Cybersecurity Engineer

Job Location:

Madison, OH - USA

Monthly Salary: USD 500 - 500
Posted on: 30+ days ago
Vacancies: 1 Vacancy

Job Summary

Summary/Objectives

The Cybersecurity Engineer partners directly with clients to design, implement, and sustain practical, audit-ready programs across compliance frameworks (emphasis on CMMC Level 2). The role blends client advisory with hands-on control implementation: conducting gap assessments, building and maintaining core documentation (SSP, POA&M, risk register, policies), guiding evidence collection in a GRC platform, and working closely with Service Desk and Engineering to plan and execute remediation. As the team's specialist, this role will often own complex compliance-driven fixes end-to-end - from scoping and change control through validation and evidence capture - while enabling repeatable runbooks that frontline teams can execute going forward.

Essential Functions

Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

  • Lead readiness efforts across compliance frameworks, including scoping boundaries, data flows, asset inventories, and inherited controls.
  • Be the face of the compliance practice to our clients, assisting them with compliance readiness.
  • Help grow the compliance portion of our business by providing pre-sales support and by defining and delivering services.
  • Develop and maintain compliance artifacts (SSP, POA&M, risk register, policies and procedures, incident response plan, configuration baselines, vendor risk documents).
  • Guide clients through GRC workflows: control mapping, evidence plans, test steps, due dates.
  • Translate requirements into technical hardening with Engineering (for example, Microsoft 365 and Entra ID, Conditional Access and MFA, Defender and Intune, PIM and least privilege, logging and SIEM, backup and BCDR, endpoint baselines).
  • Plan and coordinate remediation packages with Service Desk tiers and Engineering and Projects - defining scope, risk, change windows, rollback, and validation criteria.
  • Execute remediation directly when appropriate, especially for complex or high-risk controls.
  • Create operational runbooks and playbooks for repeatable compliance fixes and train Service Desk and Engineering on execution and escalation paths.
  • Validate and evidence outcomes post-remediation.
  • Establish metrics and scorecards (for example, control maturity, open finding aging, patch SLAs, policy adoption, and - where applicable - NIST 800-171 and SPRS scoring) and present progress to client and internal leadership.
  • Coach stakeholders (IT, Security, HR, Legal, Procurement, Leadership) on roles, governance cadence, risk acceptance, exceptions, and continuous improvement.
  • Prepare for assessments and audits (mock interviews, sampling, evidence quality assurance, assessor Q and A practice, corrective action planning).
  • Maintain documentation quality - templates remain current, version-controlled, and aligned to evolving guidance and regulations.
  • Support incident readiness (tabletops, roles, evidence preservation, log retention, and time sync) and drive after-action improvements.
  • Advise pre-sales and SOW scoping, and contribute to proposals, level-of-effort estimates, and statements of applicability.
  • Pursue continuing education and share updates on framework changes, assessor expectations, and technology and security best practices.

Supervisory Responsibility

No direct reports. Acts as a specialist and escalation point for compliance-driven remediation, and may mentor junior analysts and engineers and lead cross-functional project teams for client engagements.

Work Environment

Hybrid or remote professional environment with periodic on-site client visits (office, light industrial, and public-sector facilities). Routine use of computers, phones, conferencing tools, and standard office equipment. Occasional access to secure areas or data centers per client policy.

Physical Demands

Ability to remain in a stationary position for extended periods, operate a computer, and communicate effectively. On client visits, ability to walk facilities, climb short ladders or stairs, and occasionally lift up to 25 lbs (for example, endpoint or network equipment) for control validation or device inventory.

Position Type/Expected Hours of Work

Full-time, exempt. Core hours typically 8:00 a.m.-5:00 p.m. Central, with flexibility for client time zones and change windows. Occasional evening or weekend work during assessments, cutovers, or incident support.

Travel

Up to 10% travel on average (maximum), primarily within the Southeastern U.S., with occasional national travel for assessments, training, or conferences.

Required Education and Experience

  • 2 or more years building or operating security and compliance programs aligned to compliance frameworks. Experience with CMMC Level 2 in regulated environments required.
  • Demonstrated experience producing SSPs, POA&Ms, risk registers, policies and procedures, evidence plans, and control tests.
  • Proficiency with at least one major GRC platform, including control mapping and evidence workflows.
  • Familiarity with Microsoft 365 and Entra ID security (Conditional Access and MFA, PIM and least privilege), Defender and Intune, DLP and Purview, endpoint hardening, logging and SIEM concepts, and backup and BCDR fundamentals.
  • Strong consulting skills: discovery, facilitation, clear writing, executive-level briefings, expectation-setting, and change management.

Preferred Education and Experience

  • One or more relevant credentials: CMMC-AB Certified Professional, ISO 27001 Lead Implementer or Lead Auditor, CISSP or CISM, Security Plus or CySA Plus or CASP Plus, Microsoft SC-400 or AZ-500, GIAC GCCC, or similar.
  • Experience preparing organizations for third-party assessments (C3PAO or other assessor interviews, sampling, corrective action plans).
  • Exposure to additional frameworks (for example, HIPAA, PCI, ISO 27001) for cross-mapping and harmonization.

Work Authorization/Security Clearance (if applicable)

  • Must be authorized to work in the United States.
  • Ability to pass background checks, including CJIS screening and fingerprinting, where required.
  • U.S. citizenship may be required for certain client engagements involving controlled information.

AAP/EEO Statement

RJ Young provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.

This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.

Other Duties

Please note that the job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.

Key Skills

  • ASP.NET
  • Health Education
  • Fashion Designing
  • Fiber
  • Investigation

About Company

RJ Young partners with organizations to provide innovative office & IT technology, helping them streamline operations, boost productivity, and security.