
Security Risk & Operational Resilience Lead

constructionresources

196 Rio Circle, Decatur, GA, 30030, Posted today
Role Overview

The Security Risk & Operational Resilience Lead is responsible for designing, operationalizing, and continuously improving Construction Resources’ enterprise security governance, risk, and incident readiness programs. This role serves as the program owner for GRC, incident readiness, and control effectiveness, ensuring that security policies, controls, and response processes are not only defined—but measurable, tested, and consistently executed across the organization.

The position operates as a bridge between cybersecurity engineering, IT operations, and executive leadership, aligning stakeholders while maintaining clear separation from direct ownership of security tools or infrastructure. The ideal candidate is a strategic, hands-on leader who can translate security requirements into operational execution and measurable outcomes across a complex, growing enterprise.

Key Responsibilities

Governance, Risk & Compliance (GRC) Program

  • Develop, implement, and continuously mature Construction Resources’ enterprise GRC program, including risk management, control frameworks, compliance monitoring, and reporting.
  • Maintain alignment with industry standards and regulatory requirements, including NIST CSF, ISO 27001, SOC 2, and PCI-DSS.
  • Lead enterprise risk assessments and manage a central risk register, including prioritization, ownership assignment, and remediation tracking.
  • Build and deliver security metrics, dashboards, and executive reporting to support informed decision-making at the leadership and Board level.

Security Program Execution & Control Effectiveness

  • Define and implement a control validation and assurance program to verify security controls are operating effectively across identity, endpoint, network, and data domains.
  • Establish standardized methods for collecting control evidence, validation results, and remediation tracking, leveraging enterprise tools such as Jira Service Management (JSM).
  • Partner with cybersecurity engineering and IT operations to ensure controls are embedded into operational workflows, not treated as standalone compliance activities.
  • Drive measurable improvement in control effectiveness, coverage, and time-to-remediation metrics across the organization.
  • Lead enterprise cybersecurity auditing activities across frameworks and control areas (e.g., PCI-DSS, identity/access, network, and data security), ensuring audit readiness, evidence validation, gap identification, and timely remediation.

Security Policy & Standards Management

  • Own the lifecycle of security policies, standards, and procedures, ensuring they are current, actionable, and aligned with business and regulatory requirements.
  • Drive adoption and operationalization of policies across technology and business teams.
  • Conduct periodic policy reviews, gap assessments, and effectiveness evaluations to ensure policies result in real-world security improvements.

Incident Response Program & Readiness

  • Own the Incident Response (IR) program framework, including governance, policies, and playbooks aligned to industry best practices.
  • Define and maintain incident classification, escalation, and communication models integrated with enterprise operational systems.
  • Serve as Incident Commander for high-severity events, coordinating cross-functional response efforts while partnering with engineering leads responsible for technical containment and recovery.
  • Lead post-incident reviews, root cause analysis governance, and corrective action tracking to ensure continuous improvement.
  • Conduct regular tabletop exercises with executives, technical teams, and business leaders to validate response readiness.

Security Operations Integration

  • Establish and maintain integration between security programs and operational systems, including ticketing, monitoring, and collaboration platforms.
  • Define standardized security workflows for detection, escalation, and major incident handling, ensuring consistent routing, ownership, and visibility.
  • Partner with cybersecurity engineering and IT operations to improve incident triage, escalation consistency, and response effectiveness across business units.

Mergers & Acquisitions (M&A) Security Integration

  • Lead cybersecurity due diligence for acquisitions, including risk assessments and evaluation of security posture.
  • Define and execute standardized integration playbooks (Day 1, Day 30, Day 90) to onboard acquired entities into CR’s security program.
  • Track integration risks and remediation activities through formal governance and reporting structures.
  • Prioritize integration of identity, endpoint protection, network segmentation, and compliance alignment.

Cross-Functional Leadership & Collaboration

  • Serve as a trusted advisor to senior leadership on security risk, compliance, and operational readiness.
  • Build strong relationships with business units to embed security into operational processes and strategic initiatives.
  • Partner closely with Technology, Legal, Privacy, Internal Audit, and Corporate Development teams.
  • Over time, support the development and mentorship of GRC and security program resources as the function scales.

Scope Boundaries & Collaboration Model

This role is responsible for program ownership, governance, and operational readiness, and collaborates closely with technical and operational teams.

This role does not directly own:

  • Security tool administration (e.g., SIEM, EDR, network security platforms)
  • Infrastructure, network, or endpoint engineering

Instead, the role partners with:

  • Cybersecurity engineering leadership for design and implementation of technical controls
  • IT operations teams for execution of remediation and system-level changes

Qualifications

  • 10+ years of progressive experience in Information Security, GRC, or related fields
  • 5+ years of experience leading security programs or cross-functional initiatives
  • Strong knowledge of security frameworks (NIST CSF, ISO 27001) and regulatory requirements (PCI-DSS preferred)
  • Proven ability to develop and operationalize enterprise GRC and incident response programs
  • Experience driving measurable outcomes through metrics, reporting, and governance
  • Strong collaboration and communication skills across technical and business audiences
  • Relevant certifications preferred (CISSP, CISM, CRISC or equivalent)

Work Location

Hybrid – This role may work remotely but is expected to attend meetings and work from Construction Resources offices as needed.

BENEFITS

  • Medical
  • Dental
  • Vision
  • Employer Paid Basic Employee Life and AD&D Insurance
  • Employer Paid Long Term Disability
  • Flexible Spending Accounts
  • Voluntary Short-Term Disability
  • Voluntary Life and AD&D Insurance
  • Voluntary Accident Insurance
  • Voluntary Critical Illness Insurance

EEO

At Construction Resources, our people are the driving force behind everything we do. Construction Resources is an equal opportunity employer that aspires to be the best in the business by building an associate experience that celebrates growth, development, and purpose.

PHYSICAL DEMANDS

The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. While performing the duties of this job, the employee is regularly required to speak or hear. The employee is frequently required to sit for extended periods of time, stand, walk, climb stairs, use hands to finger, handle or feel, and reach with hands and arms. Specific vision abilities required by this job include close vision, distance vision, color vision, peripheral vision, depth perception and ability to adjust focus.

POSITION TYPE/EXPECTED HOURS OF WORK

This is a full-time position that requires overtime as business needs dictate.

OTHER DUTIES

Please note: this job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time, with or without notice.

PRIVACY NOTICE

We value your privacy and want to ensure transparency regarding the collection and processing of your personal data. As part of our recruitment process, we require your explicit consent to collect, store, and process your personal information, including but not limited to your resume, contact details, professional experience, and other relevant data. This data will be used solely for recruitment and hiring purposes in accordance with our privacy policy and applicable data protection regulations. Your information will be stored securely and will not be shared with third parties without your consent. By submitting your application, you agree to the collection and processing of your personal data for the purposes stated above. You may withdraw your consent at any time by contacting us at [email protected].
