Cyber Risk & Remediation Service Lead
States considered: PA
Role Description
POSITION SUMMARY
Zoetis is seeking a Cyber Risk & Remediation service lead who will be accountable for the enterprise cyber risk operating cadence, building and maintaining the cyber risk register, driving risk treatment decisions, and ensuring risks are remediated within defined timelines. This leader owns and matures programs spanning Cyber Risk & Remediation, M&A Security risk, and Security Awareness & Training. The role partners closely with technology and business teams to identify risk, assign accountable owners, track remediation progress, and provide clear reporting to Cyber leadership.
POSITION RESPONSIBILITIES
Cyber Risk Governance & Risk Register Ownership
- Establish the cyber risk governance model (risk taxonomy, scoring/ratings, risk acceptance thresholds, escalation paths).
- Create, own, and maintain the Cyber Risk Register, ensuring each risk has:
- defined risk statement and business impact
- inherent/residual rating
- accountable risk owner
- treatment plan (mitigate/accept/transfer/avoid)
- target remediation date / SLA and evidence of closure
- Lead recurring risk review forums with technology and business stakeholders; drive risk decisions and document outcomes.
Remediation Program Leadership:
- Partner with infrastructure, application, and engineering teams to create and prioritize remediation plans.
- Define remediation SLAs by severity and risk tier and ensure adherence; proactively remove blockers impacting remediation progress.
- Oversee enterprise cyber exposure management for infrastructure and platforms, including governance of Minimum Security Baselines (MSBs) and continuous security assessment capabilities (e.g., vulnerability and configuration scanning, posture monitoring, and exposure discovery).
- Translate technical findings into actionable cyber risks, ensuring they are tracked through remediation programs, reported through governance forums, and escalated to technology and business stakeholders when remediation SLAs or risk tolerance thresholds are exceeded.
M&A Security Risk
- Lead cyber risk activities for M&A: due diligence security findings intake, risk register entry, ownership assignment, and remediation/integration tracking through closure.
- Standardize M&A security assessment and reporting templates.
- Oversee the implementation and tracking of security controls.
Security Awareness, Training, and Phishing (Human Risk)
- Own and lead the enterprise Security Awareness & Training program, including development of role-based, targeted, and risk-informed training initiatives.
- Oversee the phishing simulation program, driving measurable reductions in risky user behaviors and strengthening the organization’s human security posture.
- Develop and maintain human risk metrics and KRIs, integrating insights into enterprise cyber risk reporting and informing continuous improvement of awareness strategies.
Metrics & Continuous Improvement:
- Produce executive-ready reporting on risk posture, top risks, remediation SLA performance, and program effectiveness.
- Enable on-demand metrics using industry standard frameworks (MITRE, NIST, etc.)
- Establish strong partnership and trust across business units and stakeholders.
Mentorship & Leadership:
- Lead and develop a team and/or matrixed resources supporting cyber risk governance, remediation oversight, and human-risk programs.
- Operate as a player-coach, capable of both leading the program and personally contributing to key initiatives such as risk analysis, governance facilitation, remediation coordination, and executive reporting.
- Create and maintain policies, protocols, and standard operating procedures that enable consistent and scalable cyber risk management practices.
- Manage vendors and partners supporting awareness platforms, phishing simulations, and cyber risk workflow tooling.
- Foster a culture of accountability, operational excellence, and continuous learning, encouraging collaboration and knowledge sharing across the team.
EDUCATION AND EXPERIENCE
Indicate the formal education, certification or license required and/or preferred. Include the minimum number of years of relevant experience required for the position (where legally permissible).
Education:
- Bachelor’s degree in Computer Sciences, Information Security, Information Systems, Engineering, Sciences or relevant professional experience.
Experience:
- 5+ years of experience in information security, technology risk, or enterprise risk, with demonstrated ownership of addressing risk across a global organization and driving cross-functional remediation to closure within defined timelines.
- 3+ years of people leadership and/or senior program leadership in a global environment, with demonstrated ability to influence and deliver outcomes through matrixed teams.
- 8+ years of experience (or equivalent depth of expertise) in cyber/technology risk management, with emphasis on human risk programs (awareness, training, phishing) and broader cyber risk governance (risk identification, assessment, tracking, and treatment).
TECHNICAL SKILLS REQUIREMENTS
- Demonstrated ability to build and operate a cyber risk register and drive closure within defined remediation timelines (SLAs), including governance, escalation, and evidence-based closure.
- Experience running Security Awareness & Training and phishing programs with measurable outcomes (completion, behavior change, reporting rates, reduced susceptibility).
- Experience supporting security due diligence and M&A integration risk tracking, including intake of findings, ownership assignment, and remediation through closure.
- Ability to interpret and communicate technical risk using vulnerability and control data—comfortable with trends, prioritization, and executive-level reporting; able to leverage analytics/data visualization tools (e.g., Power BI, Tableau) personally or through team support.
- Working knowledge of common security frameworks and compliance requirements (e.g., NIST, ISO 27001, PCI-DSS, HIPAA) and ability to map findings to controls and risk statements.
- Proven experience coordinating remediation across technical and business teams, managing SLAs, improving remediation workflows, and driving accountability, without needing to be the deepest VM analyst.
- Solid understanding of vulnerability management concepts and lifecycle (discovery, validation, prioritization, exception handling, remediation, verification) with the ability to review team output and challenge/coach appropriately.
- Understanding of security policy, enterprise security strategy, architecture concepts, and governance practices, including risk acceptance and exception processes.
- Broad knowledge of security technologies and principles and risk considerations across on-prem and cloud; familiarity with control frameworks and basic threat modeling concepts.
- Ability to translate emerging issues (vulnerabilities/exploit trends) into practical guidance, playbooks, and operational improvements—partnering with SMEs as needed.
- Comfort operating in complex enterprise environments: able to troubleshoot at a high level, ask the right technical questions, and mobilize the right experts (hands-on depth not required).
- Strong program/project management skills with the ability to manage multiple priorities, run governance cadences, and deliver measurable outcomes.
- Strong written/verbal communication and influence skills; able to present clearly, negotiate effectively, and drive decisions across levels and functions.
- High standards of ethics, professionalism, and integrity.
- Experience in regulated industries (e.g., pharmaceuticals) is desirable.
- Ability to articulate business-focused security outcomes that guide program direction and improve risk posture.
PHYSICAL POSITION REQUIREMENTS
- Primarily office-based work involving sitting, computer use, and meetings.
- Ability to work flexible hours as needed to coordinate with global teams and support audit readiness activities.
- Occasional travel may be required for audits, regulatory meetings, or integration activities.
- No unusual physical demands or attendance requirements expected.
Travel Requirements: 5%-10%
Full time
Regular
Colleague
Any unsolicited resumes sent to Zoetis from a third party, such as an Agency recruiter, including unsolicited resumes sent to a Zoetis mailing address, fax machine or email address, directly to Zoetis employees, or to Zoetis resume database will be considered Zoetis property. Zoetis will NOT pay a fee for any placement resulting from the receipt of an unsolicited resume.
Zoetis will consider any candidate for whom an Agency has submitted an unsolicited resume to have been referred by the Agency free of any charges or fees. This includes any Agency that is an approved/engaged vendor but does not have the appropriate approvals to be engaged on a search.
Notice: Zoetis Recruiters will contact candidates via email from an address ending in @zoetis.com and may also initially connect with candidates through LinkedIn, including LinkedIn InMail. Zoetis does not use Gmail, Outlook, Yahoo, or other web-based/generic email domains to communicate about job opportunities, interviews, or offers of employment. If you receive a recruitment-related email message claiming to be from Zoetis that does not come from @zoetis.com, please treat it as suspicious. For your security, do not reply, click links, open attachments, share personal or financial information, or send money in response to unexpected or questionable recruitment communications.
Zoetis is committed to equal opportunity in the terms and conditions of employment for all employees and job applicants without regard to race, color, religion, sex, sexual orientation, age, gender identity or gender expression, national origin, disability or veteran status or any other protected classification. Disabled individuals are given an equal opportunity to use our online application system. We offer reasonable accommodations as an alternative if requested by an individual with a disability. Please contact Zoetis Colleague Services at [email protected] to request an accommodation. Zoetis also complies with all applicable national, state and local laws governing nondiscrimination in employment as well as employment eligibility verification requirements of the Immigration and Nationality Act. All applicants must possess or obtain authorization to work in the US for Zoetis. Zoetis retains sole and exclusive discretion to pursue sponsorship for the acquisition or maintenance of nonimmigrant status and employment eligibility, considering factors such as availability of qualified US workers. Individuals requiring sponsorship must disclose this fact. Please note that Zoetis seeks information related to job applications from candidates for jobs in the U.S. solely via the following: (1) our company website at www.Zoetis.com/careers site, or (2) via email to/from addresses using only the Zoetis domain of “@zoetis.com”. In addition, Zoetis does not use Google Hangout for any recruitment related activities. Any solicitation or request for information related to job applications with Zoetis via any other means and/or utilizing email addresses with any other domain should be disregarded. In addition, Zoetis will never ask candidates to make any type of personal financial investment related to gaining employment with Zoetis.
