Third level of the Cybersecurity Governance & Risk Analyst classification hierarchy. Employees at this level solve more complex problems in multiple areas of specialization with general supervision.
Responsibilities
* Develop interpretations of Federal Compliance Programs (i.e. NERC CIP, TSA, DFARS) using a variety of inputs, such as regulatory guidance and industry benchmarking, to produce unambiguous descriptions of compliance obligations for internal stakeholders to use as guidance for implementation
* Develop modifications to the Federal Compliance Programs for cybersecurity policy that are triggered by new and/or changing Compliance Requirements, newly published guidance from regulators, and internal requests for improvements
* Prepare evidence and review reports on the results of internal reviews of compliance evidence, including categorization of findings and recommendations to be addressed
* Perform Evidence Reviews
* Support implementations of technologies to augment Duke Energy's Federal Compliance Programs to drive consistency, efficiency and sustainability in the pursuit of both compliance and operational goals
* Perform internal consulting with business area personnel to ensure that they understand, plan for and implement compliance requirements
* Perform training, change management and communication support for ongoing compliance activities
* Influence and improve awareness of new compliance requirements development through industry and regulatory interaction
* Demonstrates working knowledge of IT/OT and Cybersecurity policy, standards, processes, controls and functional areas in relation to the NIST framework and other industry accepted standards
* Competent in the use of IT/OT and Cybersecurity tools, procedures and research capabilities
* Monitor and evaluate the effectiveness of the enterprise's cybersecurity safeguards to ensure they provide the intended level of protection.
* Perform or assist in security reviews and identify security gaps in security architecture, resulting in recommendations for inclusion in the risk mitigation strategy.
* Perform, assist in and/or analyze cyber defense trend reporting
* Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation
* Assist in the assessment of the effectiveness of security controls
* Collaborate with Cybersecurity leadership and architects to make sure security technologies, processes and people align with Duke's strategic plan and budget
* Influence Duke's security standards, security baselines and performance metrics; plan and initiate periodic performance reviews for the cybersecurity architecture and assessment team and vendors
* Communicates with customers to understand compliance requirements
* Communicates problems and resolutions to manager and/or customers
* Provides input on process improvements to the IT/OT compliance program
* Communicate compliance information in a clear and concise manner
Required/Basic Qualifications
* Bachelor's degree in Cybersecurity or Other Related Degree
* 5 years related work experience
* In lieu of Bachelor's degree(s) AND 5 year(s) related work experience listed above: High School/GED AND 9 year(s) related work experience
Desired Qualifications
* Master's degree in Cybersecurity
* In addition to desired degree, 5 years related work experience
* CISA and/or CISSP
Additional Preferred Qualifications
* Experience in Cybersecurity, preferably with risk identification and management, audit and compliance, policy development and maintenance, evaluation of control requirements, security and related industry regulatory issues
* Knowledge in validating the organization against policies/guidelines/procedures/regulations/laws to ensure compliance
* Knowledge in reviewing service performance reports, identifying any significant issues and variances, initiating where necessary corrective actions and ensuring that all outstanding issues are followed up
* Ability to evaluate, analyze and synthesize large quantities of data (which may be fragmented and contradictory) into high quality fused targeting/intelligence products.
* Expert knowledge of Cybersecurity frameworks such as NIST
* Knowledge of risk management processes (e.g. methods for assessing and mitigating risk).
* Skill in developing security compliance processes and/or audits for external services (e.g. cloud service providers, data center)
* Participate in Risk Governance process to provide security risks, mitigations and input on other technical risks
* Works directly with customers, external contractors and vendors to ensure project goals are met and/or issues are escalated, classified and documented properly
* Interface with internal and external auditors for risk assessment
* Validate minimum security requirements are being followed according to Cybersecurity standards
* Review or conduct audits of information technology (IT) programs and projects
* Able to work effectively with defined direction
* Demonstrated ability to work independently with supervisory review and direction
* Demonstrated excellent listening and communication skills; able to present complex information in an understandable manner, both verbal and written, to peer levels within the organization and multiple levels within the organization as well as regulatory entities and other utility representatives
* Demonstrated ability to absorb change and continue with positive results
* Exhibits confidence and a proper level of assertiveness when needed; displays maturity in approach and ability to effectively handle stress and frustration
* Ensure that all acquisitions, procurements and outsourcing efforts address information security requirements consistent with organization goals.
* Skill in conducting audits or reviews of technical systems.
* Knowledge of laws, regulations, policies and ethics as they relate to cybersecurity and privacy.
* Knowledge of Personally Identifiable Information (PII) data security standards.
* Knowledge of Payment Card Industry (PCI) data security standards.
* Skill in performing impact/risk assessments.
* Skill in processing collected data for follow-on analysis.
* Provide input to the Risk Management Framework process activities and related documentation (e.g. system lifecycle support plans, concept of operations, operational procedures, and maintenance training materials).
* Review authorization and assurance documents to confirm the level of risk is within acceptable limits for each software application, system and network.
* Demonstrates good listening skills and puts forth the effort to understand others' points of view. Has the ability to manage confidential information with a high degree of integrity. Responds well to supervisors, is easy to challenge and develop, and is easily coachable. Able to work effectively with defined direction
* Perform cyber defense trend analysis and reporting.
* Skill in creating and utilizing mathematical or statistical models.
* Research current technology to understand capabilities of required system or network.
* Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements and procedures.
Working Conditions
* Hybrid Mobility Classification: Work will be performed from both remote and onsite locations after the onboarding period.
Required Experience:
Manager
Contract