[Hiring] Business Information Security Office Lead @Cencora

Role Description

The Business Information Security Office Lead serves as the strategic bridge between business/IT stakeholders and security teams, ensuring that security architecture principles, security requirements, risk management practices, and governance, risk, and compliance (GRC) requirements are deeply embedded into technology implementations, enterprise processes, and organizational decision-making. This role owns and drives secure architecture reviews, provides authoritative guidance on design patterns, risk treatment strategies, and compliance obligations — ultimately reducing risk exposure across multiple platforms and business domains.

Responsibilities

• Lead Security Architecture Design & Review
  • Drive and contribute to the end-to-end secure architecture review process for on-prem, cloud, and hybrid applications/infrastructure.
  • Support the use of and contribute to security architecture patterns, blueprints, and reference models that align with enterprise strategy and evolving threat landscapes.
  • Evaluate proposed technical designs and system integrations to ensure security requirements are met, providing prescriptive architectural and control recommendations.
  • Perform security reviews for operational and architectural changes.
• Drive Enterprise Risk Management
  • Lead and support comprehensive risk assessments — including threat modeling, control gap analysis, compensating control and risk quantification — for complex, high-impact projects and initiatives.
  • Support the maintenance of the risk register, ensuring identified risks are documented, assigned ownership is appropriate, tracked through remediation, and reported to leadership.
  • Propose and validate risk mitigation and treatment strategies, balancing security requirements with business objectives and risk appetite.
• Support Governance Activities the GRC Program
  • Support and advance the organization's Governance, Risk, and Compliance (GRC) program, ensuring alignment with regulatory requirements and industry frameworks (e.g., NIST CSF/800-53, ISO 27001/27002, SOC 2, GDPR, HIPAA, CMMC).
  • Lead the evidence gathering, control testing, and documentation processes for internal and external audits, regulatory examinations, and certification efforts.
  • Develop, refine, and enforce security policies, standards, and guidelines in collaboration with legal, compliance, and business stakeholders.
• Serve as Primary Security Officer & Risk Contact
  • Act as the authoritative resource for security architecture and risk management across business initiatives, ensuring requirements are understood, prioritized, and implemented effectively.
  • Embed security and risk considerations early in the technology and project lifecycle (shift-left approach), partnering with solution architects, engineering, and product teams.
• Communicate & Report on Risk Posture
  • Translate complex security architecture risks and GRC findings into business terms for project managers, executive leadership, and board-level audiences.
  • Drive the development and maintenance of dashboards and reports tracking key risk indicators (KRIs), vulnerability trends, audit findings, control effectiveness, compliance status across assigned domains, etc.
  • Present periodic risk and compliance briefings to senior leadership and governance committees.
• Support Incident Response & Resilience
  • Assist in planning and coordinating remediation and recovery efforts during security incidents, with a focus on architectural root-cause analysis and control improvement.
  • Incorporate lessons learned from incidents into architecture standards and risk assessments to strengthen the organization's security posture.
• Mentor & Build Organizational Capability
  • Provide guidance, coaching, and knowledge-sharing to junior architects, BISO staff, and cross-functional team members to elevate organizational security and risk management maturity.
  • Foster a risk-aware culture through training, awareness programs, and stakeholder engagement.

Qualifications

• Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field.
• 7–10 years of progressive experience in security architecture, IT risk management, and/or GRC.
• Deep knowledge of cybersecurity frameworks and regulatory standards including OWASP, NIST CSF, NIST 800-53, ISO 27001/27002, SOC 2, GDPR, and HIPAA.
• Demonstrated experience designing and reviewing secure architectures across cloud (AWS, Azure, GCP), hybrid, and on-premises environments.
• Proven ability to conduct threat modeling, risk quantification, and control assessments for complex enterprise environments.
• Hands-on experience with GRC platforms and tools (e.g., ServiceNow, Archer, OneTrust, or similar).
• Ability to influence cross-functional teams and communicate security architecture and risk concepts — both verbally and in writing — to business leaders, technical teams, and executive stakeholders.
• Experience developing and maintaining security policies, standards, and risk registers.

Preferred Skills

• Experience implementing and improving cybersecurity solutions and supporting operational processes.
• Experience in infrastructure/network engineering and IT operations.
• Experience designing and implementing Zero Trust architecture principles at scale.
• Familiarity with DevSecOps practices and integrating security into CI/CD pipelines.
• Experience with risk quantification methodologies (e.g., FAIR).
• Knowledge of cloud-native security services and infrastructure-as-code security scanning.
• Experience supporting M&A due diligence or third-party risk management from an architecture and GRC perspective.

Certifications

• CISSP, CISM, or CCSP — required (or obtained within 12 months of hire).
• CRISC (Certified in Risk and Information Systems Control) — highly preferred.
• Additional certifications valued: CGEIT, TOGAF, SABSA, AWS/Azure Security Specialty.

Benefits

• Comprehensive suite of benefits focusing on physical, emotional, financial, and social aspects of wellness.
• Support for working families, including backup dependent care, adoption assistance, infertility coverage, family building support, behavioral health solutions, paid parental leave, and paid caregiver leave.
• Variety of training programs, professional development resources, and opportunities to participate in mentorship programs, employee resource groups, volunteer activities, and more.