Security Risk & Operational Resilience Lead

About The Position

Requirements

• 10+ years of progressive experience in Information Security, GRC, or related fields
• 5+ years of experience leading security programs or cross-functional initiatives
• Strong knowledge of security frameworks (NIST CSF, ISO 27001) and regulatory requirements (PCI-DSS preferred)
• Proven ability to develop and operationalize enterprise GRC and incident response programs
• Experience driving measurable outcomes through metrics, reporting, and governance
• Strong collaboration and communication skills across technical and business audiences

Nice To Haves

• Relevant certifications preferred (CISSP, CISM, CRISC or equivalent)

Responsibilities

• Develop, implement, and continuously mature Construction Resources’ enterprise GRC program, including risk management, control frameworks, compliance monitoring, and reporting.
• Maintain alignment with industry standards and regulatory requirements, including NIST CSF, ISO 27001, SOC 2, and PCI-DSS.
• Lead enterprise risk assessments and manage a central risk register, including prioritization, ownership assignment, and remediation tracking.
• Build and deliver security metrics, dashboards, and executive reporting to support informed decision-making at the leadership and Board level.
• Define and implement a control validation and assurance program to verify security controls are operating effectively across identity, endpoint, network, and data domains.
• Establish standardized methods for collecting control evidence, validation results, and remediation tracking, leveraging enterprise tools such as Jira Service Management (JSM).
• Partner with cybersecurity engineering and IT operations to ensure controls are embedded into operational workflows, not treated as standalone compliance activities.
• Drive measurable improvement in control effectiveness, coverage, and time-to-remediation metrics across the organization.
• Lead enterprise cybersecurity auditing activities across frameworks and control areas (e.g., PCI-DSS, identity/access, network, and data security), ensuring audit readiness, evidence validation, gap identification, and timely remediation.
• Own the lifecycle of security policies, standards, and procedures, ensuring they are current, actionable, and aligned with business and regulatory requirements.
• Drive adoption and operationalization of policies across technology and business teams.
• Conduct periodic policy reviews, gap assessments, and effectiveness evaluations to ensure policies result in real-world security improvements.
• Own the Incident Response (IR) program framework, including governance, policies, and playbooks aligned to industry best practices.
• Define and maintain incident classification, escalation, and communication models integrated with enterprise operational systems.
• Serve as Incident Commander for high-severity events, coordinating cross-functional response efforts while partnering with engineering leads responsible for technical containment and recovery.
• Lead post-incident reviews, root cause analysis governance, and corrective action tracking to ensure continuous improvement.
• Conduct regular tabletop exercises with executives, technical teams, and business leaders to validate response readiness.
• Establish and maintain integration between security programs and operational systems, including ticketing, monitoring, and collaboration platforms.
• Define standardized security workflows for detection, escalation, and major incident handling, ensuring consistent routing, ownership, and visibility.
• Partner with cybersecurity engineering and IT operations to improve incident triage, escalation consistency, and response effectiveness across business units.
• Lead cybersecurity due diligence for acquisitions, including risk assessments and evaluation of security posture.
• Define and execute standardized integration playbooks (Day 1, Day 30, Day 90) to onboard acquired entities into CR’s security program.
• Track integration risks and remediation activities through formal governance and reporting structures.
• Prioritize integration of identity, endpoint protection, network segmentation, and compliance alignment.
• Serve as a trusted advisor to senior leadership on security risk, compliance, and operational readiness.
• Build strong relationships with business units to embed security into operational processes and strategic initiatives.
• Partner closely with Technology, Legal, Privacy, Internal Audit, and Corporate Development teams.
• Support the development and mentorship of GRC and security program resources as the function scales.

Benefits

• Medical
• Dental
• Vision
• Employer Paid Basic Employee Life and AD&D Insurance
• Employer Paid Long Term Disability
• Flexible Spending Accounts
• Voluntary Short-Term Disability
• Voluntary Life and AD&D Insurance
• Voluntary Accident Insurance
• Voluntary Critical Illness Insurance