Vice President Information Security

Vulcan Materials Company, Birmingham, AL 35202

Posted 2 months ago

Relocation to Birmingham, Alabama Required

Build Your Career. Build America's Future.

Vulcan Materials Company is the nation's largest producer of construction aggregates and a major producer of aggregates-based construction materials, including asphalt and ready-mixed concrete. When you join Vulcan, it's more than starting an exciting career - you get to make a difference for millions of people every day across the country.

When you join Vulcan, you join a dynamic culture in which career development is encouraged, excellence is rewarded, and diversity is valued. No matter the role or the location across the country, every member of the Vulcan team lives through the Vulcan Way: doing the right thing, the right way, at the right time.

Based in Birmingham, Alabama

The Vice President of Information Security is responsible for establishing and maintaining the enterprise vision, strategy, architecture, and a multi-year roadmap that ensures that the company's information assets are protected. Key elements of this role are: communicating security at a strategic and tactical level and evangelizing security across the business to drive the adoption of security best practices and the impact of cybersecurity on the business; establishing a world-class information security capability in a growing company; proactively working with business and business partners to implement practices that meet policies and standards for cybersecurity; and leading a dedicated, high-performing team and external managed service providers. This position reports to the CIO.

What You'll Do:

  • Ensure that Vulcan Materials Company's information assets are adequately protected.

  • Work with the senior leaders across the business to assess and communicate acceptable levels of risk.

  • Identify, evaluate, and report on information security risks, practices, and projects and provide subject matter expertise on security standards and best practices (e.g., NIST, Dodd-Frank, SOX, PCI, etc.).

  • Develop, mentor, and manage a high-performing staff of information security professionals.

  • Support the Chief Information Officer in developing the Board's understanding of security beyond a 'compliance-only' view and transition to information security as a business advantage.

  • Lead the development of up-to-date information security policies, procedures, standards, and guidelines, and oversee their approval, dissemination, and maintenance.

  • Ensure that the security management program is in compliance with applicable laws, regulations, and contractual requirements.

  • Develop and enhance an up-to-date cybersecurity management framework based on the following: National Institute of Standards and Technology (NIST) Cyber Security Framework, COBIT/Risk IT, and Secure Controls Framework (SCF).

  • Act as the champion for the enterprise information security program and foster a security-aware culture.

  • Oversee the evaluation, selection, and implementation of information security solutions that are innovative, cost-effective, and minimally disruptive.

  • Partner with enterprise and solutions architects, infrastructure, and applications teams to ensure that technologies are developed and maintained according to security policies and guidelines.

  • Manage regular intrusion detection and vulnerability reporting, internal and external IT audit reviews, and the coordination of all required fixes.

  • Develop business metrics to measure the effectiveness of the security management program, and increase the maturity of the program over time.

  • Monitor the industry and external environment for emerging threats and advise relevant stakeholders on appropriate courses of action.

  • Liaise with law enforcement and other advisory bodies as necessary to ensure that the organization maintains a strong security posture.

  • Oversee incident response planning and the investigation of security breaches, and assist with any associated disciplinary, public relations, and legal matters.

  • Oversee and lead the creation, communication, and implementation of a process for managing vendor risk and other third-party risk.

  • Lead due diligence and post-integration activities related to information security for all M&A activity.

  • Work with procurement to ensure that cybersecurity requirements are included in contracts by liaising with legal and procurement organizations.

  • Direct the creation of a targeted cybersecurity awareness training program.

  • Provide clear risk-mitigating directives for projects with components in IT, including the mandatory application of controls.

  • Assist with the identification of non-IT managed IT services in use ("shadow IT") and facilitate a corporate IT onboarding program to bring these services into the scope of the IT function.

  • Build and nurture external communication consisting of industry peers, ecosystem partners, vendors, and other relevant parties to address common trends, findings, incidents, and cybersecurity risks.

  • Collaborate and liaise with the data privacy office to ensure that data privacy requirements are included where applicable.

  • Demonstrate responsibility and ownership for data privacy from an IT and systems perspective.

  • Identify and manage the remediation of vulnerabilities across all IT systems and assets.

  • Ensure that security is embedded in the project delivery process by providing the appropriate cybersecurity policies, practices, and guidelines.

  • Develop and implement comprehensive data loss prevention (DLP) strategies and policies to safeguard sensitive information across the organization.

  • Monitor and analyze network traffic, user behavior, and data movement to proactively identify potential insider threats and security breaches.

  • Collaborate closely with IT, security, and legal teams to investigate and respond promptly to security incidents and insider threats.

  • Conduct regular risk assessments and security audits to identify vulnerabilities and gaps in data protection measures, ensuring continuous improvement.

  • Manage and optimize rules and policies related to CASB, email DLP, and USB protections to enhance data security effectiveness.

  • Stay abreast of the latest security threats, vulnerabilities, and best practices in data loss prevention and insider threat detection, integrating new knowledge into existing strategies.

  • Identify potential security risks through comprehensive risk assessments, analyze their impact, and develop robust mitigation strategies to address them.

  • Own policies related to IT security and ensure they are reviewed and updated in a timely manner.

  • Conduct security audits and assessments of cloud-based systems regularly to ensure compliance with security policies, standards, and industry regulations.

  • Lead incident response and management efforts by developing and maintaining an incident response plan and procedures, coordinating investigations, and minimizing the impact of security incidents.

  • Provide expert security recommendations, advising on best practices, configurations, and enhancements to cloud infrastructure, applications, and services.

  • Collaborate with cross-functional teams, including IT, development, and business units, to evaluate security risks, develop remediation plans, and ensure secure deployment and configuration of cloud resources.

  • Expand data classification/data retention rules to ensure compliance with data privacy requirements.

  • Develop and deliver security awareness training and educational materials to foster a culture of security best practices among employees.

  • Maintain comprehensive incident reporting and documentation, analyzing root causes of security incidents, preparing detailed reports, and making recommendations for improvement based on lessons learned.

Skills You'll Need:

  • BA, BS, or Master's degree in computer science, engineering, or a related field (graduate degree preferred).

  • Minimum 10 years of IT and/or business leadership experience, and 5 years of information security/cybersecurity experience.

  • A proven track record in developing information security policies and procedures, data loss prevention technologies, network security, encryption, data classification, and successful execution.

  • Comprehensive understanding of regulatory requirements and industry standards related to data protection and privacy (e.g., CCPA, HIPAA, PCI, PI, DSS).

  • Familiarity with security frameworks (e.g., NIST, CIS), industry regulations (e.g., CCPA), and compliance requirements.

  • Extensive knowledge of business risk, risk assessment, and risk-based decision-making.

  • Able to communicate security, privacy, and risk-related concepts to both technical and non-technical audiences (in business terms), including board level.

  • A natural influencer and coalition builder; passionate about building high-performing teams.

  • Ability to inspire and motivate cross-functional, interdisciplinary teams to achieve tactical and strategic goals; an innovative leader, problem solver, and consultant.

  • Ability to evangelize IT security to make it a critical part of business operations; build trust and respect for the security function.

  • Experienced with contract and vendor negotiations.

  • Demonstrated experience and success in senior leadership roles in risk management, cybersecurity, and IT or OT security.

  • Knowledge of security, risk, and control frameworks and standards such as ISO 27001 and 27002, SANS-CAG, NIST, FISMA, COBIT, COSO, and ITIL.

  • Knowledge and understanding of relevant legal and regulatory requirements, such as the Sarbanes-Oxley Act (SOX), SEC Cybersecurity risk, privacy, and incident disclosures, California Consumer Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry/Data Security Standard.

  • Knowledge of security incident response, threat intelligence, and security monitoring tools.

  • Excellent analytical and problem-solving skills, with the ability to interpret complex data and identify anomalous behavior.

  • Understanding of cloud, SaaS, and IoT architectures, and their implications on information security strategy.

  • Technical acumen including but not limited to: OSI, IT infrastructure, cloud, application development languages, tools and frameworks, database technologies, web technologies, next-gen mobile, network architecture, enterprise architecture, and directory services.

  • Security technology acumen and experience including but not limited to firewall, intrusion detection, cyber-attack tools and defenses, encryption, certificate authority, web filtering, anti-malware, anti-phishing, identity and access management, and multi-factor authentication.

  • Professional certifications preferred, such as CISSP, CISM, and CISA.

  • Proficiency in data analytics and reporting.

What You'll Like About Us:

Great Company Culture. Our people share a competitive drive for excellence in an environment of trust, teamwork, open-mindedness, and communication.

Safe. Industry leader in health and safety standards. We are committed to creating a safe work environment and protecting all employees and customers.

Meaningful Work. What sets us apart is that the work we do impacts daily lives - and every employee contributes. The aggregates we produce are used to build roads, schools, hospitals, airports, and housing throughout the United States.

Health Benefits. Medical, Dental, and Vision programs, plus much more.

Rest and Relaxation. Paid vacation, personal floating days, and paid holidays.

Prepare for the Future. 401(k) with company match and contribution.

Training and Development. We see our development programs and helping our employees meet their goals as a key part of our business.

Vulcan Materials Company is committed to employing a diverse workforce. You will receive consideration without regard to race, color, religion, sex, national origin, age, sexual orientation, gender identity, gender expression, veteran status, or disability. You also have the right to be free from discrimination for medical needs arising from pregnancy, childbirth, or related medical conditions.

