BISO (Business Information Security Office) Lead

Cencora


Job Location:

Philadelphia, PA - USA

Monthly Salary: Not Disclosed
Posted on: 11 hours ago
Vacancies: 1 Vacancy

Job Summary

Our team members are at the heart of everything we do. At Cencora, we are united in our responsibility to create healthier futures, and every person here is essential to us being able to deliver on that purpose. If you want to make a difference at the center of health, come join our innovative company and help us improve the lives of people and animals everywhere. Apply today!

Job Details

Purpose & Impact

The Business Information Security Office Lead serves as the strategic bridge between business/IT stakeholders and security teams, ensuring that security architecture principles, security requirements, risk management practices, and governance, risk and compliance (GRC) requirements are deeply embedded into technology implementations, enterprise processes, and organizational decision-making. This role owns and drives secure architecture reviews, provides authoritative guidance on design patterns, risk treatment strategies, and compliance obligations, ultimately reducing risk exposure across multiple platforms and business domains.

Responsibilities

Lead Security Architecture Design & Review

  • Drive and contribute to the end-to-end secure architecture review process for on-prem, cloud, and hybrid applications/infrastructure, ensuring adherence to secure design principles, reference architectures, security requirements, and compliance standards.
  • Support the use of and contribute to security architecture patterns, blueprints, and reference models that align with enterprise strategy and evolving threat landscapes.
  • Evaluate proposed technical designs and system integrations to ensure security requirements are met, providing prescriptive architectural and control recommendations.
  • Perform security reviews for operational and architectural changes

Drive Enterprise Risk Management

  • Lead and support comprehensive risk assessments, including threat modeling, control gap analysis, compensating control, and risk quantification, for complex, high-impact projects and initiatives.
  • Support the maintenance of the risk register, ensuring identified risks are documented, assigned ownership is appropriate, tracked through remediation, and reported to leadership.
  • Propose and validate risk mitigation and treatment strategies, balancing security requirements with business objectives and risk appetite.

Support Governance Activities and the GRC Program

  • Support and advance the organization's Governance, Risk and Compliance (GRC) program, ensuring alignment with regulatory requirements and industry frameworks (e.g., NIST CSF/800-53, ISO 27001/27002, SOC 2, GDPR, HIPAA, CMMC).
  • Lead the evidence gathering, control testing, and documentation processes for internal and external audits, regulatory examinations, and certification efforts.
  • Develop, refine, and enforce security policies, standards, and guidelines in collaboration with legal, compliance, and business stakeholders.

Serve as Primary Security Officer & Risk Contact

  • Act as the authoritative resource for security architecture and risk management across business initiatives, ensuring requirements are understood, prioritized, and implemented effectively.
  • Embed security and risk considerations early in the technology and project lifecycle (shift-left approach), partnering with solution architects, engineering, and product teams.

Communicate & Report on Risk Posture

  • Translate complex security architecture risks and GRC findings into business terms for project managers, executive leadership, and board-level audiences, highlighting operational, financial, and reputational impacts.
  • Drive the development and maintenance of dashboards and reports tracking key risk indicators (KRIs), vulnerability trends, audit findings, control effectiveness, compliance status across assigned domains, etc.
  • Present periodic risk and compliance briefings to senior leadership and governance committees.
  • Build deep institutional knowledge through continuous engagement with business and IT stakeholders to ensure alignment to information security expectations.

Support Incident Response & Resilience

  • Assist in planning and coordinating remediation and recovery efforts during security incidents, with a focus on architectural root-cause analysis and control improvement.
  • Incorporate lessons learned from incidents into architecture standards and risk assessments to strengthen the organization's security posture.

Mentor & Build Organizational Capability

  • Provide guidance, coaching, and knowledge-sharing to junior architects, BISO staff, and cross-functional team members to elevate organizational security and risk management maturity.
  • Foster a risk-aware culture through training, awareness programs, and stakeholder engagement.

Required Qualifications

  • Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field.
  • 7-10 years of progressive experience in security architecture, IT risk management, and/or GRC.
  • Deep knowledge of cybersecurity frameworks and regulatory standards, including OWASP, NIST CSF, NIST 800-53, ISO 27001/27002, SOC 2, GDPR, and HIPAA.
  • Demonstrated experience designing and reviewing secure architectures across cloud (AWS, Azure, GCP), hybrid, and on-premises environments.
  • Proven ability to conduct threat modeling, risk quantification, and control assessments for complex enterprise environments.
  • Hands-on experience with GRC platforms and tools (e.g., ServiceNow, Archer, OneTrust, or similar).
  • Ability to influence cross-functional teams and communicate security architecture and risk concepts, both verbally and in writing, to business leaders, technical teams, and executive stakeholders.
  • Experience developing and maintaining security policies, standards, and risk registers.

Preferred Skills

  • Experience implementing and improving cybersecurity solutions and supporting operational processes
  • Experience in infrastructure/network engineering and IT operations
  • Experience designing and implementing Zero Trust architecture principles at scale.
  • Familiarity with DevSecOps practices and integrating security into CI/CD pipelines.
  • Experience with risk quantification methodologies (e.g., FAIR).
  • Knowledge of cloud-native security services and infrastructure-as-code security scanning.
  • Experience supporting M&A due diligence or third-party risk management from an architecture and GRC perspective.

Certifications

  • CISSP, CISM, or CCSP required (or obtained within 12 months of hire).
  • CRISC (Certified in Risk and Information Systems Control) highly preferred.
  • Additional certifications valued: CGEIT, TOGAF, SABSA, AWS/Azure Security Specialty.

What Cencora offers

We provide compensation, benefits, and resources that enable a highly inclusive culture and support our team members' ability to live with purpose every day. In addition to traditional offerings like medical, dental, and vision care, we also provide a comprehensive suite of benefits that focus on the physical, emotional, financial, and social aspects of wellness. This encompasses support for working families, which may include backup dependent care, adoption assistance, infertility coverage, family building support, behavioral health solutions, paid parental leave, and paid caregiver leave. To encourage your personal growth, we also offer a variety of training programs, professional development resources, and opportunities to participate in mentorship programs, employee resource groups, volunteer activities, and much more. For details visit time

Equal Employment Opportunity

Cencora is committed to providing equal employment opportunity without regard to race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, age, disability, veteran status, or membership in any other class protected by federal, state, or local law.

The company's continued success depends on the full and effective utilization of qualified individuals. Therefore, harassment is prohibited, and all matters related to recruiting, training, compensation, benefits, promotions, and transfers comply with equal opportunity principles and are non-discriminatory.

Cencora is committed to providing reasonable accommodations to individuals with disabilities during the employment process which are consistent with legal requirements. If you wish to request an accommodation while seeking employment, please call 888.692.2272 or email . We will make accommodation determinations on a request-by-request basis. Messages and emails regarding anything other than accommodations requests will not be returned.

Affiliated Companies

Affiliated Companies: AmerisourceBergen Services Corporation


About Company


We are Cencora. Transforming from AmerisourceBergen after a century of service, we are uniting globally for exceptional customer and patient care.
