Chief Information Security Officer

About the job

Madrigal is a biopharmaceutical company pursuing novel therapeutics for non-alcoholic steatohepatitis (NASH), also known as metabolic dysfunction associated steatohepatitis (MASH). Our first therapy, Rezdiffra (resmetirom), was granted accelerated approval by the U.S. Food and Drug Administration (FDA) for the treatment of adults with NASH with moderate to advanced liver fibrosis (consistent with stages F2 to F3 fibrosis) and is being studied in a Phase 3 trial for the treatment of NASH with compensated cirrhosis.

Role Overview

CHIEF INFORMATION SECURITY OFFICER (CISO)

As the Chief Information Security Officer (CISO) at Madrigal Pharmaceuticals you will be responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. You will lead the development and implementation of a comprehensive cybersecurity program to mitigate risks, enhance compliance, and safeguard the company's data, applications, and infrastructure.

Position Responsibilities

STRATEGIC LEADERSHIP & GOVERNANCE:

• Develop, implement, and maintain an enterprise-wide information security strategy aligned with business objectives and regulatory requirements.
• Establish cybersecurity policies, standards, and frameworks to protect critical business and customer data.
• Lead the development of a risk management program, identifying vulnerabilities and implementing appropriate mitigation measures.
• Ensure compliance with industry standards and regulatory frameworks (e.g., HIPAA, GDPR, NIST, ISO 27001, SOC 2).
• Report regularly to executive leadership on security risks and mitigation strategies.

Cybersecurity Operations & Risk Management

• Oversee the security operations center (SOC) and manage incident response, ensuring rapid detection, investigation, and mitigation of security threats.
• Direct the threat intelligence program, ensuring proactive monitoring of emerging cyber threats.
• Conduct regular security assessments, audits, and penetration testing to identify vulnerabilities and strengthen defenses.
• Implement and oversee a business continuity and disaster recovery plan to ensure resilience in case of cyber incidents.
• Develop and oversee security awareness training programs for employees to mitigate insider threats.

Technology & Infrastructure Security

• Ensure secure design, implementation, and monitoring of cloud-based and on-premises IT infrastructure.
• Lead identity and access management (IAM) strategies, ensuring proper authentication and authorization policies.
• Oversee the development and enforcement of data protection strategies, including encryption, endpoint security, and network security.
• Work closely with IT and engineering teams to integrate security best practices into software development (DevSecOps).
• Evaluate and implement next-generation cybersecurity technologies, such as AI-driven threat detection and zero-trust architecture.

Cross-functional Collaboration & Compliance

• Partner with legal, compliance, and risk management teams to ensure adherence to data protection laws and regulatory requirements.
• Work with business leaders, IT teams, and third-party vendors to align security strategies with corporate objectives.
• Establish security requirements and vendor risk management processes for third-party services and cloud providers.
• Drive the adoption of security-focused culture across all business units through education and training programs.

Qualifications And Skills Required

• Bachelor's or Master's degree in Information Security, Computer Science, Engineering, or a related field.
• 15+ years of experience in IT security, including 10+ years in a leadership role overseeing cybersecurity operations / programs.
• Deep expertise in cybersecurity frameworks, compliance standards, and risk management (e.g., NIST, ISO 27001, HIPAA, GDPR, SOC 2).
• Strong background in incident response, threat intelligence, penetration testing, and vulnerability management.
• Hands-on experience with security technologies (e.g., SIEM, firewalls, EDR, IDS/IPS, IAM, DLP).
• Strong knowledge of cloud security architectures (AWS, Azure, Google Cloud) and zero-trust frameworks.
• Familiarity with machine learning / AI-driven security tactics and analytics.
• Excellent communication and presentation skills, with experience reporting to executive leadership.
• Industry-recognized certifications preferred: CISSP, CISM, CISA, CRISC, CCISO, or equivalent.
• Fluency in English.

Relocation assistance available for qualified candidates.

Compensation: Base salary is determined by several factors that include, but are not limited to, a successful candidate's qualifications, skills, education, experience, business needs, and market demands.
The role may also be eligible for bonus, equity, and comprehensive benefits, which include flexible paid time off (PTO), medical, dental, vision, and life and disability insurance.

We know how to fine-tune corporate security because we've led effective and efficient Fortune 500-level security programs. The SEC helps businesses find the best balance of risk mitigation, cost and innovation.