CVS Health
Staff Cloud Security Engineer, Vulnerability Management
About CVS Health
CVS Health Corporation is a leading American healthcare company headquartered in the U.S. It ranks as the world's second-largest healthcare company, following UnitedHealth Group. Founded in 1963 in Lowell, Massachusetts, CVS Health operates several well-known brands, including CVS Pharmacy, CVS Caremark, and Aetna. The company has evolved from a discount health and beauty retailer to a comprehensive healthcare provider. CVS Health offers a wide range of services and products, including a vast retail pharmacy chain that sells health and beauty items, prescription drugs, and over-the-counter products. The company also manages pharmacy benefits through CVS Caremark and provides health insurance services via Aetna. Additionally, CVS Health operates MinuteClinics, which offer in-store healthcare services for common illnesses. The company has grown significantly through strategic acquisitions, expanding its reach and capabilities in the healthcare sector.
Security at CVS Health
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
“CVS Health's AppSec mission is to protect customer, shareholder, patient, and member data through its Vulnerability Disclosure Program. They aim to develop secure engineering practices by collaborating with engineering and business teams and integrating security controls into CI/CD pipelines. Their risk philosophy involves translating technical risk into business impact. Stated goals include automating manual reporting tasks and remediating verified issues based on severity. However, public statements describing a unified AppSec mission beyond vulnerability disclosure and job responsibilities, or explicit statements about a "developer-first" approach, are not publicly available.”
Security Team
[CORRECTION per HS-ISAC verification: Current CISO is Alan Rosa, NOT Chandra McMahon. McMahon was prior CISO. Below content is pre-research and contains stale leadership references.] Key public-facing leaders include Chandra McMahon, Senior Vice President and Chief Information Security Officer, and Tilak Mandadi, Executive Vice President, Ventures and Chief Experience and Technology Officer. Chandra McMahon states that "The CISO role has rapidly transformed from a technical guardian to a strategic business leader." The exact AppSec team size and its organizational structure (centralized/embedded) are not publicly available. As of, there are 5 active 'devsecops' job postings. Common skill patterns from job postings include developing and enforcing engineering security policies, experience with remediation of vulnerabilities from Static Analysis and Open Source Scanning, and expertise with Docker, Kubernetes, Security-as-Code, and Infrastructure-as-Code.
Key Initiatives
CVS Health has no public evidence of a Security Champions program. They practice "Shift Left" by integrating security controls into CI/CD pipelines, including automated scanning, policy enforcement, remediation workflows, and designing automated workflows for security processes. Their vulnerability management process involves encouraging reporting through their Vulnerability Disclosure Program, with verified issues passed to development teams for remediation based on severity. However, specific SLAs or MTTR numbers are not publicly available. For Secure SDLC Artifacts, familiarity with the OWASP Application Security Verification Standard is mentioned in job postings, but explicit statements about threat modeling, mandatory security reviews, or annual penetration testing are not publicly available. No public citations within the last 6 months reference new AppSec programs, tool rollouts, or policy changes.