Head of Cybersecurity GRC

Job Location

Houston - USA

Monthly Salary

Not Disclosed

Vacancy

1 Vacancy

Job Description

Company Overview:

At Crescent, we are investors and operators delivering value to shareholders through a disciplined, returns-driven growth-through-acquisition strategy and consistent return of capital. Our long-life, balanced portfolio combines stable cash flows from low-decline production with deep, high-quality development inventory. Our activities are focused in Texas and the Rocky Mountain region.

Job Summary:

The Head of Cybersecurity & GRC is a senior leadership position responsible for safeguarding the organization's digital assets, operational infrastructure, and sensitive data across IT and OT environments. This role leads the strategy and oversight of the cybersecurity program and enterprise risk management framework, grounded in NIST CSF and aligned with upstream oil and gas business needs.

This leader will ensure that cybersecurity and compliance practices are embedded across the organization while enabling innovation and operational continuity. The ideal candidate brings a balance of technical expertise, strategic leadership, and deep upstream oil & gas experience, particularly with production, drilling, field operations, and industrial control systems (ICS/SCADA). This position will require continuous learning and ongoing stewardship and prioritization of resources to effectively align safeguards over technology components relative to the anticipated threat landscape. This individual will play a critical role in accelerating our journey toward becoming a data-driven, technology-enabled enterprise, especially in the context of the energy sector's transformation.

Key Responsibilities:

  • Cybersecurity Strategy & Operations:
    • Develop and lead the enterprise cybersecurity strategy with a strong foundation in the NIST Cybersecurity Framework (CSF).
    • Oversee security operations, incident response, vulnerability management, and threat intelligence for IT and OT environments.
    • Implement layered defense strategies including network segmentation, endpoint protection, identity and access management (IAM), and security monitoring (SIEM/SOAR).
  • Governance, Risk & Compliance (GRC)
    • Design and operate an enterprise GRC program to manage cyber, regulatory, operational, and third-party risk.
    • Lead compliance with relevant standards and regulations (e.g., NIST, SOX, TSA Pipeline Security Directives, SEC cyber disclosure, FERC, PHMSA).
    • Oversee internal/external audits, risk assessments, insurance questionnaires, and policy development, ensuring alignment with corporate and industry standards.
  • OT Security & Upstream Operations
    • Collaborate with operations, engineering, and field teams to secure industrial control systems (ICS), SCADA, and edge devices across upstream assets.
    • Establish risk-based security controls for field operations without compromising uptime or performance.
    • Build and foster OT cybersecurity awareness and partnerships across HSE, Production, Drilling, and Asset teams.
  • Leadership & Stakeholder Engagement
    • Serve as a trusted advisor to executive leadership on cyber risk, digital trust, and security investments.
    • Develop and lead a high-performing cybersecurity and GRC team spanning security engineering, compliance, risk, and awareness functions.
    • Build relationships across IT, Legal, Operations, and External Affairs to embed cybersecurity into core business processes and programs.
    • Facilitate regular cybersecurity and risk reporting to the Board Audit Committee, translating technical risks into business impact and ensuring executive alignment on risk posture and mitigation strategies.
    • Develop and foster external relationships with organizations and key contributors that support and may enhance the ongoing cybersecurity posture and overall operational resilience (e.g., ONE-ISAC, DHS, CISA, FBI, etc.).
  • Security Architecture & Technology Oversight
    • Oversee security architecture for cloud, on-prem, and hybrid environments, ensuring secure adoption of platforms like Snowflake, Azure, and SaaS tools.
    • Evaluate and implement cybersecurity tools, technologies, and services to strengthen the enterprise security posture.
    • Lead security reviews of new projects, platforms, and partnerships (M&A, joint ventures, field digitization efforts).
    • Coordinate and review the risk profiles associated with technology vendors and service providers (third & fourth party).

Qualifications & Experience:

  • Education:
  1. Bachelor's degree in Information Security, Computer Science, Engineering, or a related field is required. Master's degree is a strong plus.
  2. CISSP certification required. Additional certifications such as CISM, CRISC, CISA, or relevant GIAC; NIST CSF Implementation credentials are a strong plus.
  • Experience:
  1. 7 years of cybersecurity and/or GRC leadership experience, with a minimum of 5 years in a senior role overseeing enterprise programs.
  2. Deep understanding of upstream oil and gas operations, including field systems, SCADA, and industrial environments.
  3. Demonstrated success building and running security programs based on the NIST Cybersecurity Framework.
  4. Hands-on experience managing regulatory compliance and incident response in high-stakes operational settings.
  • Skills & Competencies:
  1. Strong knowledge of cyber risk management, threat modeling, incident handling, and security architecture.
  2. Deep understanding of the intersection of IT and OT cybersecurity in energy and industrial sectors.
  3. Proven ability to communicate risk to executive stakeholders, board members, and cross-functional leaders.
  4. Strategic thinker with a pragmatic, business-aligned approach to cybersecurity and compliance.

Work Environment & Physical Requirements:

  • Primarily office-based, with occasional travel to field offices and operational sites as needed.
  • Potential exposure to remote and high-risk environments, requiring adherence to safety protocols.
  • May involve walking, climbing, bending, or handling equipment during site visits.
  • Possible exposure to varying weather conditions (heat, cold, rain) while on-site at the field offices.
  • Availability for emergency response and incident management, including after-hours support when required.

Crescent Energy is an equal opportunity employer. All qualified applicants will be considered for employment without regard to race, color, religion, gender/pregnancy, gender identity or expression, sexual orientation, national origin, genetics, disability, age, veteran status, or any other legally protected status. Crescent Energy is also committed to compliance with all fair employment practices regarding citizenship and immigration status. If you require accommodation to complete the application process, please let us know by contacting Kimberly Kalsey at


Required Experience:

Director

Employment Type

Full-Time
