Lead Director - Third Party Security, Assessment Operations

Job in Billings, Yellowstone County, Montana, 59107, USA
Listing for: Hispanic Alliance for Career Enhancement
Full Time position
Listed on 2026-06-28
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security
Salary/Wage Range or Industry Benchmark: 144200 - 288400 USD Yearly
Job Description & How to Apply Below

We're building a world of health around every individual - shaping a more connected, convenient and compassionate health experience. At CVS Health®, you'll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger - helping to simplify health care one person, one family and one community at a time.

Position Summary

The Lead Director of Third-Party Security Assessment & Risk Operations plays a critical role in protecting the organization by ensuring that third parties (vendors, suppliers, and partners) meet the security standards required to operate in a highly regulated environment. This role leads the end-to-end lifecycle of third-party security assessments, ensuring that risks are identified early, understood clearly, and addressed effectively. By building and advancing a scalable, risk-based assessment program, this position helps safeguard the enterprise while enabling the business to move forward with confidence in its external partnerships.

This leader partners closely with Procurement, Legal, Compliance, and business units to embed security into the full vendor lifecycle and translate complex cyber risks into clear, actionable guidance. The role also shapes enterprise-wide risk and control assurance efforts by bringing visibility, consistency, and accountability to third-party risk management. Through strong program leadership, executive engagement, and continuous improvement, the Lead Director ensures the organization can manage third-party risk at scale while supporting growth, regulatory compliance, and operational resilience.

Key Responsibilities

Third Party Security Leadership
  • Own and continuously mature the enterprise Third Party Security program, including processes and tooling.
  • Direct staff in the identification, development, implementation, and maintenance of security assessment practices for all third parties - including vendors, suppliers, and business partners.
  • Establish demand-driven resource models and align team capacity to portfolio volume and organizational priorities.
  • Build, coach, and lead a high-performing team of security professionals spanning Individual Contributors, Managers, and Senior Managers.
Risk Assessment & Control Assurance
  • Lead the evaluation and assessment of emerging cyber threats, vulnerabilities, and attack vectors relevant to third party ecosystems.
  • Direct detailed control testing, regulatory audit scenarios, and compliance validation activities for third party relationships.
  • Develop and enforce risk-based remediation strategies derived from assessment findings and lessons learned.
  • Implement and enforce security controls within third parties supporting large, complex, and diverse enterprise environments.
Regulatory Compliance & Policy Alignment
  • Ensure organizational adherence to applicable local, national, and international regulatory requirements (e.g., HIPAA, PCI-DSS, NIST, ISO 27001/27036, SOC 2) within the scope of third party security.
  • Provide authoritative security guidance to project teams, portfolio personnel, and business leaders to ensure alignment with CVS Health control standards.
  • Monitor evolving regulatory and industry landscapes and proactively adjust program requirements to maintain compliance.
Executive Stakeholder Engagement
  • Serve as a trusted advisor to senior business and technology executives on third party cyber security matters.
  • Communicate risk posture, program performance metrics, and remediation status to executive leadership through compelling, data-driven presentations.
  • Act as the primary point of enablement for Third Party Security Assessment Operations across the organization.
  • Develop and sustain strategic relationships across functional business, IT, and vendor leadership teams.
Operational Excellence & Continuous Improvement
  • Establish organizational capabilities to track program progress, surface issues, and remove obstacles in alignment with the CVS Health mission.
  • Define and monitor KPIs and KRIs to measure program effectiveness and drive continuous improvement.
  • Identify and implement technology solutions and automation opportunities to scale assessment operations.
Required Qualifications
  • 10+ years of progressive Information Security experience, with a strong foundation across risk management, architecture, and engineering domains.
  • 7+ years of direct leadership experience managing security professionals in both direct and matrixed reporting structures.
  • 5+ years of experience building and leading Third Party Security Risk or Vendor Risk Management programs at enterprise scale.
  • 5+ years of experience leading detailed control testing, regulatory audits, and compliance assessments.
  • 3+ years of experience implementing security controls within third party environments supporting large, complex enterprises.
Preferred Qualifications
  • Exceptional communication and executive presentation skills; ability to translate technical…