Senior Director of Cyber Risk Management

6 days ago


Carrollton, Texas, United States Cencora Full time $156,300 - $241,010

Our team members are at the heart of everything we do. At Cencora, we are united in our responsibility to create healthier futures, and every person here is essential to us being able to deliver on that purpose. If you want to make a difference at the center of health, come join our innovative company and help us improve the lives of people and animals everywhere. Apply today.

Job Details

Position Summary:

The Senior Director of Cyber Risk Management will lead the organization's efforts to identify, assess, manage, and mitigate cyber risks while ensuring the effective operation of Governance, Risk, and Compliance (GRC) functions. This role will oversee critical areas of risk management, including risk/issue management, GRC tooling, security policy development, GRC reporting, audit findings management, firewall/change requests, policy exceptions, and risk intake quality assurance (QA). The ideal candidate will bring strategic vision, operational excellence, and leadership to align cybersecurity practices with business objectives and regulatory requirements.

Reporting to the Vice President of Information Security, this role will collaborate across business units, IT, and cybersecurity teams to ensure risks are effectively addressed and compliance standards are met.

Key Responsibilities:

Risk and Issue Management:

  • Lead the identification, assessment, and prioritization of cyber risks and issues across the enterprise.

  • Implement and maintain processes for tracking, mitigating, and resolving risks and issues.

  • Ensure effective risk intake processes, including quality assurance (QA) reviews of submitted risks to validate accuracy, completeness, and alignment with organizational risk criteria.

  • Develop frameworks for consistent risk classification, prioritization, and escalation to appropriate stakeholders.

GRC Tooling:

  • Manage the implementation, optimization, and ongoing maintenance of Governance, Risk, and Compliance (GRC) tooling (e.g., ServiceNow).

  • Ensure GRC tools are configured to support risk management workflows, reporting, and compliance tracking.

  • Collaborate with internal teams to enhance tool functionality, automate processes, and improve user experience.

Security Policy and Standards:

  • Develop, implement, and maintain information security policies, standards, and procedures aligned with industry frameworks (e.g., NIST CSF, ISO 27001, CIS Controls).

  • Ensure policies and standards address regulatory requirements, contractual obligations, and emerging threats.

  • Collaborate with business units to ensure adoption and compliance with security policies and standards.

  • Periodically review and update policies to reflect changes in the threat landscape, business operations, or regulatory requirements.

GRC Reporting:

  • Oversee the creation and delivery of GRC reports to senior leadership, stakeholders, and regulatory bodies.

  • Develop and maintain dashboards that provide visibility into risk management metrics, compliance status, and security performance.

  • Ensure reporting aligns with organizational objectives and informs decision-making at all levels.

Audit Findings Management:

  • Manage the lifecycle of IT audit findings, ensuring timely remediation and closure.

  • Collaborate with internal teams to address findings from internal audits, external audits, and regulatory assessments.

  • Track audit findings in GRC tools and provide regular updates to stakeholders on remediation progress.

  • Identify trends in audit findings and recommend improvements to reduce recurring issues.

Firewall/Change Requests:

  • Oversee the review and approval process for firewall and security-related change requests.

  • Ensure change requests align with security policies, standards, and risk management practices.

  • Collaborate with IT and network teams to validate the security impact of proposed changes.

  • Maintain documentation and tracking of change requests for audit and reporting purposes.

Policy Exceptions:

  • Manage the policy exception process, including intake, review, approval, and tracking.

  • Evaluate exception requests to ensure risks are understood and compensating controls are in place.

  • Provide recommendations to senior leadership for high-risk exceptions and escalate appropriately.

  • Periodically review approved exceptions to assess ongoing relevance and compliance.

Risk Intake and QA:

  • Oversee the risk intake process, ensuring risks are accurately documented and categorized.

  • Conduct QA reviews of submitted risks to verify completeness, accuracy, and alignment with policies and frameworks.

  • Ensure risk intake processes are streamlined and integrated with broader GRC workflows.

  • Provide training and guidance to teams to improve risk intake quality and consistency.

Leadership Responsibilities:

  • Build and lead a high-performing team responsible for cyber risk management and GRC functions.

  • Foster a culture of collaboration, accountability, and continuous improvement within the team and across the organization.

  • Serve as a trusted advisor to senior leadership, providing insights and recommendations on risk management strategies.

  • Collaborate with cross-functional teams, including IT, Legal, Compliance, and Audit, to align cyber risk management efforts with organizational goals.

Qualifications:

Education and Experience:

  • Bachelor's degree in Cybersecurity, Information Security, Risk Management, Business Administration, or a related field (Master's degree preferred).

  • 10+ years of experience in cybersecurity, risk management, or governance roles, with at least 5 or more years in a leadership capacity.

  • Strong experience managing GRC tools (e.g., ServiceNow) and implementing risk management workflows.

Skills and Competencies:

  • Deep understanding of information security frameworks and standards (e.g., NIST CSF, ISO 27001, SOC 2, CIS Controls).

  • Proven ability to manage complex risk and issue management processes across large organizations.

  • Expertise in developing and maintaining security policies, standards, and procedures.

  • Strong analytical skills with the ability to interpret risk data and generate actionable insights.

  • Exceptional communication and interpersonal skills, with the ability to convey complex information to technical and non-technical audiences.

  • Experience managing audit findings, policy exceptions, and change control processes.

  • Familiarity with regulatory requirements and reporting standards (e.g., GDPR, CCPA, HIPAA).

Certifications (Preferred):

  • Certified Information Systems Security Professional (CISSP)

  • Certified Information Security Manager (CISM)

  • Certified Information Systems Auditor (CISA)

  • Governance, Risk, and Compliance (GRC) certifications (e.g., GRCP, GRCA)

  • ITIL or Change Management certifications

What Cencora offers

We provide compensation, benefits, and resources that enable a highly inclusive culture and support our team members' ability to live with purpose every day. In addition to traditional offerings like medical, dental, and vision care, we also provide a comprehensive suite of benefits that focus on the physical, emotional, financial, and social aspects of wellness. This encompasses support for working families, which may include backup dependent care, adoption assistance, infertility coverage, family building support, behavioral health solutions, paid parental leave, and paid caregiver leave. To encourage your personal growth, we also offer a variety of training programs, professional development resources, and opportunities to participate in mentorship programs, employee resource groups, volunteer activities, and much more. For details, visit

Full time Salary Range*: $156,300 - $241,010

*This Salary Range reflects a National Average for this job. The actual range may vary based on your locale. Ranges in Colorado/California/Washington/New York/Hawaii/Vermont/Minnesota/Massachusetts/Illinois State-specific locations may be up to 10% lower than the minimum salary range, and 12% higher than the maximum salary range.

Equal Employment Opportunity

Cencora is committed to providing equal employment opportunity without regard to race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, age, disability, veteran status or membership in any other class protected by federal, state or local law.

The company's continued success depends on the full and effective utilization of qualified individuals. Therefore, harassment is prohibited and all matters related to recruiting, training, compensation, benefits, promotions and transfers comply with equal opportunity principles and are non-discriminatory.

Cencora is committed to providing reasonable accommodations to individuals with disabilities during the employment process which are consistent with legal requirements. If you wish to request an accommodation while seeking employment, please call or email We will make accommodation determinations on a request-by-request basis. Messages and emails regarding anything other than accommodations requests will not be returned.

Affiliated Companies: AmerisourceBergen Services Corporation
