.

  • Hands-on experience with control automation, including workflow orchestration, API-based evidence collection, or AI-assisted monitoring.

  • Prior exposure to 2nd/3rd line of defense coordination (Internal Audit, Enterprise Risk, Quality).

  • Track record of partnering with cybersecurity engineering and architecture functions on shared control design.

Skills

  • Experience with privacy-enhancing technologies (PETs), AI governance tooling, or data classification technologies.

  • Familiarity with ISO 27001/27701, SOC 2 controls, or equivalent control frameworks.

  • Experience with control automation, including workflow orchestration, API-based evidence collection, or AI-assisted monitoring.

  • Experience with control maturity roadmapping and strategic planning.

  • Experience with control design and implementation in a regulated industry.

Benefits

Lilly offers a comprehensive benefit program to eligible employees, including health insurance, retirement plans, and paid time off.

Pay

$154,500 - $226,600

Schedule

Full-time equivalent employees also will be eligible for a company bonus (depending, in part, on company and individual performance). In addition, Lilly offers a comprehensive benefit program to eligible employees.

Similar jobs

Senior GRC Engineer

Nexus Venture PartnersSan Francisco, CA· 5 days ago
Engineering$180k–$200k/yrapply on job-boards.greenhouse.io

Senior GRC Engineer

PostmanSan Francisco, CA· 6 days ago
Engineering$180k–$200k/yrapply on job-boards.greenhouse.io

Senior GRC Engineer

FlockUnited States· 6 days ago
RemoteEngineering$130k–$145k/yrapply on jobs.ashbyhq.com

Senior GRC Engineer

BiographNew York, NY· 1 mo ago
Engineering$150k–$200k/yrapply on jobs.ashbyhq.com