Security Risk & Operational Resilience Lead

Construction Resources

$100K — $130K *
Information Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • 10+ years in Information Security, GRC, or related fields
  • 5+ years leading security programs or cross-functional initiatives
  • Strong knowledge of industry security frameworks and regulatory requirements
  • Proven ability to develop and operationalize GRC and incident response programs
  • Experience using metrics for tracking measurable outcomes
  • Strong communication skills for technical and business interactions
  • Preferred certifications include CISSP, CISM, CRISC or equivalent

Responsibilities

  • Develop and mature the enterprise GRC program, including risk management and compliance monitoring
  • Lead enterprise risk assessments and manage a central risk register
  • Implement a control validation program to verify security control effectiveness
  • Own the Incident Response program, including governance and operational playbooks
  • Establish integration of security programs with operational systems
  • Oversee cybersecurity due diligence for acquisitions
  • Serve as a trusted advisor on security risk and compliance

Benefits

  • Medical
  • Dental
  • Vision
  • Employer Paid Basic Employee Life and AD&D Insurance
  • Employer Paid Long Term Disability
  • Flexible Spending Accounts
  • Voluntary Short-Term Disability
  • Voluntary Life and AD&D Insurance
  • Voluntary Accident Insurance
  • Voluntary Critical Illness Insurance
Full Job Description
Security Risk & Operational Resilience Lead

Role Overview

The Security Risk & Operational Resilience Lead is responsible for designing, operationalizing, and continuously improving Construction Resources' enterprise security governance, risk, and incident readiness programs.

This role serves as the program owner for GRC, incident readiness, and control effectiveness, ensuring that security policies, controls, and response processes are not only defined but also measurable, tested, and consistently executed across the organization.

The position operates as a bridge between cybersecurity engineering, IT operations, and executive leadership, aligning stakeholders while maintaining clear separation from direct ownership of security tools or infrastructure. The ideal candidate is a strategic, hands-on leader who can translate security requirements into operational execution and measurable outcomes across a complex, growing enterprise.

Key Responsibilities

Governance, Risk & Compliance (GRC) Program
• Develop, implement, and continuously mature Construction Resources' enterprise GRC program, including risk management, control frameworks, compliance monitoring, and reporting.
• Maintain alignment with industry standards and regulatory requirements, including NIST CSF, ISO 27001, SOC 2, and PCI-DSS.
• Lead enterprise risk assessments and manage a central risk register, including prioritization, ownership assignment, and remediation tracking.
• Build and deliver security metrics, dashboards, and executive reporting to support informed decision-making at the leadership and Board level.

Security Program Execution & Control Effectiveness
• Define and implement a control validation and assurance program to verify security controls are operating effectively across identity, endpoint, network, and data domains.
• Establish standardized methods for collecting control evidence, validation results, and remediation tracking, leveraging enterprise tools such as Jira Service Management (JSM).
• Partner with cybersecurity engineering and IT operations to ensure controls are embedded into operational workflows, not treated as standalone compliance activities.
• Drive measurable improvement in control effectiveness, coverage, and time-to-remediation metrics across the organization.
• Lead enterprise cybersecurity auditing activities across frameworks and control areas (e.g., PCI-DSS, identity/access, network, and data security), ensuring audit readiness, evidence validation, gap identification, and timely remediation.

Security Policy & Standards Management
• Own the lifecycle of security policies, standards, and procedures, ensuring they are current, actionable, and aligned with business and regulatory requirements.
• Drive adoption and operationalization of policies across technology and business teams.
• Conduct periodic policy reviews, gap assessments, and effectiveness evaluations to ensure policies result in real-world security improvements.

Incident Response Program & Readiness
• Own the Incident Response (IR) program framework, including governance, policies, and playbooks aligned to industry best practices.
• Define and maintain incident classification, escalation, and communication models integrated with enterprise operational systems.
• Serve as Incident Commander for high-severity events, coordinating cross-functional response efforts while partnering with engineering leads responsible for technical containment and recovery.
• Lead post-incident reviews, root cause analysis governance, and corrective action tracking to ensure continuous improvement.
• Conduct regular tabletop exercises with executives, technical teams, and business leaders to validate response readiness.

Security Operations Integration
• Establish and maintain integration between security programs and operational systems, including ticketing, monitoring, and collaboration platforms.
• Define standardized security workflows for detection, escalation, and major incident handling, ensuring consistent routing, ownership, and visibility.
• Partner with cybersecurity engineering and IT operations to improve incident triage, escalation consistency, and response effectiveness across business units.

Mergers & Acquisitions (M&A) Security Integration
• Lead cybersecurity due diligence for acquisitions, including risk assessments and evaluation of security posture.
• Define and execute standardized integration playbooks (Day 1, Day 30, Day 90) to onboard acquired entities into Construction Resources' security program.
• Track integration risks and remediation activities through formal governance and reporting structures.
• Prioritize integration of identity, endpoint protection, network segmentation, and compliance alignment.

Cross-Functional Leadership & Collaboration
• Serve as a trusted advisor to senior leadership on security risk, compliance, and operational readiness.
• Build strong relationships with business units to embed security into operational processes and strategic initiatives.
• Partner closely with Technology, Legal, Privacy, Internal Audit, and Corporate Development teams.
• Over time, support the development and mentorship of GRC and security program resources as the function scales.

Scope Boundaries & Collaboration Model

This role is responsible for program ownership, governance, and operational readiness, and collaborates closely with technical and operational teams.

This role does not directly own:
• Security tool administration (e.g., SIEM, EDR, network security platforms)
• Infrastructure, network, or endpoint engineering

Instead, the role partners with:
• Cybersecurity engineering leadership for design and implementation of technical controls
• IT operations teams for execution of remediation and system-level changes

Qualifications
• 10+ years of progressive experience in Information Security, GRC, or related fields
• 5+ years of experience leading security programs or cross-functional initiatives
• Strong knowledge of security frameworks (NIST CSF, ISO 27001) and regulatory requirements (PCI-DSS preferred)
• Proven ability to develop and operationalize enterprise GRC and incident response programs
• Experience driving measurable outcomes through metrics, reporting, and governance
• Strong collaboration and communication skills across technical and business audiences
• Relevant certifications preferred (CISSP, CISM, CRISC or equivalent)

Work Location

Hybrid - This role may work remotely but is expected to attend meetings and work from Construction Resources offices as needed.

BENEFITS
• Medical
• Dental
• Vision
• Employer Paid Basic Employee Life and AD&D Insurance
• Employer Paid Long Term Disability
• Flexible Spending Accounts
• Voluntary Short-Term Disability
• Voluntary Life and AD&D Insurance
• Voluntary Accident Insurance
• Voluntary Critical Illness Insurance

PHYSICAL DEMANDS
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job.

While performing the duties of this job, the employee is regularly required to speak or hear. The employee is frequently required to sit for extended periods of time, stand, walk, climb stairs, use hands to finger, handle or feel, and reach with hands and arms. Specific vision abilities required by this job include close vision, distance vision, color vision, peripheral vision, depth perception and ability to adjust focus.

POSITION TYPE/EXPECTED HOURS OF WORK
This is a full-time position that requires overtime as business needs dictate.

OTHER DUTIES
Please note: this job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time, with or without notice.
