Lead Director - Third Party Security, Assessment Operations

We're building a world of health around every individual - shaping a more connected, convenient and compassionate health experience. At CVS Health®, you'll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger - helping to simplify health care one person, one family and one community at a time. Position Summary The Lead Director of Third-Party Security Assessment & Risk Operations plays a critical role in protecting the organization by ensuring that third parties (vendors, suppliers, and partners) meet the security standards required to operate in a highly regulated environment. This role leads the end-to-end lifecycle of third-party security assessments, ensuring that risks are identified early, understood clearly, and addressed effectively. By building and advancing a scalable, risk-based assessment program, this position helps safeguard the enterprise while enabling the business to move forward with confidence in its external partnerships. This leader partners closely with Procurement, Legal, Compliance, and business units to embed security into the full vendor lifecycle and translate complex cyber risks into clear, actionable guidance. The role also shapes enterprise-wide risk and control assurance efforts by bringing visibility, consistency, and accountability to third-party risk management. Through strong program leadership, executive engagement, and continuous improvement, the Lead Director ensures the organization can manage third-party risk at scale while supporting growth, regulatory compliance, and operational resilience. Key Responsibilities Third Party Security Leadership Own and continuously mature the enterprise Third Party Security program, including processes, and tooling. Direct staff in the identification, development, implementation, and maintenance of security assessment practices for all third parties - including vendors, suppliers, and business partners. Establish demand-driven resource models and align team capacity to portfolio volume and organizational priorities. Build, coach, and lead a high-performing team of security professionals spanning Individual Contributors, Managers, and Senior Managers. Risk Assessment & Control Assurance Lead the evaluation and assessment of emerging cyber threats, vulnerabilities, and attack vectors relevant to third party ecosystems. Direct detailed control testing, regulatory audit scenarios, and compliance validation activities for third party relationships. Develop and enforce risk-based remediation strategies derived from assessment findings and lessons learned. Implement and enforce security controls within third parties supporting large, complex, and diverse enterprise environments. Regulatory Compliance & Policy Alignment Ensure organizational adherence to applicable local, national, and international regulatory requirements (e.g., HIPAA, PCI-DSS, NIST, ISO 27001/27036, SOC 2) within the scope of third party security. Provide authoritative security guidance to project teams, portfolio personnel, and business leaders to ensure alignment with CVS Health control standards. Monitor evolving regulatory and industry landscapes and proactively adjust program requirements to maintain compliance. Executive Stakeholder Engagement Serve as a trusted advisor to senior business and technology executives on third party cyber security matters. Communicate risk posture, program performance metrics, and remediation status to executive leadership through compelling, data-driven presentations. Act as the primary point of enablement for Third Party Security Assessment Operations across the organization. Develop and sustain strategic relationships across functional business, IT, and vendor leadership teams. Operational Excellence & Continuous Improvement Establish organizational capabilities to track program progress, surface issues, and remove obstacles in alignment with the CVS Health mission. Define and monitor KPIs and KRIs to measure program effectiveness and drive continuous improvement. Identify and implement technology solutions and automation opportunities to scale assessment operations. Required Qualifications 10+ years of progressive Information Security experience, with a strong foundation across risk management, architecture, and engineering domains. 7+ years of direct leadership experience managing security professionals in both direct and matrixed reporting structures. 5+ years of experience building and leading Third Party Security Risk or Vendor Risk Management programs at enterprise scale. 5+ years of experience leading detailed control testing, regulatory audits, and compliance assessments. 3+ years of experience implementing security controls within third party environments supporting large, complex enterprises. Preferred Qualifications Exceptional communication and executive presentation skills; ability to translate technical risk into business language for non-technical audiences. Strong command of risk analysis frameworks and the ability to derive well-defined mitigation strategies from assessment findings. Demonstrated ability to lead and influence without direct authority across cross-functional, matrixed organizations. Superior organizational and process management skills; experience building and scaling high-performing teams. Proficiency with Third Party Risk platforms (e.g., Archer, SecurityScorecard, ServiceNow, BlackKite) and GRC tooling. Integration and adoption of AI-based tooling to facilitate time to market and defensible results Education Bachelor's degree or equivalent experience (High School Diploma and 4 years relevant experience) Pay Range The typical pay range for this role is: $144,200.00 - $288,400.00. This pay range represents the base hourly rate or base annual full-time salary for all positions in the job grade within which this position falls. The actual base salary offer will depend on a variety of factors including experience, education, geography and other relevant factors. This position is eligible for a CVS Health bonus, commission or short-term incentive program in addition to the base pay range listed above. This position also includes an award target in the company's equity award program. Benefits We take pride in offering a comprehensive and competitive mix of pay and benefits that reflects our commitment to our colleagues and their families. This full‑time position is eligible for a comprehensive benefits package designed to support the physical, emotional, and financial well‑being of colleagues and their families. The benefits for this position include medical, dental, and vision coverage, paid time off, retirement savings options, wellness programs, and other resources, based on eligibility. Additional details about available benefits are provided during the application process and on Benefits Moments. Qualified applicants with arrest or conviction records will be considered for employment in accordance with all federal, state and local laws. We anticipate the application window for this opening will close on: 07/06/2026. #J-18808-Ljbffr Hispanic Alliance for Career Enhancement