Director, IT - Governance, Risk & Compliance

DIRECTOR, IT GOVERNANCE, RISK & COMPLIANCE

COMPANY OVERVIEW:

Zentalis® Pharmaceuticals, Inc. is a clinical-stage biopharmaceutical company developing azenosertib (ZN-c3), a potentially first-in-class and best-in-class WEE1 inhibitor for patients with Cyclin E1+ platinum-resistant ovarian cancer (PROC). Azenosertib is being evaluated as a monotherapy and in combination across multiple tumor types in clinical trials and has broad franchise potential. In clinical trials, azenosertib has been well tolerated and has demonstrated anti-tumor activity as a single agent across multiple tumor types. The Company is also leveraging its extensive experience and capabilities to translate its science to advance research on additional areas of opportunity for azenosertib outside PROC.

POSITION SUMMARY:

The Director of IT Governance, Risk & Compliance (IT GRC) is a senior leader responsible for maturing the company's IT governance framework, risk management program, and regulatory compliance posture. This role owns the IT GRC function serving as the primary liaison between Information Technology, Quality Assurance, Legal, Finance, and external auditors to ensure that IT systems, processes, and controls meet all applicable regulatory and industry standards. Operating within a highly regulated biotech environment, this leader will drive compliance with FDA 21 CFR Part 11, GxP system validation, SOX IT General Controls (ITGCs), HIPAA, NIS2 Directive, and cybersecurity frameworks (NIST, ISO 27001). Reporting directly to the VP of IT the Director is a key member of the IT leadership team with accountability for enterprise-wide IT risk strategy, audit outcomes, and regulatory readiness. This role carries significant cross-functional influence and is expected to shape company culture around governance and compliance.

ESSENTIAL DUTIES AND RESPONSIBILITIES:

IT Governance

• Own and continuously evolve the IT governance framework aligned with COBIT, ITIL, or equivalent standards; set multi-year roadmap for IT GRC maturity.
• Establish, maintain, and enforce IT policies, standards, and procedures in alignment with business objectives and regulatory requirements.
• Lead the IT Governance Committee; prepare Board-and executive-level reporting on governance posture, KPIs, and strategic risk.
• Drive IT portfolio governance to ensure alignment of technology investments with enterprise strategy and risk appetite; partner with Finance on IT spend decisions.
• Contribute to enterprise risk management (ERM) strategy alongside Finance and Legal

Risk Management

• Lead the enterprise IT risk management lifecycle: identification, assessment, treatment, monitoring, and reporting.
• Maintain and continuously update the IT risk register; escalate critical risks to senior leadership and the Board, as appropriate.
• Partner with business units to conduct risk-based vendor and third-party assessments for critical technology partners and SaaS providers.

Regulatory Compliance & Audit

• Own and manage IT compliance programs across GxP (21 CFR Part 11, Annex 11), SOX ITGCs, HIPAA, NIS2 Directive, and applicable data privacy regulations (GDPR, CCPA, when applicable).
• Serve as the primary IT point of contact for internal and external auditors; coordinate IT audit requests, responses, and remediation.
• Lead IT General Controls testing and documentation for SOX compliance cycles; partner with Finance and External Audit.
• Participate in GxP computer system validation (CSV) oversight in coordination with QA — including URS, IQ/OQ/PQ documentation, and periodic reviews.
• Track and drive closure of all IT audit findings, control deficiencies, and corrective and preventative actions (CAPAs).

Policy, Training & Awareness

• Develop and maintain the IT policy library; ensure timely review cycles and version control.
• Drive an IT compliance awareness culture through training programs, communications, and onboarding curriculum.

Advise IT project teams and technology owners on control requirements during system design and implementation

KNOWLEDGE/SKILLS/ABILITIES REQUIRED:

Required

Bachelor's degree in Information Technology, Computer Science, Life Sciences, or a related field; Master's degree strongly preferred.

12+ years of progressive IT GRC, IT audit, or IT compliance experience, with at least 5 years in a biotech, pharmaceutical, or medical device environment.

Minimum 4 years of people management experience, including managing managers or senior individual contributors.

Deep expertise in FDA 21 CFR Part 11, GxP computer system validation (CSV), and SOX IT General Controls.

Proven track record managing IT audit processes and working directly with external auditors (Big 4 preferred) and regulatory agencies.

Strong knowledge of IT risk management frameworks (NIST CSF, ISO 27001/27002, COBIT) and demonstrated ability to set and execute multi-year GRC strategy.

Preferred

Master's degree in Information Systems, Business Administration, or a related discipline.

Professional certifications: CISA, CRISC, CGEIT, CISSP, or CIPP.

Experience with cloud GRC platforms (ServiceNow GRC, Archer, Vanta, Drata) and validated cloud environments (AWS, Azure, GCP).

Familiarity with HIPAA/HITECH, NIS2 Directive, GDPR, and CCPA compliance in a clinical or research setting.

Prior experience supporting IND/NDA/BLA submissions or FDA facility inspections.

Experience standing up a GRC function or program from an early-stage maturity baseline.