Director, Application Security (Cybersecurity Defense)

What Cybersecurity Defense contributes to Cardinal Health

Cybersecurity Defense focuses heavily on threat detection, incident response, and implementing security measures to protect our digital assets and infrastructure at Cardinal Health. The Director, Application Security is responsible for establishing, leading, and evolving the enterprise application security strategy to embed security into the software development lifecycle (SDLC) and reduce application-layer risk across the business segments. This leader ensures that applications and APIs are designed, developed, and deployed in alignment with security policies & standards, regulatory requirements, and risk management objectives. This Director oversees segment-aligned application security capabilities across Pharma, Medical, and Commercial Technology environments, enabling consistent governance, scalable processes, and effective risk mitigation across diverse application portfolios.

Location - Open to candidates nationwide working in a fully remote capacity, with preference towards those based local to Central Ohio (willingness to travel into our Corporate HQ in Dublin, OH during certain period of the year is a plus)

Responsibilities

• Lead the enterprise application security strategy aligned with cybersecurity, risk management, and business objectives.

• Establish governance frameworks to embed security into the software development lifecycle (SDLC) across all application domains.

• Collaborate with enterprise architecture, engineering, and product teams to align application security with technology strategies and transformation initiatives.

• Serve as an advisor to executive and business leadership on application security risks, priorities, and investment decisions.

• Drive a secure-by-design culture across development and engineering teams.

• Oversee application security capabilities across Pharma, Medical, and Commercial Technology segments, ensuring consistent implementation of security practices.

• Define segment-specific requirements and approaches to address unique regulatory, operational, and risk considerations.

• Ensure alignment of application security practices across segments while enabling flexibility to support business-specific needs.

• Drive standardization of processes, tooling, and reporting across segment application security teams.

• Oversee enterprise application security testing programs, including SAST, DAST, SCA, and IAST across all application environments.

• Ensure vulnerabilities are identified, assessed, prioritized, and remediated during the development lifecycle prior to deployment.

• Establish secure coding standards and integrate security controls into CI/CD pipelines and development workflows.

• Collaborate with development teams to reduce application security technical debt and improve code quality.

• Oversee implementation of runtime security controls for applications and APIs, including WAF, API gateways, and runtime monitoring solutions.

• Ensure security requirements are embedded into application and API design, deployment, and operational processes.

• Collaborate with engineering and infrastructure teams to enforce runtime protections aligned with enterprise architecture.

• Monitor runtime risks and coordinate mitigation efforts across application environments.

• Lead development and integration of application security tooling, including configuration, onboarding, and operational management.

• Define use cases, policies, and detection logic for application security tools to ensure effective coverage and scalability.

• Drive integration of application security tools into CI/CD pipelines and DevSecOps workflows.

• Ensure application security tooling aligns with enterprise security architecture and standards.

• Collaborate with Security Architecture teams to define secure design patterns, reference architectures, and application security standards.

• Ensure application security requirements are incorporated into solution design and architecture reviews.

• Partner with engineering teams to implement secure development lifecycle (SDLC) practices and controls.

• Support evaluation of new technologies and architectures to ensure alignment with security requirements.

• Ensure application security practices align with regulatory requirements, compliance standards, and enterprise risk management frameworks.

• Provide application security oversight for audits, regulatory assessments, and compliance reporting.

• Collaborate with risk and compliance teams to translate application security risks into enterprise risk insights.

• Support remediation of identified risks and ensure alignment with risk tolerance and governance processes.

• Define and track KPIs and KRIs related to application security posture, vulnerability management, and SDLC integration.

• Provide regular reporting to executive leadership on application security risks, trends, and program effectiveness.

• Leverage data and analytics to drive continuous improvement in application security practices and outcomes.

• Identify opportunities to enhance automation, efficiency, and scalability of application security processes.

• Collaborate with application development, product, IT, security operations, and business teams to integrate application security into enterprise processes.

• Partner with Cyber Detection & Response to ensure application security findings are integrated into monitoring and incident response workflows.

• Engage with segment leaders to align application security initiatives with business priorities and risk considerations.

• Support M&A activities by assessing and integrating application security controls for acquired applications.

• Build and lead a high-performing application security organization with expertise across secure development, testing, and runtime protection.

• Ensure alignment of team capabilities with evolving technologies, threats, and business needs.

Qualifications

• Ideally targeting individuals with 10+ years of experience in cybersecurity, with a focus on application security, secure development, or DevSecOps.

• Deep expertise in application security testing methodologies (SAST, DAST, SCA, IAST) and secure development practices, strongly preferred.

• Strong understanding of application and API security, cloud-native architectures, and modern development frameworks.

• Experience leading application security programs across large, complex organization, preferred.

• Strong understanding of cybersecurity frameworks (e.g., NIST CSF, OWASP, ISO 27001) and regulatory requirements.

• Demonstrated ability to collaborate with cross-functional teams and influence executive stakeholders.

• Strong leadership, communication, and problem-solving skills.

#LI-LP

#LI-Remote

Anticipated salary range: $135,400 - $208,100

Bonus eligible: Yes

Benefits: Cardinal Health offers a wide variety of benefits and programs to support health and well-being.

• Medical, dental and vision coverage

• Paid time off plan

• Health savings account (HSA)

• 401k savings plan

• Access to wages before pay day with myFlexPay

• Flexible spending accounts (FSAs)

• Short- and long-term disability coverage

• Work-Life resources

• Paid parental leave

• Healthy lifestyle programs

Application window anticipated to close: 07/01/2026 *if interested in opportunity, please submit application as soon as possible.

The salary range listed is an estimate. Pay at Cardinal Health is determined by multiple factors including, but not limited to, a candidate's geographical location, relevant education, experience and skills and an evaluation of internal pay equity.

Candidates who are back-to-work, people with disabilities, without a college degree, and Veterans are encouraged to apply.

Cardinal Health supports an inclusive workplace that values diversity of thought, experience and background. We celebrate the power of our differences to create better solutions for our customers by ensuring employees can be their authentic selves each day. Cardinal Health is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, ancestry, age, physical or mental disability, sex, sexual orientation, gender identity/expression, pregnancy, veteran status, marital status, creed, status with regard to public assistance, genetic status or any other status protected by federal, state or local law.

To read and review this privacy notice click here (