Purpose of the Job:
The role of Senior Manager - Cybersecurity, Data Privacy and Protection is accountable for the strategic definition, execution, and sustained governance of cybersecurity, data privacy, and data protection across all Vision Care Solutions (VCS) platforms, products, and digital initiatives. The role serves as the single-point owner for cyber risk management, privacy-by-design principles, and regulatory compliance within a highly regulated global healthcare environment.
This position combines strategic leadership with a strong hands-on orientation, ensuring that cybersecurity and privacy considerations are systematically embedded throughout the entire product, platform, and technology lifecycle—from early architecture and design decisions through development, deployment, and ongoing operations.
Operating in close alignment with the Business Information Security Organization (BISO), the role ensures consistent adherence to ZEISS security, privacy, and data protection standards, while enabling business innovation, speed, and scalability. The incumbent acts as a key integrator between business strategy, digital transformation, engineering execution, and regulatory obligations, thereby enabling the secure and compliant delivery of Vision Care Solutions worldwide.
This is a senior individual contributor role with global reach and strategic influence. The position provides dotted-line technical oversight, architectural guidance, and prioritization to cybersecurity engineers embedded within product, platform, and technology teams across multiple regions.
The role requires close and continuous collaboration with Product Management, Engineering, Cloud and Platform teams, Legal, Compliance, IT, and external partners. Through proactive engagement, the incumbent identifies and mitigates risks early, influences critical design and architectural decisions, and drives a strong culture of security and privacy by design across the organization.
Primary duties and responsibilities:
Cybersecurity Strategy & Risk Management:
- Define, own, and continuously evolve the Vision Care Solutions cybersecurity strategy, ensuring alignment with business objectives, digital transformation priorities, and healthcare regulatory requirements.
- Identify, assess, prioritize, and mitigate cybersecurity risks across applications, platforms, infrastructure, cloud environments, and third-party integrations.
- Lead and oversee threat modeling, vulnerability management, penetration testing, and incident response preparedness across all digital assets.
- Establish and maintain security architecture principles, standards, and reference models that guide secure system and product design.
- Define clear, actionable security work instructions and expectations for software development teams, ensuring that all development activities adhere to secure-by-design and secure-by-default principles throughout the SDLC.
Data Privacy and Data Protection:
- Drive the adoption and operationalization of privacy-by-design and privacy-by-default principles across products, platforms, and systems, including DEPS (Design Engineering for Privacy and Security).
- Ensure compliance with applicable global and regional data protection regulations, including GDPR, HIPAA, and other healthcare-relevant privacy frameworks.
- Define, implement, and monitor policies related to data classification, access control, encryption, data retention, consent management, and secure data handling.
- Act as the internal authority on data privacy risks, privacy impact assessments, regulatory interpretations, and remediation strategies.
- Provide expert guidance to product and engineering teams to ensure privacy considerations are addressed early and consistently across the solution lifecycle.
DevSecOps and Engineering Enablement:
- Embed appropriate security controls, tools, and automated checks into CI/CD pipelines and DevSecOps workflows.
- Partner closely with software engineering, platform, and cloud teams to proactively identify and remediate security gaps.
- Provide dotted-line technical leadership and prioritization to cybersecurity engineers distributed across product and technology teams.
- Review and challenge architecture designs, technical solutions, and release decisions to ensure alignment with security and privacy standards.
- Promote scalable, repeatable, and automation-driven security practices that support rapid and secure product delivery.
Governance, Advisory, and Stakeholder Engagement:
- Serve as a trusted advisor to senior leadership on cybersecurity posture, risk exposure, incidents, and regulatory implications.
- Partner with Product, Engineering, Legal, Compliance, IT, and Business stakeholders to balance security, compliance, innovation, and time-to-market.
- Lead security and privacy awareness initiatives, fostering a strong culture of accountability and best-practice adoption across engineering and digital teams.
- Represent Vision Care Solutions in engagements with external auditors, regulators, customers, and security partners, as required.
- Ensure transparent reporting and escalation of security and privacy risks, incidents, and remediation progress.
Experience, Qualifications, and Skills:
- Minimum of 15 years of experience in software engineering, platform development, cybersecurity, and/or DevSecOps environments.
- Proven experience providing technical leadership, architectural guidance, and governance in complex, distributed technology landscapes.
- Strong background in secure software development, cloud security, application security, and modern DevSecOps practices.
- Prior experience in healthcare, health technology, medical devices, or other highly regulated industries is strongly preferred.
- Demonstrated ability to influence without direct authority and operate effectively in a global, matrixed organization.
- Relevant professional certifications (e.g., CISSP, CISM, CIPP, CCSP) are desirable but not mandatory.