Job Description
The AVP, Cyber Security Governance, Risk Management and Compliance (GRC), reporting directly to the Chief Information Security Officer, is responsible for establishing and maintaining the overall cyber security risk management program. This position will lead a team of cyber security risk management professionals responsible for identifying, evaluating, managing and reporting on cyber security risks in a manner that meets CVS Health's internal, regulatory and other compliance requirements. As a senior leader in the Enterprise Information Security organization, this leader will work proactively with clients, regulatory agencies, business units, and other internal departments and organizations to implement practices that meet CVS Health's defined policies and standards for information risk management. The GRC team is responsible for providing oversight and governance of cybersecurity risk related activities and for ensuring management awareness through transparent reporting of our security risk and compliance posture.

The Associate Vice President of Information Security Governance and Risk Management will:
Provide management oversight and serve as the leadership point of contact for the cyber security Governance, Risk and Compliance (GRC) team.
Take end-to-end ownership of cybersecurity-owned programs and related teams, including security policies, vendor risk and compliance management, regulatory audits and compliance management, metrics, risk and performance indicators, executive and board reporting, and security integration and assessment of M&A and related ventures.
Be responsible for overall cyber security risk management using continuous self-assessments and executive reporting.
Provide continuous input to the CISO and help measure the cybersecurity risk posture of CVS Health.
Provide leadership and engage with the business to perform security assessments and ensure timely execution of projects and programs while mitigating any security risks.
Identify, recommend, and, when applicable, execute appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to a level acceptable to the senior management of the company.
Manage and operate the third-party security risk management program and team.
Continuously evaluate cyber security controls to ensure effectiveness, compliance and adherence to key controls and policies, and drive their remediation efforts.
Work closely with internal groups such as Human Resources, Enterprise Risk Management, Internal Audit, Privacy, Legal, and Compliance on matters of policy and risk management.
Develop and improve KPIs, metrics, and trending.
Mentor, coach and train security staff.

Pay Range
The typical pay range for this role is:
Minimum: 180,000
Maximum: 365,000
Please keep in mind that this range represents the pay range for all positions in the job grade within which this position falls. The actual salary offer will take into account a wide range of factors, including location.

Required Qualifications
Track record of leading distributed teams and leading delivery of complex, multi-faceted technology assessment and compliance initiatives.
12+ years' experience directly related to information security governance, policy development and risk management.
6-8 years in leadership and/or program management.
Demonstrated experience in managing an enterprise governance and risk management program.
Deep experience in understanding regulatory and industry standards such as PCI, SOX, GLBA, ISO standards, HIPAA, the NIST framework and SSAE, as well as hands-on experience with common governance and risk management frameworks such as NIST 800-37, the COSO Integrated Framework, ISACA COBIT 5, etc.
Hands-on leadership experience in authoring security policies, developing standards, and deploying GRC solutions to effectively manage and measure the cyber risk posture.
Technically strong in understanding and solving complex cybersecurity challenges, with a track record of leading the delivery of complex, multi-faceted technology initiatives.
Excellent communication and presentation skills, with demonstrated skill in presenting analytical data effectively to varied audiences including executive management.
Attested ability to establish and sustain effective, professional relationships with product and business managers; work closely with business partners to understand business drivers and market requirements; and provide leadership to the technology group in order to create the right solutions for the market in the required time frames.
High degree of technical complexity and conservancy; familiarity with complex global information security infrastructures preferred.
Experience with a wide array of security platforms, protocols, tools, and technologies.
Knowledge of/experience with international compliance requirements/standards.
CISSP, CGEIT, or CRISC certification, or demonstrated mastery of governance and risk management.
Experience with Information Security in a Pharmacy Benefits Management, Insurance, Retail or Home Health care delivery environment a plus.
5+ years' experience managing an information security program in a highly regulated sector, such as healthcare, financial or another critical infrastructure sector.

Preferred Qualifications
Advanced Degree

Education
Bachelor's Degree - Engineering, Science

Business Overview
Bring your heart to CVS Health
Every one of us at CVS Health shares a single, clear purpose: Bringing our heart to every moment of your health. This purpose guides our commitment to deliver enhanced human-centric health care for a rapidly changing world. Anchored in our brand - with heart at its center - our purpose sends a personal message that how we deliver our services is just as important as what we deliver. Our Heart At Work Behaviors support this purpose. We want everyone who works at CVS Health to feel empowered by the role they play in transforming our culture and accelerating our ability to innovate and deliver solutions to make health care more personal, convenient and affordable. We strive to promote and sustain a culture of diversity, inclusion and belonging every day. CVS Health is an affirmative action employer, and is an equal opportunity employer, as are the physician-owned businesses for which CVS Health provides management services. We do not discriminate in recruiting, hiring, promotion, or any other personnel action based on race, ethnicity, color, national origin, sex/gender, sexual orientation, gender identity or expression, religion, age, disability, protected veteran status, or any other characteristic protected by applicable federal, state, or local law. We proudly support and encourage people with military experience (active, veterans, reservists and National Guard) as well as military spouses to apply for CVS Health job opportunities.
Job Title
AVP, Cyber Security Governance, Risk Management and Compliance (GRC)