VP - Cybersecurity Governance, Risk & Compliance

What Information Security and Risk contributes to Cardinal Health

Information Technology oversees the effective development, delivery, and operation of computing and information services. This function anticipates, plans, and delivers Information Technology solutions and strategies that enable operations and drive business value.

Information Security and Risk develops, implements, and enforces security controls to protect the organization's technology assets from intentional or inadvertent modification, disclosure or destruction. This job family develops system back-up and disaster recovery plans. Information Technology also conducts incident response, threat management, vulnerability scanning, virus management and intrusion detection and completes risk assessments.

Job Summary

The Vice President - Cybersecurity Governance, Risk & Compliance is a senior executive responsible for establishing, leading, and evolving the enterprise-wide cybersecurity governance, risk management, compliance, resilience, and third-party oversight strategy. This individual will ensure that cybersecurity risks are effectively identified, managed, and communicated in alignment with business objectives, regulatory requirements, and enterprise risk frameworks.

The role requires a seasoned leader with deep expertise in cybersecurity GRC, including risk management, regulatory compliance, policy and standards, third-party risk oversight, cyber resilience, disaster recovery, and security awareness. This individual will play a critical role in embedding security and risk-informed decision-making across the business, enabling scalable governance processes, and ensuring organizational readiness for evolving regulatory, operational, and threat landscapes. The ideal candidate brings divers perspectives gained through leadership experience across multiple organizations, industries, regulatory environments or large-scale transformation initiatives. This position reports to the SVP, Chief Information Security Officer (CISO).

Responsibilities

Organizational Leadership & Governance

• Support CISO in operating a cybersecurity governance program that defines policies, standards, roles, and accountability structures across the enterprise

• Serve as an advisor to executive leadership and the board on cybersecurity risk posture, regulatory exposure, and compliance readiness

• Establish and maintain governance processes that ensure alignment between cybersecurity initiatives, enterprise risk management, and business objectives

• Drive integration of cybersecurity governance into enterprise decision-making, transformation initiatives, and operational processes

• Foster a culture of accountability, transparency, and risk awareness across the organization

Cyber Policy, Standards & Controls Governance

• Maintain, and enforce cybersecurity policies and standards aligned with regulatory requirements, industry frameworks, and enterprise objectives

• Oversee policy lifecycle management, including development, review, approval, communication, and enforcement

• Establish and maintain a centralized controls inventory to track security controls and associated requirements across systems and applications. Ensure effective communication and adoption of policies and standards across business and technology teams

Cyber Risk Management & ERM Integration

• Operationalize a standardized cybersecurity risk management framework, taxonomy, and methodology aligned to enterprise risk management practices

• Oversee cyber risk assessments, including identification, evaluation, and prioritization of threats and vulnerabilities

• Establish and maintain GRC platform to track risks, remediation activities, and risk ownership across cybersecurity and business teams

• Oversee risk response and remediation strategies so that appropriate mitigation plans are developed, executed, and monitored

• Partner with Enterprise Risk Management (ERM) to align cyber risks with broader organizational risk frameworks and reporting structures

Regulatory Compliance & Assurance

• Oversee cybersecurity compliance programs to support adherence to applicable regulatory, legal, and industry requirements (e.g., SOX, HIPAA, PCI, HITRUST, SOC 2)

• Establish and maintain processes for internal and external compliance assessments, including audit support, evidence management, and remediation tracking

• Oversee internal compliance management efforts to enforce adherence to security policies, standards, and controls

• Direct external compliance activities, including customer assessments, regulatory reviews, and third-party audits

• Ensure continuous monitoring of the regulatory landscape to proactively adapt compliance programs and controls

Cyber Third Party Risk Management

• Oversee the cybersecurity third-party risk management (TPRM) program, including risk assessments, onboarding, monitoring, and offboarding processes

• Establish governance for third-party lifecycle management to ensure risks are identified, assessed, and mitigated throughout vendor engagements

• Oversee contract reviews to validate inclusion of security and data protection requirements

• Collaborate with internal stakeholders and external providers to develop joint incident response plans and ensure alignment with enterprise security expectations

• Drive integration of third-party risk insights into overall cybersecurity risk posture and reporting

Cyber Resilience, Disaster Recovery & Crisis Management

• Define and lead enterprise cyber resilience strategy, including IT resilience assessments and dependency mapping to identify critical system vulnerabilities

• Oversee development and maintenance of disaster recovery (DR) and business continuity plans for IT systems and operational environments

• Direct execution of disaster recovery testing and simulation exercises to validate effectiveness of recovery strategies and plans

• Oversee crisis management coordination, including establishment of governance structures, escalation protocols, and communication processes for major incidents

• Ensure alignment between resilience, incident response, and business continuity strategies

Metrics, Reporting & GRC Tooling

• Establish and oversee cybersecurity metrics and reporting frameworks, including KPIs and KRIs, to measure program performance and risk posture

• Provide regular reporting and insights to executive leadership and the board to support strategic decision-making

• Oversee the design, implementation, and optimization of GRC tools and platforms to enable efficient risk, compliance, and control management

• Leverage data analytics to drive transparency, prioritization, and continuous improvement across GRC functions

Cyber Training, Awareness & Culture

• Support and oversee the enterprise-wide cybersecurity training and awareness programs to promote secure behaviors and risk awareness

• Oversee role-based and executive training initiatives to ensure accountability and understanding of cybersecurity responsibilities

• Direct phishing simulation programs and awareness campaigns to strengthen organizational resilience against social engineering threats

• Promote continuous learning and capability development across cybersecurity and business teams

Stakeholder Engagement & Business Integration

• Partner with business units, IT, legal, audit, and compliance teams to embed cybersecurity governance, risk, and compliance practices into business operations

• Serve as a liaison between cybersecurity and enterprise stakeholders to ensure alignment on risk priorities and compliance requirements

• Collaborate with security architecture and engineering teams to ensure solutions align with established security standards and policies

• Drive consistent communication, reporting, and alignment across global cybersecurity and business teams

Talent Leadership & Program Maturity

• Build and lead a global GRC organization with capabilities spanning risk management, compliance, resilience, third-party risk, and governance

• Develop team capabilities through coaching, structured career development, and role-based training

• Drive continuous improvement of GRC processes, frameworks, and tools to enhance program maturity and scalability

• Establish succession planning and leadership development to sustain long-term organizational capability

Qualifications

• 12+ years of progressive experience in cybersecurity, risk management, compliance, or information security leadership roles preferred

• Demonstrated expertise in cybersecurity governance, risk management frameworks, regulatory compliance, and enterprise risk integration

• Proven experience developing and leading enterprise-wide GRC programs, including risk assessment, compliance, and governance processes

• Strong understanding of cybersecurity frameworks (e.g., NIST CSF, ISO 27001) and regulatory requirements

• Demonstrated experience presenting to executive leadership, audit committees, and board members

• Strong leadership, communication, and stakeholder management skills with the ability to influence across the organization

• Experience serving in a senior cyber leadership role (e.g., VP, Head of GRC, or equivalent) reporting to a CISO, CIO or CRO

• Demonstrated experience operating at the executive leadership level, driving strategic outcomes, influencing enterprise risk & governance, and tech compliance discussions with senior executives, boards and regulators

• Experience in highly regulated industries (e.g., aviation, financial services, healthcare, or government)

• Advanced degree (MBA, MS in Cybersecurity, Information Systems, or related field) preferred

• Professional certifications such as CISSP, CISM, CRISC, CISA, or similar

• Experience implementing or managing GRC platforms and enterprise risk tools

What is expected of you and others at this level

• Provides leadership and direction for multiple operational units or disciplines through; Directors may manage Managers

• Manages an organizational budget

• Approves significant policies and procedures that will result in the achievement of organizational goals

• Develops and implements functional and/or operational strategy

• Decisions have a serious impact on overall success or failure on area of accountability and external stakeholders

• Interacts with all levels of internal and/or external leaders

• Influence senior level leaders regarding matters of significance

Anticipated salary range: $176,400 - $298,320

Bonus eligible: Yes

Benefits: Cardinal Health offers a wide variety of benefits and programs to support health and well-being.

• Medical, dental and vision coverage

• Paid time off plan

• Health savings account (HSA)

• 401k savings plan

• Access to wages before pay day with myFlexPay

• Flexible spending accounts (FSAs)

• Short- and long-term disability coverage

• Work-Life resources

• Paid parental leave

• Healthy lifestyle programs

Application window anticipated to close: 6/12/26 *if interested in opportunity, please submit application as soon as possible. The salary range listed is an estimate. Pay at Cardinal Health is determined by multiple factors including, but not limited to, a candidate's geographical location, relevant education, experience and skills and an evaluation of internal pay equity.

Candidates who are back-to-work, people with disabilities, without a college degree, and Veterans are encouraged to apply.

Cardinal Health supports an inclusive workplace that values diversity of thought, experience and background. We celebrate the power of our differences to create better solutions for our customers by ensuring employees can be their authentic selves each day. Cardinal Health is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, ancestry, age, physical or mental disability, sex, sexual orientation, gender identity/expression, pregnancy, veteran status, marital status, creed, status with regard to public assistance, genetic status or any other status protected by federal, state or local law.

To read and review this privacy notice click here (