McKesson is in the business of better health and we touch the lives of patients in virtually every aspect of healthcare. We partner with payors, hospitals, physician offices, pharmacies, pharmaceutical companies and others across the spectrum of care to build healthier organizations that deliver better care to patients in every setting. We believe in the importance of strong, vital organizations because we know that patients can only be healthy when our system is healthy.
Every single McKesson employee contributes to our mission—by joining McKesson you act as a catalyst in a chain of events that helps millions of people all over the globe. Talented, compassionate people are the future of our company—and of healthcare. At McKesson, you’ll collaborate on the products and solutions that help us carry out our mission to improve lives and advance healthcare. Working here is your opportunity to shape an industry that’s vital to us all.
We understand the importance of a system that works together. Your expertise, drive and passion can help us improve everything we touch, from providers to payors to pharmacies. Join our team of leaders to begin a rewarding career.
Wherever you contribute here at McKesson, you will have the ability to make a real impact in the lives of others.
The Senior Director will provide leadership, strategic direction, and oversight for maturing McKesson’s centralized, enterprise-wide IT Governance, Risk and Compliance (GRC) program within the enterprise Information Security and Risk Management (ISRM) function.
This position is responsible for objectively identifying, evaluating and reporting on information security risks in a manner that meets compliance and regulatory requirements, and aligns with and supports the risk posture of the enterprise.
The new Senior Director must be well-regarded throughout the business, and is expected to maintain a culture of performance and transparency, improve efficiency and quality, and continually build trust and credibility throughout the organization.
This position can be based at our Alpharetta, GA or Scottsdale, AZ office.
As McKesson’s Sr. Director, IT Governance, Risk & Compliance, your key responsibilities will include:
Strategic Planning – This executive will leverage the corporate-defined strategy to develop a detailed roadmap and plan to mature our enterprise IT GRC program.
Monitor the industry landscape to understand and prepare for upcoming changes in the business environment, including compliance regulations and security technologies.
Communicate an understanding of McKesson’s IT governance, risk and compliance landscape to senior leadership at the corporate and business unit (BU) levels.
Socialize the roadmap and plan, and build consensus and support with business and IT leaders.
Program Management and Operations – This executive will manage the enterprise IT Governance Risk and Compliance program and operations, including:
Policy Management, Training & Awareness:
Develop, maintain and publish (launch) enterprise information security policies and standards
Maintain mandatory compliance training, and enhance targeted training programs for high-risk teams (e.g. application security engineers, system administrators, etc.)
Lead social engineering awareness program, including phishing awareness
Refine enterprise processes to track, monitor and report on key IT Risks and recommend programs to achieve a risk target.
Partner closely with the ISRM Cybersecurity team to identify and manage threats in relation to the key risks.
Ensure that security programs are designed for compliance with relevant laws, regulations and policies, and to minimize or eliminate risk and audit findings.
Validate compliance with relevant laws, regulations and policies such as HIPAA and PCI DSS, and support SOX compliance
Oversee attestation services in support of ~500 customer requests per year (e.g. SOC 1 and SOC 2 reports, HITRUST, ISO 27001, etc.)
Oversee the issues management and policy exception processes
Third-Party Assurance:
Lead the third-party assurance program to help manage and monitor the risks associated with the third-party service providers McKesson uses. Develop an appropriate, scalable framework and operating model, covering automation, staffing versus outsourcing, and the level of centralization versus execution at the individual business units.
Collaboration, Reporting and Financial Management:
Coordinate closely with the ISRM Program Management team to provide regular metrics and reporting to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of security.
Collaborate with other Corporate functions including Internal Audit, Legal and Compliance, Privacy and Enterprise Sourcing, to ensure that the organization maintains a strong security posture.
Liaise with Business Information Security Officers (BISOs), who are accountable for the Cybersecurity and IT Risk & Compliance Management program within McKesson’s business units.
Develop and manage a security budget and develop strategic plans to invest resources to efficiently reduce cybersecurity risk.