Cybersecurity Manager
Civil & Environmental Consultants, Inc. · Coraopolis, PA · 3 wk ago
Information TechnologyFull-time
About the role
The Cybersecurity Manager will lead the establishment and maturation of CEC's information security program, focusing on NIST CSF 2.0 alignment and CMMC Level 1 compliance.
Responsibilities
- Lead the design, documentation, and implementation of CEC's enterprise cybersecurity program, using NIST CSF 2.0 as the guiding framework.
- Conduct a comprehensive policy gap analysis, develop, publish, and maintain a complete set of cybersecurity policies, standards, and procedures, and drive adoption across all 35+ offices and business units.
- Partner with the CIO, Legal, COO, and CEO to establish governance structures, define organizational risk tolerance, and align security investments with business objectives.
- Create and maintain a formal cybersecurity roadmap with prioritized initiatives, measurable success metrics, and executive-level reporting.
- Lead CEC's CMMC Level 1 compliance initiative, coordinating requirements across IT, operations, and legal to achieve successful annual self-attestation and SPRS submission by end of 2027.
- Conduct and maintain a structured cybersecurity risk register; lead periodic risk assessments and develop actionable remediation plans.
- Monitor the evolving regulatory and threat landscape relevant to the AEC industry and advise leadership on required responses.
- Support internal and external audit activities related to information security and data protection.
- Collaborate with Legal on data privacy obligations, contractual security requirements, and third-party data handling agreements.
- Evaluate CEC's current security controls, tools, and processes; identify gaps and recommend improvements across on-premises, cloud (Microsoft Azure/M365), and hybrid environments.
- Oversee a vulnerability management program including regular scanning, risk-based prioritization, and remediation tracking.
- Develop, document, and exercise an incident response plan; lead tabletop exercises and post-incident reviews to strengthen organizational readiness.
- Manage third-party and vendor risk assessments, ensuring security requirements are reflected in contracts and vendor management practices.
- Design and deliver a company-wide security awareness and training program tailored to staff roles and risk profiles across all office locations.
- Serve as CEC's primary cybersecurity subject matter expert and advisor to business units, project teams, and executive leadership.
- Champion a culture of security awareness, shared accountability, and continuous improvement across the organization.
Requirements
- Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or a related field; additional experience may be substituted.
- 6+ years of progressive experience in cybersecurity or information security, with demonstrated experience building or maturing a formal security program within an enterprise environment.
- Strong working knowledge of the NIST Cybersecurity Framework (CSF 2.0) and hands-on experience applying it in a real-world organizational context.
- Working knowledge of CMMC Level 1 requirements, the FAR 52.204-21 basic safeguarding controls, and the annual self-attestation and SPRS submission process.
- Experience conducting risk assessments, developing information security policies and standards, and managing vulnerability management programs.
- Strong interpersonal, written, and oral communication skills; demonstrated ability to translate complex technical and regulatory concepts into clear, actionable guidance for executive and non-technical audiences.
- Effective prioritization and project management skills with the ability to manage multiple concurrent initiatives with a high degree of autonomy.
Preferred
- Relevant professional certifications CISSP, CISM, CRISC, or equivalent.
- Familiarity with Microsoft security tools and other common solutions including Sophos MDR, Mimecast, Tenable IO, Microsoft Defender, Azure Security Center, Entra ID / Conditional Access, Purview, and M365 compliance features.
- Experience working in or providing security services to a professional services, engineering, or AEC-sector firm.
- Experience with the DoD’s SPRS system and CMMC ecosystem, including C3PAO relationships and third-party assessment readiness (relevant for future Level 2 aspirations).