VP - Cybersecurity Governance, Risk & Compliance
Job in Augusta, Kennebec County, Maine, 04332, USA
Listed on 2026-06-05
Listing for: Cardinal Health
Full Time position
Job specializations: IT/Tech - Cybersecurity, Information Security, Data Security, IT Consultant
Job Description & How to Apply Below
Information Technology oversees the effective development, delivery, and operation of computing and information services. This function anticipates, plans, and delivers Information Technology solutions and strategies that enable operations and drive business value.
Information Security and Risk develops, implements, and enforces security controls to protect the organization's technology assets from intentional or inadvertent modification, disclosure or destruction. This job family develops system back-up and disaster recovery plans. Information Technology also conducts incident response, threat management, vulnerability scanning, virus management and intrusion detection and completes risk assessments.
Job Summary
The Vice President - Cybersecurity Governance, Risk & Compliance is a senior executive responsible for establishing, leading, and evolving the enterprise-wide cybersecurity governance, risk management, compliance, resilience, and third-party oversight strategy. This individual will ensure that cybersecurity risks are effectively identified, managed, and communicated in alignment with business objectives, regulatory requirements, and enterprise risk frameworks.
The role requires a seasoned leader with deep expertise in cybersecurity GRC, including risk management, regulatory compliance, policy and standards, third-party risk oversight, cyber resilience, disaster recovery, and security awareness. This individual will play a critical role in embedding security and risk-informed decision-making across the business, enabling scalable governance processes, and ensuring organizational readiness for evolving regulatory, operational, and threat landscapes.
The ideal candidate brings diverse perspectives gained through leadership experience across multiple organizations, industries, regulatory environments, or large-scale transformation initiatives. This position reports to the SVP, Chief Information Security Officer (CISO).
Responsibilities
Organizational Leadership & Governance
+ Support the CISO in operating a cybersecurity governance program that defines policies, standards, roles, and accountability structures across the enterprise
+ Serve as an advisor to executive leadership and the board on cybersecurity risk posture, regulatory exposure, and compliance readiness
+ Establish and maintain governance processes that ensure alignment between cybersecurity initiatives, enterprise risk management, and business objectives
+ Drive integration of cybersecurity governance into enterprise decision-making, transformation initiatives, and operational processes
+ Foster a culture of accountability, transparency, and risk awareness across the organization
Cyber Policy, Standards & Controls Governance
+ Maintain and enforce cybersecurity policies and standards aligned with regulatory requirements, industry frameworks, and enterprise objectives
+ Oversee policy lifecycle management, including development, review, approval, communication, and enforcement
+ Establish and maintain a centralized controls inventory to track security controls and associated requirements across systems and applications
+ Ensure effective communication and adoption of policies and standards across business and technology teams
Cyber Risk Management & ERM Integration
+ Operationalize a standardized cybersecurity risk management framework, taxonomy, and methodology aligned to enterprise risk management practices
+ Oversee cyber risk assessments, including identification, evaluation, and prioritization of threats and vulnerabilities
+ Establish and maintain a GRC platform to track risks, remediation activities, and risk ownership across cybersecurity and business teams
+ Oversee risk response and remediation strategies so that appropriate mitigation plans are developed, executed, and monitored
+ Partner with Enterprise Risk Management (ERM) to align cyber risks with broader organizational risk frameworks and reporting structures
Regulatory Compliance & Assurance
+ Oversee cybersecurity compliance programs to support adherence to applicable regulatory, legal, and industry requirements (e.g., SOX, HIPAA, PCI, HITRUST, SOC 2)
+ Establish and maintain processes for internal and external compliance assessments, including audit support, evidence management, and remediation tracking
+ Oversee internal compliance management efforts to enforce adherence to security policies, standards, and controls
+ Direct external compliance activities, including customer assessments, regulatory reviews, and third-party audits
+ Ensure continuous monitoring of the regulatory landscape to proactively adapt compliance programs and controls
Cyber Third Party Risk Management
+ Oversee the cybersecurity third-party risk management (TPRM) program, including risk assessments, onboarding, monitoring, and offboarding processes
+ Establish governance for third-party lifecycle management to…