BISO Business Information Security Office Lead

Job Description

Company: Cencora

Location: Darby, US

Our team members are at the heart of everything we do.
At Cencora, we are united in our responsibility to create healthier futures, and every person here is essential to us being able to deliver on that purpose.
If you want to make a difference at the center of health, come join our innovative company and help us improve the lives of people and animals everywhere.
Apply today!
Job Details Purpose & Impact
The Business Information Security Office Lead serves as the strategic bridge between business/IT stakeholders and security teams, ensuring that security architecture principles, security requirements, risk management practices, and governance, risk, and compliance (GRC) requirements are deeply embedded into technology implementations, enterprise processes, and organizational decision-making.
This role owns and drives secure architecture reviews, provides authoritative guidance on design patterns, risk treatment strategies, and compliance obligations – ultimately reducing risk exposure across multiple platforms and business domains.

Responsibilities
Lead Security Architecture Design & Review
• Drive and contribute tothe end-to-end secure architecture review process for on-prem, cloud, and hybrid applications/infrastructure, ensuring adherence to secure design principles, reference architectures, security requirements and compliance standards.

• Support the use of and contribute tosecurity architecture patterns, blueprints, and reference modelsthat align with enterprise strategy and evolving threat landscapes.

• Evaluate proposed technical designs and system integrations to ensure security requirements are met, providing prescriptive architectural and control recommendations.

• Perform security reviews for operational and architectural changes
Drive Enterprise Risk Management
• Leadand support comprehensive risk assessments- including threat modeling, control gap analysis, compensating control and risk quantification – for complex, high-impact projects and initiatives.

• Support the maintenance of the risk register, ensuring identified risks are documented, assigned ownership is appropriate, tracked through remediation, and reported to leadership.

• Propose and validaterisk mitigation and treatment strategies, balancing security requirements with business objectives and risk appetite.

Support Governance Activities the GRC Program
• Support and advance the organization’sGovernance, Risk, and Compliance (GRC) program, ensuring alignment with regulatory requirements and industry frameworks (e.
g.
,NIST CSF/800-53, ISO 27001/27002, SOC 2, GDPR, HIPAA, CMMC).

• Lead theevidence gathering, control testing, and documentationprocesses for internal and external audits, regulatory examinations, and certification efforts.

• Develop, refine, and enforcesecurity policies, standards, and guidelinesin collaboration with legal, compliance, and business stakeholders.

Serve as Primary Security Officer & Risk Contact
• Act as the authoritative resource for security architecture and risk management across business initiatives, ensuring requirements are understood, prioritized, and implemented effectively.

• Embed security and risk considerationsearly in the technology and project lifecycle(shift-left approach), partnering with solution architects, engineering, and product teams.

Communicate & Report on Risk Posture
• Translate complex security architecture risks and GRC findings intobusiness termsfor project managers, executive leadership, and board-level audiences – highlighting operational, financial, and reputational impacts.

• Drive the development and maintenance ofdashboards and reportstracking key risk indicators (KRIs), vulnerability trends, audit findings, control effectiveness, compliance status across assigned domains, etc.

• Presentperiodic risk and compliance briefingsto senior leadership and governance committees.

• Build deep institutional knowledge through continuous engagement with business and IT stakeholders to ensure alignment to information security expectations.

Support Incident Response & Resilience
• Assist in planning and coordinatingremediation and recovery effortsduring security incidents, with a focus on architectural root-cause analysis and control improvement.

• Incorporate lessons learned from incidents intoarchitecture standards and risk assessmentsto strengthen the organization’s security posture.

Mentor & Build Organizational Capability
• Provide guidance, coaching, and knowledge-sharing to junior architects, BISO staff, and cross-functional team members to elevate organizational security and risk management maturity.

• Foster arisk-aware culturethrough training, awareness programs, and stakeholder engagement.

Required Qualifications
• Bachelor’s degree in Information Security, Computer Science, Risk Management, or a related field.

• 7-10 years of progressive experiencein security architecture, IT risk management, and/or GRC.

• Deep knowledge of cybersecurity frameworks and regulatory standardsincluding OWASP, NIST CSF, NIST 800-53, ISO 27001/27002, SOC 2, GDPR, and HIPAA.

• Demonstrated experiencedesigning and reviewing secure architecturesacross cloud (AWS, Azure, GCP), hybrid, and on-premises environments.

• Proven ability to conductthreat modeling, risk quantification, and control assessmentsfor complex enterprise environments.

• Hands-on experience withGRC platforms and tools(e.
g.
, ServiceNow , Archer, O.

Source: Jobilize