ActiveJobs

Cyber Risk & Remediation Service Lead

Zoetis · Malvern

Full-timeOn-sitePosted 17 July 2026
Apply on Company Site →

Job description

States considered: PA Role Description POSITION SUMMARY Zoetis is seeking a Cyber Risk & Remediation service lead who will be accountable for the enterprise cyber risk operating cadence, building and maintaining the cyber risk register, driving risk treatment decisions, and ensuring risks are remediated within defined timelines. This leader owns and matures programs spanning Cyber Risk & Remediation, M&A Security risk, and Security Awareness & Training. The role partners closely with technology and business teams to identify risk, assign accountable owners, track remediation progress, and provide clear reporting to Cyber leadership. POSITION RESPONSIBILITIES Cyber Risk Governance & Risk Register Ownership Establish the cyber risk governance model (risk taxonomy, scoring/ratings, risk acceptance thresholds, escalation paths). Create, own, and maintain the Cyber Risk Register, ensuring each risk has:defined risk statement and business impact inherent/residual rating accountable risk owner treatment plan (mitigate/accept/transfer/avoid) target remediation date / SLA and evidence of closure Lead recurring risk review forums with technology and business stakeholders; drive risk decisions and document outcomes. Remediation Program Leadership: Partner with infrastructure, application, and engineering teams to create and prioritize remediation plans. Define remediation SLAs by severity and risk tier and ensure adherence; proactively remove blockers impacting remediation progress. Oversee enterprise cyber exposure management for infrastructure and platforms, including governance of Minimum Security Baselines (MSBs) and continuous security assessment capabilities (e.g., vulnerability and configuration scanning, posture monitoring, and exposure discovery). Translate technical findings into actionable cyber risks, ensuring they are tracked through remediation programs, reported through governance forums, and escalated to technology and business stakeholders when remediation SLAs or risk tolerance thresholds are exceeded. M&A Security Risk Lead cyber risk activities for M&A: due diligence security findings intake, risk register entry, ownership assignment, and remediation/integration tracking through closure. Standardize M&A security assessment and reporting templates. Oversee the implementation and tracking of security controls. Security Awareness, Training, and Phishing (Human Risk) Own and lead the enterprise Security Awareness & Training program, including development of role-based, targeted, and risk-informed training initiatives. Oversee the phishing simulation program, driving measurable reductions in risky user behaviors and strengthening the organization’s human security posture. Develop and maintain human risk metrics and KRIs, integrating insights into enterprise cyber risk reporting and informing continuous improvement of awareness strategies. Metrics & Continuous Improvement: Produce executive-ready reporting on risk posture, top risks, remediation SLA performance, and program effectiveness. Enable on-demand metrics using industry standard frameworks (MITRE, NIST, etc.) Establish strong partnership and trust across business units and stakeholders. Mentorship & Leadership: Lead and develop a team and/or matrixed resources supporting cyber risk governance, remediation oversight, and human-risk programs. Operate as a player-coach, capable of both leading the program and personally contributing to key initiatives such as risk analysis, governance facilitation, remediation coordination, and executive reporting. Create and maintain policies, protocols, and standard operating procedures that enable consistent and scalable cyber risk management practices. Manage vendors and partners supporting awareness platforms, phishing simulations, and cyber risk workflow tooling. Foster a culture of accountability, operational excellence, and continuous learning, encouraging collaboration and knowledge sharing across the team. EDUCATION AND EXPERIENCE Indicate the formal education, certification or license required and/or preferred. Include the minimum number of years of relevant experience required for the position (where legally permissible). Education: Bachelor’s degree in Computer Sciences, Information Security, Information Systems, Engineering, Sciences or relevant professional experience. Experience: 5+ years of experience in information security, technology risk, or enterprise risk, with demonstrated ownership of addressing risk across a global organization and driving cross-functional remediation to closure within defined timelines. 3+ years of people leadership and/or senior program leadership in a global environment, with demonstrated ability to influence and deliver outcomes through matrixed teams. 8+ years of experience (or equivalent depth of expertise) in cyber/technology risk management, with emphasis on human risk programs (awareness, training, phishing) and broader cyber risk governance (risk identification, assessment, tracking, and treatment). TECHNICAL SKILLS REQUIREMENTS Demonstrated ability to build and operate a cyber risk register and drive closure within defined remediation timelines (SLAs), including governance, escalation, and evidence-based closure. Experience running Security Awareness & Training and phishing programs with measurable outcomes (completion, behavior change, reporting rates, reduced susceptibility). Experience supporting security due diligence and M&A integration risk tracking, including intake of findings, ownership assignment, and remediation through closure. Ability to interpret and communicate technical risk using vulnerability and control data—comfortable with trends, prioritization, and executive-level reporting; able to leverage analytics/data visualization tools (e.g., Power BI, Tableau) personally or through team support. Working knowledge of common security frameworks and compliance requirements (e.g., NIST, ISO 27001, PCI-DSS, HIPAA) and ability to map findings to controls and risk statements. Proven experience coordinating remediation across technical and business teams, managing SLAs, improving remediation workflows, and driving accountability, without needing to be the deepest VM analyst. Solid understanding of vulnerability management concepts and lifecycle (discovery, validation, prioritization, exception handling, remediation, verification) with the ability to review team output and challenge/coach appropriately. Understanding of security policy, enterprise security strategy, architecture concepts, and governance practices, including risk acceptance and exception processes. Broad knowledge of security technologies and principles and risk considerations across on-prem and cloud; familiarity with control frameworks and basic threat modeling concepts. Ability to translate emerging issues (vulnerabilities/exploit trends) into practical guidance, playbooks, and operational improvements—partnering with SMEs as needed. Comfort operating in complex enterprise environments: able to troubleshoot at a high level, ask the right technical questions, and mobilize the right experts (hands-on depth not required). Strong program/project management skills with the ability to manage multiple priorities, run governance cadences, and deliver measurable outcomes. Strong written/verbal communication and influence skills; able to present clearly, negotiate effectively, and drive decisions across levels and functions. High standards of ethics, professionalism, and integrity. Experience in regulated industries (e.g., pharmaceuticals) is desirable. Ability to articulate business-focused security outcomes that guide program direction and improve risk posture. PHYSICAL POSITION REQUIREMENTS Primarily office-based work involving sitting, computer use, and meetings. Ability to work flexible hours as needed to coordinate with global teams and support audit readiness activities. Occasional travel may be required for audits,

Verified and listed by ActiveJobs. Applications are made directly on Zoetis's own career page — we never sit in the middle.