Senior Associate/Cybersecurity Consultant Due Diligence Advisory (Forensic Services practice)
Charles River Associates · Oakland, CA · 2 days ago
Information Technology$130k–$153k/yrInternship
About the role
CRA is seeking a Cybersecurity Consultant (Assessments / Due Diligence / Advisory) to support client engagements focused on evaluating and managing cybersecurity risk. In this role, you will lead and participate in client-facing assessments, including interviews, workshops, and executive readouts, while operating with a high degree of independence and confidence.
Responsibilities
- Lead and participate in client-facing assessments, including interviews, workshops, and executive readouts.
- Translate client discussions into clearly defined engagement scopes and Statements of Work (SOWs), aligning deliverables with frameworks such as the NIST CSF and transaction-specific objectives.
- Audit cybersecurity posture in transaction and investment contexts, distinguish material risks from broader program maturity gaps, and tailor findings to the needs of private equity, legal, and executive stakeholders.
- Execute cyber due diligence and proactive security assessments through documentation review, stakeholder interviews, and control evaluation.
- Support incident readiness reviews, tabletop exercises, and broader cyber resilience assessments to help clients evaluate preparedness, decision-making, and recovery capabilities before or after a cyber event.
- Work closely with CRA’s incident response team to identify recurring risk themes and control gaps from active and recently closed matters, and help translate those observations into follow-on proactive engagements including gap assessments, tabletop exercises, resilience reviews, and broader security uplift efforts.
- Produce high-quality, client-ready reports that include prioritized findings, risk-based recommendations, and executive-level summaries.
- Support senior team members in proposal development and business development efforts, while bridging technical cybersecurity findings into clear business risk narratives for legal, private equity, and executive audiences.
- Contribute to the development of repeatable assessment methodologies, templates, and client-facing deliverables across CRA’s proactive cybersecurity service offerings.
Requirements
- Approximately 5–7 years of experience in cybersecurity consulting, advisory, or due diligence.
- Experience supporting cyber resilience assessments, incident readiness reviews, tabletop exercises, or related preparedness-focused engagements is a plus.
- Experience collaborating with incident response, forensic, or crisis management teams to translate post-incident observations into proactive assessment, readiness, or remediation-focused engagements is a plus.
Qualifications
- Client Presence & Communication: Comfortable leading discussions with CIOs, IT Directors, and legal stakeholders; Strong ability to guide conversations, ask structured questions, and manage meetings effectively; Excellent executive communication skills with clear, concise, and unambiguous delivery.
- Scoping & Advisory Skills: Experience drafting or contributing to Statements of Work (SOWs), engagement letters, and proposals; Ability to translate loosely defined client needs into structured deliverables and timelines; Strong commercial awareness, including understanding scope boundaries and identifying opportunities to expand engagements; Ability to tailor scopes and findings to transaction, diligence, or investment-focused objectives, including identifying issues that are likely to be material to legal, private equity, or executive decision-makers.
- Report Writing: Impeccable written communication skills, including grammar, structure, and formatting; Ability to produce logically consistent, defensible findings and recommendations; Experience delivering polished, client-ready cybersecurity risk reports; Ability to prioritize findings based on business impact, articulate critical versus lower-priority issues, and develop executive-ready narratives that support practical decision-making.
- Cybersecurity Frameworks: Strong working knowledge of: NIST Cybersecurity Framework (primary); Supporting frameworks such as CIS Benchmarks, ISO 27001, SOC 2 Type II, HIPAA, and HITRUST; Ability to map controls, identify gaps, and translate findings into business risk and impact; Ability to evaluate how controls operate together across governance, identity, endpoint, cloud, recovery, and monitoring layers as part of a broader security program or resilience assessment.
- Technical & Domain Knowledge: Broad understanding of core cybersecurity domains, including: Identity & Access Management (e.g., Active Directory, Entra ID); Endpoint security (e.g., EDR/MDR solutions such as CrowdStrike); Vulnerability management tools (e.g., Tenable, Qualys); Backup and recovery strategies (RTO/RPO, immutability); Email security (phishing protection, DMARC, MFA); Asset inventory, device management, and patch lifecycle practices; Comfort reviewing supporting documentation such as security policies and standards, architecture diagrams, control evidence, recovery procedures, and technical configurations in order to assess design and operating effectiveness.
- Tooling Familiarity (Preferred): Exposure to tools such as CrowdStrike, Tanium, Microsoft 365, Azure/Entra ID, and AWS; Ability to evaluate and interpret tooling deployment, configuration, and coverage in an advisory context rather than operate as a dedicated implementation engineer.