What Information Security and Risk contributes to Cardinal Health
Information Technology oversees the effective development, delivery, and operation of computing and information services. This function anticipates, plans, and delivers Information Technology solutions and strategies that enable operations and drive business value.
Information Security and Risk develops, implements, and enforces security controls to protect the organization's technology assets from intentional or inadvertent modification, disclosure or destruction. This job family develops system back-up and disaster recovery plans. Information Technology also conducts incident response, threat management, vulnerability scanning, virus management and intrusion detection and completes risk assessments.
Job Summary
The Vice President - Cybersecurity Governance, Risk & Compliance is a senior executive responsible for establishing, leading, and evolving the enterprise-wide cybersecurity governance, risk management, compliance, resilience, and third-party oversight strategy. This individual will ensure that cybersecurity risks are effectively identified, managed, and communicated in alignment with business objectives, regulatory requirements, and enterprise risk frameworks.
The role requires a seasoned leader with deep expertise in cybersecurity GRC, including risk management, regulatory compliance, policy and standards, third-party risk oversight, cyber resilience, disaster recovery, and security awareness. This individual will play a critical role in embedding security and risk-informed decision-making across the business, enabling scalable governance processes, and ensuring organizational readiness for evolving regulatory, operational, and threat landscapes. The ideal candidate brings divers perspectives gained through leadership experience across multiple organizations, industries, regulatory environments or large-scale transformation initiatives. This position reports to the SVP, Chief Information Security Officer (CISO).
Responsibilities
Organizational Leadership & Governance
Support CISO in operating a cybersecurity governance program that defines policies, standards, roles, and accountability structures across the enterprise
Serve as an advisor to executive leadership and the board on cybersecurity risk posture, regulatory exposure, and compliance readiness
Establish and maintain governance processes that ensure alignment between cybersecurity initiatives, enterprise risk management, and business objectives
Drive integration of cybersecurity governance into enterprise decision-making, transformation initiatives, and operational processes
Foster a culture of accountability, transparency, and risk awareness across the organization
Cyber Policy, Standards & Controls Governance
Maintain, and enforce cybersecurity policies and standards aligned with regulatory requirements, industry frameworks, and enterprise objectives
Oversee policy lifecycle management, including development, review, approval, communication, and enforcement
Establish and maintain a centralized controls inventory to track security controls and associated requirements across systems and applications. Ensure effective communication and adoption of policies and standards across business and technology teams
Cyber Risk Management & ERM Integration
Operationalize a standardized cybersecurity risk management framework, taxonomy, and methodology aligned to enterprise risk management practices
Oversee cyber risk assessments, including identification, evaluation, and prioritization of threats and vulnerabilities
Establish and maintain GRC platform to track risks, remediation activities, and risk ownership across cybersecurity and business teams
Oversee risk response and remediation strategies so that appropriate mitigation plans are developed, executed, and monitored
Partner with Enterprise Risk Management (ERM) to align cyber risks with broader organizational risk frameworks and reporting structures
Regulatory Compliance & Assurance
Oversee cybersecurity compliance programs to support adherence to applicable regulatory, legal, and industry requirements (e.g., SOX, HIPAA, PCI, HITRUST, SOC 2)
Establish and maintain processes for internal and external compliance assessments, including audit support, evidence management, and remediation tracking
Oversee internal compliance management efforts to enforce adherence to security policies, standards, and controls
Direct external compliance activities, including customer assessments, regulatory reviews, and third-party audits
Ensure continuous monitoring of the regulatory landscape to proactively adapt compliance programs and controls
Cyber Third Party Risk Management
Oversee the cybersecurity third-party risk management (TPRM) program, including risk assessments, onboarding, monitoring, and offboarding processes
Establish governance for third-party lifecycle management to ensure risks are identified, assessed, and mitigated throughout vendor engagements
Oversee contract reviews to validate inclusion of security and data protection requirements
Collaborate with internal stakeholders and external providers to develop joint incident response plans and ensure alignment with enterprise security expectations
Drive integration of third-party risk insights into overall cybersecurity risk posture and reporting
Cyber Resilience, Disaster Recovery & Crisis Management
Define and lead enterprise cyber resilience strategy, including IT resilience assessments and dependency mapping to identify critical system vulnerabilities
Oversee development and maintenance of disaster recovery (DR) and business continuity plans for IT systems and operational environments
Direct execution of disaster recovery testing and simulation exercises to validate effectiveness of recovery strategies and plans
Oversee crisis management coordination, including establishment of governance structures, escalation protocols, and communication processes for major incidents
Ensure alignment between resilience, incident response, and business continuity strategies
Metrics, Reporting & GRC Tooling
Establish and oversee cybersecurity metrics and reporting frameworks, including KPIs and KRIs, to measure program performance and risk posture
Provide regular reporting and insights to executive leadership and the board to support strategic decision-making
Oversee the design, implementation, and optimization of GRC tools and platforms to enable efficient risk, compliance, and control management
Leverage data analytics to drive transparency, prioritization, and continuous improvement across GRC functions
Cyber Training, Awareness & Culture
Support and oversee the enterprise-wide cybersecurity training and awareness programs to promote secure behaviors and risk awareness
Oversee role-based and executive training initiatives to ensure accountability and understanding of cybersecurity responsibilities
Direct phishing simulation programs and awareness campaigns to strengthen organizational resilience against social engineering threats
Promote continuous learning and capability development across cybersecurity and business teams
Stakeholder Engagement & Business Integration
Partner with business units, IT, legal, audit, and compliance teams to embed cybersecurity governance, risk, and compliance practices into business operations
Serve as a liaison between cybersecurity and enterprise stakeholders to ensure alignment on risk priorities and compliance requirements
Collaborate with security architecture and engineering teams to ensure solutions align with established security standards and policies
Drive consistent communication, reporting, and alignment across global cybersecurity and business teams
Talent Leadership & Program Maturity
