VP, Cyber Defense & Threat Intelligence

CVS Health

Locations: CT - Hartford; NY - New York; AZ - Scottsdale; RI - Woonsocket

Posted today

Role Details

We’re building a world of health around every individual — shaping a more connected, convenient and compassionate health experience. At CVS Health®, you’ll be surrounded by passionate colleagues who care deeply, innovate with purpose, hold ourselves accountable and prioritize safety and quality in everything we do. Join us and be part of something bigger – helping to simplify health care one person, one family and one community at a time.

Position Summary

The Vice President, Cyber Defense & Threat Intelligence is a senior executive responsible for designing, building, and operating CVS Health's global defensive cyber capability. This leader commands the enterprise Security Operations Center (SOC), Computer Security Incident Response Team (CSIRT), Cyber Threat Intelligence (CTI) program, Insider Risk Operations, Artificial Intelligence Security Operations (AI SecOps), Security Data Analytics, Penetration Testing, Red/Blue Team operations, and Crisis Incident Response — a unified platform protecting one of the nation's largest healthcare enterprises and the sensitive personal health information of more than 180 million Americans.

Reporting directly to the CISO, this role is the company's senior operational defender and primary technical authority during significant cyber events. The VP operates within CVS Health's CISO leadership team and will build a culture of precision, speed, and mission orientation across a multi-disciplinary team, translating intelligence into prevention and detection while ensuring that operational outcomes meet the expectations of regulators, the Board, and executive leadership.

Key Responsibilities

Security Operations Center (SOC)

  • Own 24x7x365 enterprise SOC operations, ensuring continuous monitoring, detection, and triage across on-premises, cloud, and hybrid environments.
  • Drive SOC maturity through automation, SOAR playbook development, and metrics-driven performance management — targeting measurable reductions in mean time to detect (MTTD) and mean time to respond (MTTR).
  • Ensure SOC staffing, tooling, and process design meet HIPAA, PCI-DSS, and applicable state regulatory expectations for continuous monitoring of PHI/PII environments.
  • Lead vendor and MSSP relationships supporting SOC augmentation, establishing clear SLAs and escalation protocols.

Cyber Threat Intelligence (CTI)

  • Establish and mature an enterprise CTI program that delivers operationally relevant, decision-ready intelligence to executive, technical, and legal stakeholders.
  • Maintain active participation in sector-specific intelligence sharing communities (H-ISAC, FS-ISAC where applicable) and government partnerships (CISA, FBI, HHS/OCR).
  • Develop geopolitical and nation-state threat awareness programs that inform executive decision-making and enterprise risk posture.
  • Integrate CTI feeds directly into SOC detection logic, vulnerability prioritization, and red team planning.

Computer Security Incident Response Team (CSIRT)

  • Lead CSIRT operations responsible for classification, investigation, containment, eradication, and recovery of all significant security events.
  • Own incident response plans, runbooks, and tabletop exercise programs — ensuring alignment with legal counsel, privacy, compliance, and communications teams.
  • Serve as primary technical authority for all Severity 1 and Severity 2 security incidents; ensure appropriate executive and regulatory notification in accordance with applicable breach notification laws (HIPAA, state data breach statutes, SEC cybersecurity disclosure rules).
  • Maintain chain-of-custody and forensic evidence standards that support potential litigation, regulatory investigation, or law enforcement cooperation.

Insider Risk Operations

  • Build and operate a formal Insider Risk program capable of detecting, investigating, and responding to malicious, negligent, and compromised insider threats at enterprise scale.
  • Partner with Human Resources, Legal, and Employee Relations to ensure insider risk investigations are legally defensible, appropriately scoped, and compliant with applicable employment law and privacy regulations.
  • Design behavioral analytics and UBA/UEBA detection capabilities that distinguish anomalous from malicious activity while minimizing employee privacy intrusions.
  • Develop escalation protocols for referral of insider cases to law enforcement or legal action where appropriate.

Artificial Intelligence Security Operations (AI SecOps)

  • Establish CVS Health's enterprise AI Security Operations function — responsible for monitoring, detecting, and responding to threats targeting AI/ML systems, LLMs, agentic workflows, and AI-powered business processes.
  • Develop detection and response capabilities for emerging AI threat vectors including prompt injection, model extraction, adversarial inputs, training data poisoning, and AI supply chain risk.
  • Partner with the Enterprise AI Platform team to embed security monitoring into AI pipelines, model governance workflows, and API integrations.
  • Develop and publish AI security incident response playbooks specific to healthcare regulatory context and PHI exposure risk.

Security Data Analytics & SIEM/SOAR Engineering

  • Own the enterprise security data platform — including SIEM architecture, data lake engineering, telemetry ingestion pipelines, and security analytics — ensuring full visibility across the environment.
  • Lead development of advanced detection analytics, behavioral models, and machine learning-assisted threat hunting capabilities.
  • Establish and maintain security data governance standards, ensuring log retention, integrity, and availability consistent with legal hold, regulatory, and forensic requirements.
  • Drive measurable improvement in detection fidelity — reducing false positive rates while increasing signal quality across all detection layers.

Penetration Testing

  • Manage the enterprise penetration testing program — including internal assessments, application testing, red team operations, and third-party engagements — on a risk-prioritized schedule.
  • Ensure testing scope covers traditional infrastructure, cloud-native environments, AI/ML systems, mobile applications, API surfaces, and physical security where relevant.
  • Drive clear, actionable reporting of findings to technical owners and executive leadership, with tracked remediation metrics.
  • Maintain compliance with regulatory testing requirements (e.g., PCI-DSS penetration testing mandates, HIPAA technical safeguard assessments).

Adversarial Operations

  • Lead a mature adversary simulation program that continuously stress-tests CVS Health's detection and response capability against real-world threat actor TTPs, including nation-state and financially motivated adversaries.
  • Operate Purple Team exercises that close the loop between red team findings and blue team detection improvements — with documented, measurable outcomes.
  • Ensure red team operations are appropriately scoped, legally authorized, and operationally deconflicted with the SOC to avoid unintended disruption.
  • Leverage MITRE ATT&CK framework as the common language for adversary emulation, detection coverage assessment, and security control validation.

Incident Crisis Response & Executive Communication

  • Serve as the senior operational executive during declared cyber crises — coordinating technical response, legal liaison, executive briefings, and regulatory notification timelines in close collaboration with the SVP, Deputy CISO and other CISO leadership team members.
  • Develop and maintain the enterprise Cyber Crisis Management Plan in coordination with Enterprise Risk Management, Legal, Communications, and Board-level stakeholders.
  • Own communications to the CISO, SVP, CFO, CEO, Board Audit Committee, and external regulators during significant incidents — ensuring precision, legal accuracy, and appropriate confidentiality.
  • Lead post-incident review processes that produce legally defensible records, root cause analysis, and measurable control improvements.

Leadership & Organizational Responsibilities

  • Recruit, develop, and retain a high-performing, diverse team of cyber defense professionals across SOC, CSIRT, threat intelligence, and offensive/defensive security disciplines.
  • Establish a culture of continuous improvement, threat-informed defense, and mission orientation that operates effectively under pressure.
  • Develop annual operating budgets, headcount plans, and vendor strategy for all functions within scope; present business cases for investment with clear ROI framing.
  • Represent cyber defense operations in executive forums, Board presentations, regulatory examinations, and external audits.
  • Partner with the CISO and SVP, Deputy CISO on enterprise security strategy, architecture, and policy — ensuring all cyber defense operations are aligned with enterprise-wide security direction and that the VP's functional scope is clearly delineated from adjacent leadership mandates.
  • Serve as a visible external representative of CVS Health's security posture through industry conferences, regulatory engagement, and peer collaboration.

Required

  • 15+ years of progressive cybersecurity leadership experience, with a minimum of 8 years in senior leadership roles overseeing enterprise-scale security operations.
  • Demonstrated experience leading or significantly maturing a 24x7 SOC, CSIRT, and/or threat intelligence function in a large, complex enterprise environment.
  • Proven track record of leading significant cyber incident response events — including ransomware, nation-state, and insider threat scenarios — at enterprise scale.
  • Deep technical fluency across core cyber defense domains: SIEM/SOAR, endpoint detection and response (EDR), network security monitoring, cloud security monitoring (AWS, Azure, GCP), and threat intelligence platforms.
  • Strong executive communication skills — able to translate complex technical findings into precise, actionable, and legally defensible communications for C-suite and Board audiences.
  • Experience operating in highly regulated industries with significant personal data obligations (healthcare, financial services, retail, or equivalent).
  • Familiarity with HIPAA Security Rule, NIST CSF, NIST SP 800-53, CIS Controls, MITRE ATT&CK, and applicable state data breach notification laws.
  • Experience leading insider risk or behavioral analytics programs with appropriate HR/Legal partnership.

Preferred

  • Healthcare industry experience with direct exposure to HIPAA/HITECH compliance, OCR investigation response, and healthcare-specific threat actor activity.
  • Experience building or maturing AI/ML security operations capabilities — including detection of prompt injection, adversarial ML, and AI supply chain risk.
  • Background in red team or offensive security operations (OSCP, GXPN, or equivalent).
  • Legal or compliance background, or demonstrated experience working closely with legal counsel in incident response, regulatory notification, and litigation support contexts.
  • Experience testifying before regulatory bodies, law enforcement, or legislative committees.
  • Prior experience at CISO level or as a direct CISO report in a Fortune 50 or equivalent organization.

Certifications (Preferred)

  • CISSP
  • CISM
  • GCIA / GCIH / GREM
  • GCFE / GCFA (Forensics)
  • OSCP / GXPN (Offensive)
  • AWS/Azure/GCP Security Specialty
  • SANS GSOM / GSE
  • CISA

Pay Range

The typical pay range for this role is:

$0.00 - $0.00

This pay range represents the base hourly rate or base annual full-time salary for all positions in the job grade within which this position falls. The actual base salary offer will depend on a variety of factors including experience, education, geography and other relevant factors. This position is eligible for a CVS Health bonus, commission or short-term incentive program in addition to the base pay range listed above. This position also includes an award target in the company’s equity award program.

Our people fuel our future. Our teams reflect the customers, patients, members and communities we serve and we are committed to fostering a workplace where every colleague feels valued and that they belong.

Great benefits for great people

We take pride in offering a comprehensive and competitive mix of pay and benefits that reflects our commitment to our colleagues and their families.

This full‑time position is eligible for a comprehensive benefits package designed to support the physical, emotional, and financial well‑being of colleagues and their families. The benefits for this position include medical, dental, and vision coverage, paid time off, retirement savings options, wellness programs, and other resources, based on eligibility.

Additional details about available benefits are provided during the application process and on Benefits Moments.

We anticipate the application window for this opening will close on: 05/11/2026

Qualified applicants with arrest or conviction records will be considered for employment in accordance with all federal, state and local laws.

About CVS Health

CVS Health is a leading American healthcare company operating retail pharmacies, pharmacy benefit management services, and a health insurance segment through Aetna, one of the nation's largest health insurers.

Industry: Healthcare & Pharmacy