BISO Director

Evernorth BISO roles are key leadership Technology roles aligning with our business functions to acts as a conduit between the Cigna Information Protection cybersecurity service delivery and business Technology.

Acting as the primary delegate for the business line Chief Information Security Officer, the BISO is responsible for maintaining a strategic relationship with the business function to ensure that ongoing continuity of cybersecurity the evolving organization.

Strategically you will be responsible for ensuring delivery of the last mile execution’ of global Cigna Information Protection Shared Services, developing and measuring capabilities whilst leading risk management activities for a portion of our Evernorth business.

Key Responsibilities

Understand the business unit and accompanying strategy to continuously monitor threat trends and business change to anticipate and plan for future impact of cyber risk on each business function.

Leverage Shared Service Integrated Cyber Risk Management Framework to help the business effectively manage business risk.

This includes partnering with business line CIOs and technology stakeholders to educate and integrate risk management activities in first and second line of defense governance.

Develop organizational wide Cyber / Information Security risk views by collaborating with internal control groups e.g. Audit, Compliance, Enterprise Risk Management, Legal and Privacy.

Coordinate with Shared Services to provide localized risk and vulnerability management information and reporting and embed Cyber / Information Security into business operational governance forums enabling data driven decision making.

Provide oversight and coordination of delivery of global Cyber & Privacy portfolio risk mitigation projects and programs into business line.

Conversely feed the portfolio by registering local business line residual risk outputs driving controls mitigation activity.

Partner with the Security Assurance team to evolve Cigna Information Protection security policies and processes, aligning to local business requirements and operate the policy exceptions management process.

Coordinate security education & awareness initiatives in line with policy framework, integrate with the Shared Service overall thematic awareness program.

Embed secure development practices, working with local business and technology teams to implement enterprise tooling and processes to ensure secure code implementation.

Embed risk management practices into Agile / DevSecOps pipelines to minimize production vulnerabilities.

Champion local incident responses & handling processes, provide business context and local expertise in incident scenarios.

Coordinate with Shared Service owner to manage local incident management postmortem activities and track residual findings to resolution.

Maintain and manage local regulatory incident response reporting requirements. Engage with Shared Services to carry out forensics security investigations work integrating processes with business and legal / compliance stakeholders.

Partner with Global Architecture Shared Services organizations to implement standard security solutions and capabilities, providing expert change solution design in local business line.

Conversely feed global Architecture roadmaps by capturing local requirements.

Support business line mergers, acquisitions, and divestiture activities in line with the Shared Services playbook designed to reduce change risk.

Lead local business Cigna Information Protection teams as well as matrix manage Shared Services peers. Ensure in person employee engagement by motivating team, running personalized development programs, and creating an empowering culture aligned with Cigna values.

Qualifications and Experience

A BA / BS in business or technical related field. MBSs are an added benefit, but not required.

Proven track record of successfully influencing and leading peer and matrix teams where direct and in-direct reporting relationships exists.

Strong leadership qualities and business acumen able to deal with all levels of the organization. Demonstrable experience developing and leading organizations autonomously.

Appreciation of global organizational culture variances.

Minimum 10+ years of Information Security / Cyber experience. Ability to translate information security and technical controls into business terms that are easily understood.

CISSP or other security related certification preferred (CISM, etc.).

Minimum 5+ years of Cyber leadership experience with Fortune 500 company in areas of Cyber Operations (preferred), Audit, Risk, Program Management.

Implementation level knowledge of information security standards and frameworks (e.g. ISO / IEC 27001 / 27002, PCI-DSS, NIST Cybersecurity Framework, Fedramp, etc.

and attestation reports (e.g. SOC 1 / 2). Awareness of Governance, Risk and Compliance and workflow management tools.

Experience within the Insurance, Financial Services, and / or Healthcare industry preferred.