Cybersecurity Senior Manager, Global Information Security

Santenは、眼科医療に特化した130年の歴史を持つ製薬企業です。日本発のグローバル企業として60カ国以上に拠点を持ち、目の健康のために様々な革新的な治療法とデジタルソリューションを提供し、世界中の人々の視覚に関わる社会問題に取り組んでいます。

Job’s mission

Under the direct supervision and guidance of the Global Head of Information Security, the job holder is part of the Global Information Security (Digital & IT Division), responsible for leading the implementation & execution of Global Cyber Defense Strategy, implementation of technical solutions to defend Santen from cyberattacks, running risk assessments of all new global solutions, managing the risk and vulnerability management process (both Information Systems and Industrial Control Systems), developing and maintaining the organization's security architecture, while considering investor's expectation for company security measures such as security regulations, standards and best practice, working with SOC (Security Operations Center) partner in order to ensure that information assets are adequately protected and compliant as well as maximize the benefit of information systems for Santen’s global businesses.

Number of direct subordinates

There might be direct reports soon, and several Digital & IT members and external consultants whose activities need to be coordinated by this role within the framework of cybersecurity projects or processes.

Key Responsibilities & Accountabilities

Cybersecurity Defense & Management

• According to the company’s long-term vision, formulate and integrate cybersecurity strategies into a companywide strategic plan by collaborating with cross-functional teams to design and implement secure infrastructure and application solutions
• Understand expectations of the company regarding continuous growth, establish concrete goals, and create mid-term strategies to achieve goals
• Drive the Global Cyber Defense Strategy, maintain ready forces and capabilities to conduct cybersecurity operations
• Anticipate future internal and external trends and implications and create appropriate cybersecurity measures
• Build understanding of cyber threats in each level. Develop detection & protection measures continuously, lead the technical solution implementations to be prepared to defend Santen from disruptive or destructive cyberattacks

Security Incident Management

• Ensure the security incident management process are executed properly by all parties by tracking the resolution process and making sure the known issues are addressed according to risk management methodology
• Lead the monthly operational meetings between SOC team and Santen, improve the overall process and ensure the KPIs are achieved
• Verify and continuously improve the Recovery Process performed during or after a security incident to ensure that it meets business requirements and is effective and practical
• Manage the Major Security Incident Management process, under Global Head of Information Security, and guide/train different stakeholders, including SOC team, DIT leaders and technical managers
• Support the Disaster Recovery and Business Continuity framework, initiatives, and execution

Technical Risk Management

• Improve Santen’s cybersecurity maturity level by increasing overall awareness and providing security advice/insights on technical requirements to DIT and non-DIT leaders (both Information Systems and Industrial Control Systems global leaders)
• Lead global programs & project implementations, planning the delivery of risk mitigation solutions and answering technical questions, reviewing current security measures, recommending enhancements, and identifying areas of security weakness
• Perform technical risk assessments (IT & OT) of all new global solutions and third parties, identify potential gaps and make sound recommendations for mitigating the risks on a global scale
• Implement the Internal Cybersecurity Framework to support the state-of-art technologies and Santen regulatory and organizational requirements (ISO 27001, NIST, Data Privacy Laws)

Vulnerability Management

• Implement and improve the Global Vulnerability Management Program focused on reducing the risk presented by vulnerabilities in Santen environment by continuously performing three core steps: Discovery, Reporting and Remediation
• Guide the technical teams (Global IT Infra, Regional IT Infra and Application teams, critical third parties) to make sure vulnerabilities are mitigated on a timely manner, perform the escalations on time
• Manage the global vulnerability scan and penetration test exercises
• Manage the relationship and contracts with the external suppliers to obtain the best value for Santen

Threat Intelligence

• Determine the need for covering the risks on company’s threat landscape and continuously search for the most strategic product & services to deliver the needed capabilities
• Keep track of changes in Santen’s business, threat landscape, product innovations and rebalance according to the risk appetite
• Build and maintain robust partnerships with market leaders (e.g. Gartner, ISF) to deter shared threats in our industry
• Build close partnerships and implement efficient internal processes with business and technical teams to detect and mitigate threats before they can be exploited

Project Initiation and Execution

• Lead projects to implement new cybersecurity solutions or frameworks by developing business cases or conducting opportunity studies when needed
• Understand projects and services specificities in a multi locations environment with many remote management situations
• Ensure there are continuous PDCA (Plan, Do, Check and Action) cycles to improve services and solution in place in relations with KPIs/SLAs in place or to be developed

Stakeholder Relationship and Vendor Management

• Maintain good working relationships with internal stakeholders globally, especially with Digital & IT management
• Support his/her Digital & IT peers in charge of infrastructure, service operations and business applications to provide the right information security advice or solutions allowing them to provide the contributions to business domains
• Manage the suppliers by defining clear guidelines and objectives, relying on KPIs in coordination with the governance in place. Challenge organization and governance in place to verify the company is obtaining best value and that vendors are meeting our information security needs and requirements

Resources Management

• Develop and own the budget proposal for the cybersecurity domain in accordance with the company guidance on budget directions
• Ensure financial governance and efficient use of resources to meet business objectives.
• Execute the budget in respect of its objectives in terms of services to operate, solutions to deliver

• Perform ongoing security maturity level assessment to evaluate the effectiveness of security controls and explain the effectiveness to project teams, business stakeholders and senior management

Education

Indicate the type and level of education (including languages) required and whether they are “essential” or “desirable”. Describe the education required for the job.

Essential

• Bachelor's degree in Business, Computer Sciences, Engineering, or related field
• Relevant Cyber security certifications (CISSP, CISM, CISA, CEH, etc.)

Experience

Indicate the length and type of experience required to perform this job satisfactorily and whether they are “essential” or “desirable”.

Essential

• Minimum of 10 years experiences in Information Systems, including minimum of 7 years experiences in the fields of Information Security, Cybersecurity, Risk Management, including demonstrated competency in:

• Cross-functional leadership and stakeholder relationship management (external and internal)
• Successfully implementing global cybersecurity programs and systems
• Implementing a risk-based cybersecurity framework

• Expert knowledge/experience with program implementations such as ISO, NIST CSF, COBIT and other related compliance frameworks
• Proven experience in performing risk, business impact, control and vulnerability assessments, and in defining treatment strategies
• Successful experiences of project management, applied to information systems and services
• International experience of working with teams spread across different countries and global stakeholders
• Proven experience in researching, evaluating, negotiating, and managing third-party service providers.

Functional Competencies

Highlight the particularly important areas (aptitude, expertise and skills) and whether they are “essential” or “desirable”.

                                                                                                                 Essential

• Expert understanding of cybersecurity concepts, principles and practices
• Expert knowledge of current and emerging cybersecurity risks, and innovative risk management methods and solutions
• Knowledge of security best practices in public cloud environments and SASE, CASB, SWG, ZTNA technologies
• Broad knowledge and perspectives on information systems, including business systems and services
• A strong understanding of the business impact of security tools, technologies and policies
• Practical project management skills applied to information systems and services
• Strong collaboration/communication experiences in diverse/cross-cultural organizations.
• Proven leadership skills in an ambiguous or changing environment.
• Strong in logical thinking, time management, decision-making, and problem solving as able to manage multiple programs and priorities simultaneously.
• Excellent track records of delivering results.
• Excellent interpersonal, organizational, planning, presentation, documentation, facilitation, and communication skills and be capable to clearly articulate the viewpoint.
• Ability to communicate effectively up and down the management chain in the appropriate language and provides the appropriate level of detail and focus on the right information.
• Demonstrated initiative and ownership: Ability to lead, guide, and motivate people to deliver results; encourage risk taking, initiative, and responsibility; demonstrates the ability to effectively persuade others to listen, commit, and act on a new approach.
• Ability to work in a fast-paced environment leveraging internal and external resources to meet simultaneous deadlines/demands.

Santen Leadership Competencies

Highlight the most important SLCs required for the job (behaviors, attitude, mindset) and whether they are “essential” or “desirable”.

                                                                                                                    Essential

Generic style

• Independent & autonomous, while still a strong teammate
• Strong sense of integrity
• Enthusiastic and self-starting

Achieving Valuable Business Results

• Stays focus on business value
• Sets clear, challenging goals, then measures the result
• Deals with performance issues of the projects/implementations in a timely manner
• Look for new solutions, new technologies, using innovative approach

Thinking and Decision Making

• Takes a systematic and methodical approach to work
• Strong analytical, research, and problem-solving skills with a keen attention to detail
• Makes most effective questions before problems resolution plans are made
• Makes clear and timely decisions, forward-thinking

Influencing

• Good interpersonal and communication skills in order to share knowledge with a variety of levels, and to communicate effectively with business and technical functions
• Uses a mixture of data, logical arguments and organizational knowledge to achieve the desired results
• Ability to prioritize incoming escalations and requests appropriately using clear communications.

（業務内容の変更の範囲）当社業務全般
（就業場所の変更の範囲）本社および全国の事業所、営業所

Santenにおけるキャリア構築

Santenでのキャリアは、あなたにとって変化をもたらす機会となります。Santenは、「Santen2030」に示されている長期的ビジョンを通じて、視覚障がい者の社会的・経済的ニーズに応える社会イノベーターとなることを目指しています。そのために私たちは、世界中のチームメンバーと多様な才能を発揮し合い、柔軟な働き方とインクルーシブな職場環境を提供しております。その結果、新たなソリューションを発見し、患者様への理解、治療の革新を推進しています。

Santenグループは、Equal Opportunity Employerです。  私たちは、多様なチームを構築し、チームメンバー一人ひとりにとって安全でインクルーシブな物理的・仮想的職場を提供することを約束します。すべての雇用は、人種、肌の色、民族、出身/祖先、宗教、性的指向、性別、性同一性/表現、年齢、障がい、病状、配偶者の有無、退役軍人の有無、または法律で保護されているその他の特性に関係なく、ビジネスニーズ、役割要件、個人のスキルセットに基づいて行われます。