Lead Director - Third Party Security, Assessment Operations

About The Position

Requirements

• 10+ years of progressive Information Security experience, with a strong foundation across risk management, architecture, and engineering domains.
• 7+ years of direct leadership experience managing security professionals in both direct and matrixed reporting structures.
• 5+ years of experience building and leading Third Party Security Risk or Vendor Risk Management programs at enterprise scale.
• 5+ years of experience leading detailed control testing, regulatory audits, and compliance assessments.
• 3+ years of experience implementing security controls within third party environments supporting large, complex enterprises.
• Bachelor’s degree or equivalent experience (High School Diploma and 4 years relevant experience)

Nice To Haves

• Exceptional communication and executive presentation skills; ability to translate technical risk into business language for non-technical audiences.
• Strong command of risk analysis frameworks and the ability to derive well-defined mitigation strategies from assessment findings.
• Demonstrated ability to lead and influence without direct authority across cross-functional, matrixed organizations.
• Superior organizational and process management skills; experience building and scaling high-performing teams.
• Proficiency with Third Party Risk platforms (e.g., Archer, SecurityScorecard, ServiceNow, BlackKite) and GRC tooling.
• Integration and adoption of AI-based tooling to facilitate time to market and defensible results

Responsibilities

• Own and continuously mature the enterprise Third Party Security program, including processes, and tooling.
• Direct staff in the identification, development, implementation, and maintenance of security assessment practices for all third parties — including vendors, suppliers, and business partners.
• Establish demand-driven resource models and align team capacity to portfolio volume and organizational priorities.
• Build, coach, and lead a high-performing team of security professionals spanning Individual Contributors, Managers, and Senior Managers.
• Lead the evaluation and assessment of emerging cyber threats, vulnerabilities, and attack vectors relevant to third party ecosystems.
• Direct detailed control testing, regulatory audit scenarios, and compliance validation activities for third party relationships.
• Develop and enforce risk-based remediation strategies derived from assessment findings and lessons learned.
• Implement and enforce security controls within third parties supporting large, complex, and diverse enterprise environments.
• Ensure organizational adherence to applicable local, national, and international regulatory requirements (e.g., HIPAA, PCI-DSS, NIST, ISO 27001/27036, SOC 2) within the scope of third party security.
• Provide authoritative security guidance to project teams, portfolio personnel, and business leaders to ensure alignment with CVS Health control standards.
• Monitor evolving regulatory and industry landscapes and proactively adjust program requirements to maintain compliance.
• Serve as a trusted advisor to senior business and technology executives on third party cyber security matters.
• Communicate risk posture, program performance metrics, and remediation status to executive leadership through compelling, data-driven presentations.
• Act as the primary point of enablement for Third Party Security Assessment Operations across the organization.
• Develop and sustain strategic relationships across functional business, IT, and vendor leadership teams.
• Establish organizational capabilities to track program progress, surface issues, and remove obstacles in alignment with the CVS Health mission.
• Define and monitor KPIs and KRIs to measure program effectiveness and drive continuous improvement.
• Identify and implement technology solutions and automation opportunities to scale assessment operations.

Benefits

• medical
• dental
• vision coverage
• paid time off
• retirement savings options
• wellness programs