Director, Application Security; Cybersecurity Defense

Position: Director, Application Security (Cybersecurity Defense)
** _What Cybersecurity Defense contributes to Cardinal Health_*
* Cybersecurity Defense focuses heavily on threat detection, incident response, and implementing security measures to protect our digital assets and infrastructure at Cardinal Health. The  _Director, Application Security_  is responsible for establishing, leading, and evolving the enterprise application security strategy to embed security into the software development lifecycle (SDLC) and reduce application-layer risk across the business segments. This leader ensures that applications and APIs are designed, developed, and deployed in alignment with security policies & standards, regulatory requirements, and risk management objectives.

This Director oversees segment-aligned application security capabilities across Pharma, Medical, and Commercial Technology environments, enabling consistent governance, scalable processes, and effective risk mitigation across diverse application portfolios.

** Location**  - Open to candidates nationwide working in a fully remote capacity, with preference towards those based local to Central Ohio (willingness to travel into our Corporate HQ in Dublin, OH during certain period of the year is a plus)

** Responsibilities*
* + Lead the enterprise application security strategy aligned with cybersecurity, risk management, and business objectives.

+ Establish governance frameworks to embed security into the software development lifecycle (SDLC) across all application domains.

+ Collaborate with enterprise architecture, engineering, and product teams to align application security with technology strategies and transformation initiatives.

+ Serve as an advisor to executive and business leadership on application security risks, priorities, and investment decisions.

+ Drive a secure-by-design culture across development and engineering teams.

+ Oversee application security capabilities across Pharma, Medical, and Commercial Technology segments, ensuring consistent implementation of security practices.

+ Define segment-specific requirements and approaches to address unique regulatory, operational, and risk considerations.

+ Ensure alignment of application security practices across segments while enabling flexibility to support business-specific needs.

+ Drive standardization of processes, tooling, and reporting across segment application security teams.

+ Oversee enterprise application security testing programs, including SAST, DAST, SCA, and IAST across all application environments.

+ Ensure vulnerabilities are identified, assessed, prioritized, and remediated during the development lifecycle prior to deployment.

+ Establish secure coding standards and integrate security controls into CI/CD pipelines and development workflows.

+ Collaborate with development teams to reduce application security technical debt and improve code quality.

+ Oversee implementation of runtime security controls for applications and APIs, including WAF, API gateways, and runtime monitoring solutions.

+ Ensure security requirements are embedded into application and API design, deployment, and operational processes.

+ Collaborate with engineering and infrastructure teams to enforce runtime protections aligned with enterprise architecture.

+ Monitor runtime risks and coordinate mitigation efforts across application environments.

+ Lead development and integration of application security tooling, including configuration, onboarding, and operational management.

+ Define use cases, policies, and detection logic for application security tools to ensure effective coverage and scalability.

+ Drive integration of application security tools into CI/CD pipelines and Dev Sec Ops  workflows.

+ Ensure application security tooling aligns with enterprise security architecture and standards.

+ Collaborate with Security Architecture teams to define secure design patterns, reference architectures, and application security standards.

+ Ensure application security requirements are incorporated into solution design and architecture reviews.

+ Partner with engineering teams to implement secure development lifecycle (SDLC) practices and controls.

+ Support evaluation of new…