Insulet Corporation
Head of Technology Governance Risk Compliance (GRC) - (Hybrid - San Diego, CA or
Insulet Corporation, San Diego, California, United States, 92189
Head of Technology Governance Risk Compliance (GRC) - (Hybrid - San Diego, CA or Acton, MA)
The Head of Technology (GRC) reports directly to the Chief Information Security Officer and plays a pivotal role within Insulet’s Chief Technology Office (CTO). This executive will lead an enterprise‑wide function that encompasses Information Security, Governance, Technology Risk, and Compliance (GRC), with strategic oversight of internal systems, customer‑facing platforms, and clinical data environments. The role includes direct management of senior leaders and a tight partnership with leadership across Finance, Global Operations, International Commercial, Product functions, along with other internal compliance and audit functions.
This position will be responsible for building Insulet’s technology risk, compliance and resiliency strategy, proactively identifying and mitigating risks, and ensuring alignment with external auditors, regulators, and legal teams. The leader chairs the cross‑functional Technology Risk Committee and regularly presents, alongside the CISO, to the Executive Leadership Team (ELT) and Board of Directors on compliance/regulatory status, governance, and technology risk posture.
The position requires a visionary leader who can formulate and implement a cohesive framework for data governance, business continuity, and technology risk management. This includes oversight of all technology risks—beyond cybersecurity and IT—such as AI usage, data protection, and technology adoption. This leader will influence and advise peers across CTO/R&D (e.g., Systems and Software Engineering), Finance (e.g., Audit and Accounting), Procurement, Regulatory, and Compliance, and will be customer‑facing to communicate security controls and compliance adherence.
Responsibilities Governance & Policy Leadership
Setting the strategic direction of the Technology GRC organization and overseeing the team that designs, implements, and maintains the IT GRC framework, including policies, standards, and controls aligned with business objectives and risk appetite.
Oversee and set the Insulet roadmap for our Information Security Management System (ISMS), ensuring alignment with ISO 27001 and other relevant frameworks.
Oversee self‑assessments, escalating decisions and escalations per requirements, to drive decisions and risk reduction.
Govern Business Continuity Management Program and lead risk quantification efforts.
Risk Management
Design and implement a robust Three Lines of Defense (3LOD) framework, clearly delineating roles and responsibilities across business units, risk management, and internal audit to enhance accountability, risk ownership, and assurance effectiveness in alignment with industry best practices.
Lead risk assessment activities, integrating findings into the Risk Register or the Enterprise Risk Management (ERM) program.
Maintain and report on the risk register, risk treatment plans, and mitigation strategies.
Provide actionable, data‑driven insights to executive leadership and the Board on risk posture and emerging threats.
Regulatory Compliance & Audit
Ensure compliance with HIPAA, HITECH, FDA cybersecurity guidance, SOX, GDPR, CMMC, and other applicable regulations.
Oversee internal and external audits, including SOC 2, ISO 27001, and HITRUST certifications.
Serve as the primary liaison to auditors, regulators, and legal teams on cybersecurity compliance matters.
Third‑Party & Supply Chain Risk
Lead the third‑party risk management program, including vendor due diligence, contract reviews, and continuous monitoring.
Ensure supply chain security practices meet regulatory and industry expectations, including FDA and SEC guidance.
Security Awareness & Culture
Oversee enterprise‑wide security awareness and training programs, including phishing simulations and compliance education.
Foster a culture of risk awareness and accountability across all levels of the organization.
Incident Response & Resilience
Govern the enterprise cyber incident response plan, including tabletop exercises and business continuity planning.
Ensure readiness for ransomware, data breaches, and other high‑impact events.
Lead the development of an enterprise‑wide Business Continuity Program (BCP), ensuring readiness for operational disruptions and alignment with risk management strategies.
Metrics & Reporting
Define and track key performance indicators (KPIs/KRIs) and metrics for risk, quantification, compliance, and control effectiveness.
Deliver quarterly board updates, annual program reviews, and ad‑hoc reports on incidents, audits, and compliance status.
Strategic & External Engagement
Represent the organization in industry forums (e.g., H‑ISAC), regulatory discussions, and peer collaborations.
Stay ahead of emerging technologies (e.g., AI, IoMT, cloud) and evolving regulatory landscapes to inform GRC strategy.
Develop budgets and resource requirements for direct reporting teams.
Participate in the development of team strategic plans, annual goal and delivery plans, and quarterly and monthly updates and retrospectives.
Required Leadership/Interpersonal Skills & Behaviors
Proven executive leader with a track record of building and scaling high‑performing, cross‑functional teams in complex, regulated environments.
Demonstrated ability to influence across the enterprise, including ELT and Board‑level stakeholders, to drive alignment and accountability for risk and compliance outcomes.
Builds trust quickly and leads with integrity, transparency, and a collaborative mindset.
Skilled at navigating ambiguity and driving clarity in high‑stakes, fast‑paced environments.
Required Skills And Competencies
Deep expertise in security and risk frameworks and regulations, including NIST CSF, ISO 27001, SOC 2, HIPAA, HITRUST, FDA cybersecurity guidance, GDPR, and SOX.
Strong executive presence with the ability to translate complex risk and compliance issues into actionable business insights for C‑level and Board audiences.
Experience leading enterprise‑wide GRC programs that span cybersecurity, privacy, product security, and data governance.
Demonstrated success in maturing GRC capabilities through automation, metrics, and continuous improvement.
Managed and mentored teams of 15+ or more and held the title of a director or above.
Preferred
Advanced degree (e.g., MBA, MS in Cybersecurity, or related discipline).
Professional certifications such as CISSP, CISM, CISA, CRISC, or CIPP.
Experience with GRC platforms and automation tools (e.g., Archer, ServiceNow GRC, OneTrust).
Familiarity with cloud security compliance frameworks (e.g., CSA CCM, FedRAMP, HITRUST for cloud).
Experience integrating cybersecurity with enterprise risk management, privacy, and product lifecycle governance.
Demonstrated ability to apply a methodical, risk‑based approach to evaluating and governing the use of AI technologies across the enterprise.
Education And Experience
15–20+ years of progressive experience in information security, risk management, or IT audit, with at least 5 years in a senior GRC leadership role.
Proven experience leading global GRC teams and managing complex compliance programs in highly regulated industries (e.g., healthcare, MedTech, financial services).
Additional Information
The position is hybrid at our Acton/SD/Bay Area office.
Travel is estimated at 25% but will flex depending on business needs.
NOTE: This position is eligible for hybrid working arrangements (requires on‑site work from our San Diego, CA or Acton, MA office; may work remotely other days).
Compensation The US base salary range for this full‑time position is $217,275.00 – $325,912.50. Our salary ranges are determined by role, level, and location. Within the range, individual pay is determined by work location and additional factors, including job‑related skills, experience, and relevant education or training.
About Insulet Corporation Insulet Corporation (NASDAQ: PODD), headquartered in Massachusetts, is an innovative medical device company dedicated to simplifying life for people with diabetes and other conditions through its Omnipod product platform. The Omnipod Insulin Management System provides a unique alternative to traditional insulin delivery methods. With its simple, wearable design, the tubeless disposable Pod provides up to three days of non‑stop insulin delivery, without the need to see or handle a needle. Insulet’s flagship innovation, the Omnipod 5 Automated Insulin Delivery System, integrates with a continuous glucose monitor to manage blood sugar with no multiple daily injections, zero fingersticks, and can be controlled by a compatible personal smartphone in the U.S. or by the Omnipod 5 Controller. Insulet also leverages the unique design of its Pod by tailoring its Omnipod technology platform for the delivery of non‑insulin subcutaneous drugs across other therapeutic areas. For more information, please visit insulet.com and omnipod.com.
Equal Employment Opportunity At Insulet Corporation all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
#J-18808-Ljbffr
This position will be responsible for building Insulet’s technology risk, compliance and resiliency strategy, proactively identifying and mitigating risks, and ensuring alignment with external auditors, regulators, and legal teams. The leader chairs the cross‑functional Technology Risk Committee and regularly presents, alongside the CISO, to the Executive Leadership Team (ELT) and Board of Directors on compliance/regulatory status, governance, and technology risk posture.
The position requires a visionary leader who can formulate and implement a cohesive framework for data governance, business continuity, and technology risk management. This includes oversight of all technology risks—beyond cybersecurity and IT—such as AI usage, data protection, and technology adoption. This leader will influence and advise peers across CTO/R&D (e.g., Systems and Software Engineering), Finance (e.g., Audit and Accounting), Procurement, Regulatory, and Compliance, and will be customer‑facing to communicate security controls and compliance adherence.
Responsibilities Governance & Policy Leadership
Setting the strategic direction of the Technology GRC organization and overseeing the team that designs, implements, and maintains the IT GRC framework, including policies, standards, and controls aligned with business objectives and risk appetite.
Oversee and set the Insulet roadmap for our Information Security Management System (ISMS), ensuring alignment with ISO 27001 and other relevant frameworks.
Oversee self‑assessments, escalating decisions and escalations per requirements, to drive decisions and risk reduction.
Govern Business Continuity Management Program and lead risk quantification efforts.
Risk Management
Design and implement a robust Three Lines of Defense (3LOD) framework, clearly delineating roles and responsibilities across business units, risk management, and internal audit to enhance accountability, risk ownership, and assurance effectiveness in alignment with industry best practices.
Lead risk assessment activities, integrating findings into the Risk Register or the Enterprise Risk Management (ERM) program.
Maintain and report on the risk register, risk treatment plans, and mitigation strategies.
Provide actionable, data‑driven insights to executive leadership and the Board on risk posture and emerging threats.
Regulatory Compliance & Audit
Ensure compliance with HIPAA, HITECH, FDA cybersecurity guidance, SOX, GDPR, CMMC, and other applicable regulations.
Oversee internal and external audits, including SOC 2, ISO 27001, and HITRUST certifications.
Serve as the primary liaison to auditors, regulators, and legal teams on cybersecurity compliance matters.
Third‑Party & Supply Chain Risk
Lead the third‑party risk management program, including vendor due diligence, contract reviews, and continuous monitoring.
Ensure supply chain security practices meet regulatory and industry expectations, including FDA and SEC guidance.
Security Awareness & Culture
Oversee enterprise‑wide security awareness and training programs, including phishing simulations and compliance education.
Foster a culture of risk awareness and accountability across all levels of the organization.
Incident Response & Resilience
Govern the enterprise cyber incident response plan, including tabletop exercises and business continuity planning.
Ensure readiness for ransomware, data breaches, and other high‑impact events.
Lead the development of an enterprise‑wide Business Continuity Program (BCP), ensuring readiness for operational disruptions and alignment with risk management strategies.
Metrics & Reporting
Define and track key performance indicators (KPIs/KRIs) and metrics for risk, quantification, compliance, and control effectiveness.
Deliver quarterly board updates, annual program reviews, and ad‑hoc reports on incidents, audits, and compliance status.
Strategic & External Engagement
Represent the organization in industry forums (e.g., H‑ISAC), regulatory discussions, and peer collaborations.
Stay ahead of emerging technologies (e.g., AI, IoMT, cloud) and evolving regulatory landscapes to inform GRC strategy.
Develop budgets and resource requirements for direct reporting teams.
Participate in the development of team strategic plans, annual goal and delivery plans, and quarterly and monthly updates and retrospectives.
Required Leadership/Interpersonal Skills & Behaviors
Proven executive leader with a track record of building and scaling high‑performing, cross‑functional teams in complex, regulated environments.
Demonstrated ability to influence across the enterprise, including ELT and Board‑level stakeholders, to drive alignment and accountability for risk and compliance outcomes.
Builds trust quickly and leads with integrity, transparency, and a collaborative mindset.
Skilled at navigating ambiguity and driving clarity in high‑stakes, fast‑paced environments.
Required Skills And Competencies
Deep expertise in security and risk frameworks and regulations, including NIST CSF, ISO 27001, SOC 2, HIPAA, HITRUST, FDA cybersecurity guidance, GDPR, and SOX.
Strong executive presence with the ability to translate complex risk and compliance issues into actionable business insights for C‑level and Board audiences.
Experience leading enterprise‑wide GRC programs that span cybersecurity, privacy, product security, and data governance.
Demonstrated success in maturing GRC capabilities through automation, metrics, and continuous improvement.
Managed and mentored teams of 15+ or more and held the title of a director or above.
Preferred
Advanced degree (e.g., MBA, MS in Cybersecurity, or related discipline).
Professional certifications such as CISSP, CISM, CISA, CRISC, or CIPP.
Experience with GRC platforms and automation tools (e.g., Archer, ServiceNow GRC, OneTrust).
Familiarity with cloud security compliance frameworks (e.g., CSA CCM, FedRAMP, HITRUST for cloud).
Experience integrating cybersecurity with enterprise risk management, privacy, and product lifecycle governance.
Demonstrated ability to apply a methodical, risk‑based approach to evaluating and governing the use of AI technologies across the enterprise.
Education And Experience
15–20+ years of progressive experience in information security, risk management, or IT audit, with at least 5 years in a senior GRC leadership role.
Proven experience leading global GRC teams and managing complex compliance programs in highly regulated industries (e.g., healthcare, MedTech, financial services).
Additional Information
The position is hybrid at our Acton/SD/Bay Area office.
Travel is estimated at 25% but will flex depending on business needs.
NOTE: This position is eligible for hybrid working arrangements (requires on‑site work from our San Diego, CA or Acton, MA office; may work remotely other days).
Compensation The US base salary range for this full‑time position is $217,275.00 – $325,912.50. Our salary ranges are determined by role, level, and location. Within the range, individual pay is determined by work location and additional factors, including job‑related skills, experience, and relevant education or training.
About Insulet Corporation Insulet Corporation (NASDAQ: PODD), headquartered in Massachusetts, is an innovative medical device company dedicated to simplifying life for people with diabetes and other conditions through its Omnipod product platform. The Omnipod Insulin Management System provides a unique alternative to traditional insulin delivery methods. With its simple, wearable design, the tubeless disposable Pod provides up to three days of non‑stop insulin delivery, without the need to see or handle a needle. Insulet’s flagship innovation, the Omnipod 5 Automated Insulin Delivery System, integrates with a continuous glucose monitor to manage blood sugar with no multiple daily injections, zero fingersticks, and can be controlled by a compatible personal smartphone in the U.S. or by the Omnipod 5 Controller. Insulet also leverages the unique design of its Pod by tailoring its Omnipod technology platform for the delivery of non‑insulin subcutaneous drugs across other therapeutic areas. For more information, please visit insulet.com and omnipod.com.
Equal Employment Opportunity At Insulet Corporation all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
#J-18808-Ljbffr