
Director, Information Security

Job in Wayne, Delaware County, Pennsylvania, 19087, USA
Listing for: Avantor
Full Time position
Listed on 2026-03-07
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, IT Consultant, IT Project Manager
Job Description & How to Apply Below
The Opportunity:

At Avantor, people are the most important part of our success because they drive our global performance. That's why our Operations, Lab Services, Sales, and many other Avantor teams rely on our talent acquisition initiatives to attract, engage and hire the right talent. Avantor's Information Security vertical is a crucial part of this mix, enabling all our internal teams worldwide to grow beyond their limits.

The Information Security Governance, Risk, and Compliance (GRC) Director is a senior leadership role responsible for defining, executing, and maturing Avantor's global security governance, risk, and compliance strategy and function. This individual will develop and oversee programs that ensure adherence to regulatory requirements, alignment with security best practices, and effective management of cybersecurity risk across the enterprise. The ideal candidate combines deep expertise in security frameworks (NIST, ISO, SOC, CIS), extensive experience with risk management, strong communication skills, and the ability to influence and partner with global leaders across IT, Legal, Procurement, Operations, and Business Units.

What we're looking for:

  • Education: Bachelor's degree in Information Security, Cybersecurity, Computer Science, or related field (or equivalent experience). Advanced degree (MBA, MS in Cybersecurity, etc.) preferred
  • Experience: 10+ years of progressive experience in Information Security, with at least 5 years in GRC leadership roles. Strong understanding of security frameworks: NIST CSF/800-53, ISO 27001, SOC 2, CIS Controls, COBIT
  • Preferred:
    • Professional certifications: CISSP, CISM, CISA, CRISC, CGEIT, ISO 27001 Lead Implementer / Auditor, or similar.
    • Experience in life sciences, manufacturing, or highly regulated industries.
    • Familiarity with data privacy regulations (GDPR, CCPA) and cloud compliance programs.

Who you are:

  • Demonstrated experience managing large-scale compliance initiatives and audit processes.
  • Expertise in enterprise risk management methodologies and tools.
  • Excellent communication and stakeholder-management skills, including presenting to executives and boards.
  • Proven ability to build, mentor, and lead high-performing teams.

How you will thrive and create an impact:

Strategic Leadership

  • Develop and lead a comprehensive global GRC strategy aligned with Avantor's security, technology, and business priorities.
  • Advise the CISO and senior leadership on enterprise risk posture, emerging threats, compliance obligations, and security performance.
  • Champion a culture of security accountability across the organization.

Governance & Policy Management

  • Manage the Company's Information Security Management System (ISMS).
  • Establish, maintain, and evolve the Company's information security policies, standards, and guidelines.
  • Ensure consistency and applicability across global operations, systems, and business units.
  • Maintain governance boards, steering committees, and reporting mechanisms that support effective oversight.

Application Security Strategy & Program Leadership

  • Define and drive the enterprise application security strategy, ensuring alignment with business objectives, regulatory requirements (e.g., SOX, PCI, ISO 27001), and risk tolerance.
  • Develop and maintain a multi-year roadmap for application security capabilities, including the integration of threat modeling, secure coding standards, and SSDLC automation.
  • Serve as the subject matter expert and executive advisor on application security across product, architecture, engineering, DevOps, and compliance teams.
  • Lead the design, implementation, and continuous improvement of SSDLC practices, ensuring security requirements are embedded in each phase of the software development lifecycle (requirements, design, coding, testing, release).
  • Collaborate with development teams to integrate security tooling (e.g., SAST, DAST, SCA, IaC scanning) into CI/CD pipelines, with measurable guardrails and thresholds.
  • Drive adoption of secure coding guidelines, threat modeling, and security design reviews, including training and enablement for engineering teams.
  • Develop and oversee a risk-based application vulnerability management program, covering both custom code and third-party/open-source components (e.g., SBOM, CVEs).
  • Partner with DevOps and engineering to triage, prioritize, and remediate vulnerabilities, ensuring SLA adherence and measurable risk reduction.
  • Lead the implementation and optimization of vulnerability scanning tools and workflows, ensuring visibility, consistency, and centralized reporting across platforms.

Risk Management

  • Lead the enterprise cyber risk management program, including risk assessments, risk treatment plans, tracking, and reporting.
  • Identify, evaluate, and prioritize risks associated with new systems, technologies, vendors, and business initiatives.
  • Improve risk quantification and help business leaders understand security risks in operational and financial terms.

Compliance & Assurance

  • Own information security components of compliance…