Manager Information Security, Governance & Risk
Toronto, Ontario, Canada
CareRx Corporation
Reporting to the Senior Vice President, Information Technology, the Manager, Information Security, Governance & Risk will serve as the enterprise authority on information security, risk, and governance across CareRx’s technology estate. This strategic leadership role is responsible for defining and maturing the organization's information security program, overseeing security operations, and embedding robust IT governance and risk management frameworks across the enterprise.
This individual will be expected to provide executive-level insights, interface regularly with legal, compliance, audit, privacy, and procurement functions, and act as a key advisor to the SVP, IT and executive leadership on all security-related decisions. The ideal candidate is a seasoned cybersecurity and GRC leader with demonstrated success operating in a regulated, multi-site healthcare or pharmacy environment.
Enhanced Key Responsibilities
Enterprise Information Security Governance
- Own and evolve the organization’s enterprise information security governance framework in alignment with ISO 27001, NIST CSF, and PHIPA/PIPEDA requirements.
- Lead the creation, maintenance, and enforcement of enterprise-wide security policies, controls, and standards, and ensure alignment with business strategy and regulatory obligations.
- Develop the annual Security Program Roadmap with KPIs, milestones, and funding requirements.
- Establish and chair a cross-functional Information Security Steering Committee.
Strategic IT Risk Management
- Lead the implementation of a formal IT Risk Management Framework, incorporating qualitative and quantitative risk assessments, treatment plans, and residual risk monitoring.
- Develop and maintain the IT risk register, aligned to business impact, and facilitate executive-level risk reviews.
- Partner with Legal, Privacy, and Procurement to assess third-party risks and oversee TRA/PIA processes.
- Respond to customer and regulator security audits, assessments, and due diligence inquiries.
Cybersecurity Architecture & Oversight
- Oversee enterprise security architecture and work with infrastructure, network, and application teams to ensure secure design and deployment practices.
- Maintain visibility into cloud security posture (e.g., Azure, M365, SaaS platforms) and drive adoption of zero-trust principles.
- Lead or escalate major security incidents, including root cause analysis, executive reporting, and lessons learned reviews.
Audit, Compliance & Regulatory Engagement
- Act as the primary liaison for internal and external audits, ensuring timely evidence collection and closure of audit findings.
- Lead compliance readiness across PHIPA, PIPEDA, PCI-DSS, NI 52-109, and emerging cybersecurity regulatory frameworks.
- Continuously monitor and report compliance status to executive leadership and board-level committees as required.
Security Awareness & Culture Building
- Design and operationalize a security awareness and training program that fosters a culture of shared accountability.
- Track and report program effectiveness metrics and lead targeted campaigns in response to risk trends and incidents.
Metrics, Reporting, and Executive Engagement
- Define and manage enterprise security KPIs and risk metrics; deliver regular executive dashboards and board-level reports.
- Prepare quarterly security posture briefings for IT and business leadership.
- Participate in enterprise planning to ensure security alignment with digital transformation and pharmacy modernization initiatives.
Minimum Qualifications
- 10+ years in progressive roles in Information Security, Risk Management, or IT Governance.
- Proven leadership in developing and executing enterprise security programs.
- Deep understanding of IT controls frameworks (NIST, ISO 27001, SOC 2, CIS), regulatory standards (PHIPA, PIPEDA), and cloud security models.
- Certifications strongly preferred: CISSP, CISM, CRISC, CISA, or equivalent.
- Strong working knowledge of TRA/PIA processes, third-party risk, and incident response planning.
Preferred Attributes
- Experience in healthcare, pharmacy, or other regulated industries with sensitive data exposure.
- Track record of building high-performing, cross-functional teams and delivering measurable improvements in risk posture.
- Ability to communicate complex concepts clearly to non-technical stakeholders and C-suite executives.
- Integrity in handling sensitive information and compliance obligations.
- Collaboration across departments including Legal, Privacy, IT, and Clinical Operations.
- Innovation in driving modern, cloud-first security strategies.
- Empathy for the needs of patients, staff, and business partners in balancing security with usability.
- Accountability through strong follow-through, ownership of risk mitigation, and transparent reporting.
Application Process:
CareRx welcomes and encourages applications from people with disabilities. Accommodations are available upon request for candidates taking part in all aspects of the selection process. Interested, qualified candidates are encouraged to apply.
All applicants must pass background screening (depending on the role: Criminal Record Check, Vulnerable Sector Check, Credit Check, Driver’s Abstract, Education Verification, Current Professional Registration) and reference checks. Background screening will be completed after an offer of employment has been extended and accepted.