• Own a meaningful slice of our defensive infrastructure end-to-end. • Design, execute, and follow through on security awareness programs and phishing simulations. • Participate in Endpoint Detection & Response rollout and ongoing operations. • Revamp our network protections for Zero Trust network access and DNS security. • Manage and operate our EASM platform, including continuous monitoring, finding triage, and remediation coordination. • Coordinate with our third-party penetration testing partner for scoping, logistics, findings review, and remediation tracking. • Monitor and respond to security alerts across our stack — SIEM, EDR telemetry, and related tooling. • Own relevant SOC 2 controls and participate in vendor evaluations, new tooling assessments, and ad hoc projects.

• Ensure that the organization operates in full accordance with federal and state laws, including HIPAA, CMS, and OIG guidelines. • Establish and maintain the foundational "Seven Elements" of an effective compliance program as defined by the OIG. • Draft, implement, and update compliance policies and procedures. • Ensure completion of Fraud, Waste, and Abuse (FWA), HIPAA, and General Compliance training within 90 days of hire and annually thereafter. • Oversee the organization’s status as a First Tier, Downstream, and Related Entity (FDR). • Manage the monthly screening process against OIG and GSA databases for all staff and contractors. • Audit the timeliness of Organization Determinations, Appeals, and Grievances.

Our team members are at the heart of everything we do. At Cencora, we are united in our responsibility to create healthier futures, and every person here is essential to us being able to deliver on that purpose. If you want to make a difference at the center of health, come join our innovative company and help us improve the lives of people and animals everywhere. Apply today! Job Details Purpose & Impact The Business Information Security Office Lead serves as the strategic bridge between business/IT stakeholders and security teams, ensuring that security architecture principles, security requirements, risk management practices, and governance, risk, and compliance (GRC) requirements are deeply embedded into technology implementations, enterprise processes, and organizational decision-making. This role owns and drives secure architecture reviews, provides authoritative guidance on design patterns, risk treatment strategies, and compliance obligations - ultimately reducing risk exposure across multiple platforms and business domains. Responsibilities Lead Security Architecture Design & Review - Drive and contribute to the end-to-end secure architecture review process for on-prem, cloud, and hybrid applications/infrastructure, ensuring adherence to secure design principles, reference architectures, security requirements and compliance standards. - Support the use of and contribute to security architecture patterns, blueprints, and reference models that align with enterprise strategy and evolving threat landscapes. - Evaluate proposed technical designs and system integrations to ensure security requirements are met, providing prescriptive architectural and control recommendations. - Perform security reviews for operational and architectural changes Drive Enterprise Risk Management - Lead and support comprehensive risk assessments - including threat modeling, control gap analysis, compensating control and risk quantification - for complex, high-impact projects and initiatives. - Support the maintenance of the risk register, ensuring identified risks are documented, assigned ownership is appropriate, tracked through remediation, and reported to leadership. - Propose and validate risk mitigation and treatment strategies, balancing security requirements with business objectives and risk appetite. Support Governance Activities the GRC Program - Support and advance the organization's Governance, Risk, and Compliance (GRC) program, ensuring alignment with regulatory requirements and industry frameworks (e.g., NIST CSF/800-53, ISO 27001/27002, SOC 2, GDPR, HIPAA, CMMC). - Lead the evidence gathering, control testing, and documentation processes for internal and external audits, regulatory examinations, and certification efforts. - Develop, refine, and enforce security policies, standards, and guidelines in collaboration with legal, compliance, and business stakeholders. Serve as Primary Security Officer & Risk Contact - Act as the authoritative resource for security architecture and risk management across business initiatives, ensuring requirements are understood, prioritized, and implemented effectively. - Embed security and risk considerations early in the technology and project lifecycle (shift-left approach), partnering with solution architects, engineering, and product teams. Communicate & Report on Risk Posture - Translate complex security architecture risks and GRC findings into business terms for project managers, executive leadership, and board-level audiences - highlighting operational, financial, and reputational impacts. - Drive the development and maintenance of dashboards and reports tracking key risk indicators (KRIs), vulnerability trends, audit findings, control effectiveness, compliance status across assigned domains, etc. - Present periodic risk and compliance briefings to senior leadership and governance committees. - Build deep institutional knowledge through continuous engagement with business and IT stakeholders to ensure alignment to information security expectations. Support Incident Response & Resilience - Assist in planning and coordinating remediation and recovery efforts during security incidents, with a focus on architectural root-cause analysis and control improvement. - Incorporate lessons learned from incidents into architecture standards and risk assessments to strengthen the organization's security posture. Mentor & Build Organizational Capability - Provide guidance, coaching, and knowledge-sharing to junior architects, BISO staff, and cross-functional team members to elevate organizational security and risk management maturity. - Foster a risk-aware culture through training, awareness programs, and stakeholder engagement. Required Qualifications - Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field. - 7-10 years of progressive experience in security architecture, IT risk management, and/or GRC. - Deep knowledge of cybersecurity frameworks and regulatory standards including OWASP, NIST CSF, NIST 800-53, ISO 27001/27002, SOC 2, GDPR, and HIPAA. - Demonstrated experience designing and reviewing secure architectures across cloud (AWS, Azure, GCP), hybrid, and on-premises environments. - Proven ability to conduct threat modeling, risk quantification, and control assessments for complex enterprise environments. - Hands-on experience with GRC platforms and tools (e.g., ServiceNow , Archer, OneTrust, or similar). - Ability to influence cross-functional teams and communicate security architecture and risk concepts - both verbally and in writing - to business leaders, technical teams, and executive stakeholders. - Experience developing and maintaining security policies, standards, and risk registers. Preferred Skills - Experience implementing and improving cybersecurity solutions and supporting operational processes - Experience in infrastructure/network engineering and IT operations - Experience designing and implementing Zero Trust architecture principles at scale. - Familiarity with DevSecOps practices and integrating security into CI/CD pipelines. - Experience with risk quantification methodologies (e.g., FAIR). - Knowledge of cloud-native security services and infrastructure-as-code security scanning. - Experience supporting M&A due diligence or third-party risk management from an architecture and GRC perspective. Certifications - CISSP, CISM, or CCSP - required (or obtained within 12 months of hire). - CRISC (Certified in Risk and Information Systems Control) - highly preferred. - Additional certifications valued: CGEIT, TOGAF, SABSA, AWS/Azure Security Specialty. What Cencora offers We provide compensation, benefits, and resources that enable a highly inclusive culture and support our team members' ability to live with purpose every day. In addition to traditional offerings like medical, dental, and vision care, we also provide a comprehensive suite of benefits that focus on the physical, emotional, financial, and social aspects of wellness. This encompasses support for working families, which may include backup dependent care, adoption assistance, infertility coverage, family building support, behavioral health solutions, paid parental leave, and paid caregiver leave. To encourage your personal growth, we also offer a variety of training programs, professional development resources, and opportunities to participate in mentorship programs, employee resource groups, volunteer activities, and much more. For details, visit https://www.virtualfairhub.com/cencora Full time Equal Employment Opportunity Cencora is committed to providing equal employment opportunity without regard to race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, age, disability, veteran status or membership in any other class protected by federal, state or local law. The company's continued success depends on the full and effective utilization of qualified individuals. Therefore, harassment is prohibited and all matters related to recruiting, training, compensation, benefits, promotions and transfers comply with equal opportunity principles and are non-discriminatory. Cencora is committed to providing reasonable accommodations to individuals with disabilities during the employment process which are consistent with legal requirements. If you wish to request an accommodation while seeking employment, please call 888.692.2272 or email hrsc@cencora.com. We will make accommodation determinations on a request-by-request basis. Messages and emails regarding anything other than accommodations requests will not be returned Affiliated Companies Affiliated Companies: AmerisourceBergen Services Corporation

• Own cloud security engineering for AWS by defining guardrails and configuration baselines (e.g., IAM least privilege, network segmentation, encryption, logging), partnering on implementation, and driving remediation of cloud posture findings to closure. • Engineer security controls and governance for Kubernetes and containerized workloads (e.g., EKS): define and enforce admission policies, Pod Security standards, network policies, image governance, runtime protections, and secrets management patterns; partner with platform teams on implementation within clusters and supporting IAM. • Drive secure SDLC controls and engineering governance: integrate and operate scanning and policy gates for application code (SAST), dependencies (SCA), secrets, containers/images, and Infrastructure as Code (IaC); define practical remediation SLAs and exception/waiver workflows aligned to risk. • Define security policies, standards, and best practices for cloud and containerized environments, and translate them into implementable guardrails and reference patterns (policy-as-code, reference configurations, and developer guidance), including encryption/key management (e.g., KMS), secrets storage, and secure workload access patterns; validate adoption and baseline compliance in partnership with Infrastructure/Platform teams. • Partner with Compliance to align technical controls to HIPAA requirements and produce audit-ready evidence (configurations, screenshots/exports, control narratives, and remediation tracking) for cloud and container platforms. • Improve security visibility and detection in AWS and Kubernetes: define requirements, ensure high-quality logging, and create actionable detections/alerts in partnership with the SOC/SIEM owners. • Run vulnerability management across the stack for cloud and containerized applications: triage and prioritize findings for application code, Infrastructure as Code, container images, third-party dependencies, and OS packages; coordinate fixes with engineering/platform teams, validate remediation, and track risk-based exceptions. • Support incident response for cloud and container security events: perform technical triage, containment support, root cause analysis, and deliver preventative engineering changes. • Develop and maintain security-as-code standards and reusable guardrails (e.g., Terraform modules/policies) and automated checks/policy gates to enforce baseline compliance across AWS accounts and Kubernetes clusters; partner with Infrastructure/Platform teams to roll out and operationalize these controls at scale. • Independently manage security engineering deliverables from intake through delivery: clarify requirements, design solutions, document decisions/runbooks, and communicate status/risks to stakeholders. • Translate HITRUST MyCSF/HIPAA and internal security policies into measurable cloud and SDLC control requirements; validate control effectiveness through testing and evidence collection. • Contribute to security tool administration and continuous improvement (e.g., cloud posture management, vulnerability scanning, CI/CD scanning tools) by tuning rules, reducing false positives, and improving developer usability. • Participate in on-call/escalation processes as needed; maintain runbooks and support post-incident reviews and corrective actions. • Serve as a technical resource for peers through code/config reviews, pairing, and clear documentation; help raise the security bar through pragmatic standards and guidance. • Perform other duties as assigned.