The SPLC is seeking a Senior Engineer of Cybersecurity Program & Risk who is passionate about social justice!

The Cybersecurity Program & Risk Senior Engineer is responsible for developing implementing and maintaining theorganizations cybersecurity program aligned with the NIST Cybersecurity Framework (CSF) 2.0. This position managescybersecurity policies and procedures facilitates risk and business impact workshops with business stakeholders manages third-party security vendors and coordinates incident response and business continuity planning. The role validates program effectiveness through external penetration testing and maturity metrics ensuring the organizations cyberposture is continuously improved.

This position does not include supervisory responsibilities but requires strong cross-functional collaboration with IT business leaders and external partners and may provide mentorship to more junior level staff.

Who You Are

Cybersecurity expert with hands-on experience designing operating and maturing enterprise security programs that align controls and practices to NIST CSF 2.0 and Zero Trust Architecture principles.

Experienced in enterprise risk management threat modeling and adversary analysis using frameworks such as MITRE ATT&CK and Microsoft STRIDE with focused on strong incident response and leading tabletop exercises and post-incident reviews.

Comfortable managing vendors MSSPs penetration testing engagements and third-party security reviews.

Proactive data-driven and metrics-focused collaborator with the ability to translate technical risk into business-focused reporting while also looking for opportunities to reduce operational risk and streamline processes.

Analytical mindset that looks is capable of examining the process and focuses on risk mitigation by calling out gaps in training or process proposing solutions including tools or training and constantly examining the process against the needs of SPLC.

Mission Vision & Values Alignment. Demonstrates an understanding of and a commitment to SPLCs mission vision and values.

What Youll Do

Develop maintain and enforce organizational cybersecurity policies standards and procedures. Align cybersecuritypractices and controls with NIST CSF 2.0 and Zero Trust Architecture maturity goals. Facilitate business impact analyses (BIAs) and risk assessment workshops with stakeholders to prioritize risk treatment.

Maintain and track the enterprise cyber risk register. Coordinate external penetration tests and other independentassessments to validate program effectiveness. Monitor remediation of findings and report status to leadership. Evaluate threat risks using MITRE ATT&CK Framework Microsoft STRIDE Framework etc.

Accountable for managing day-to-day aspects of security vendor business relationships ensuring alerts reports and SLAs are reviewed and validated. Oversee the cybersecurity awareness and phishing testing program delivered by training partners. Support vendor risk management reviews and ensure third-party security practices meet organizational standards.

Maintain and update incident response (IR) and business continuity planning (BCP) playbooks. Plan and coordinatetabletop exercises across IT and business units. Partner with IT operations and the MSSP during incident escalation and post-incident reviews. Identify/recommend/implement opportunities to streamline/automate protective posture and defensive responses to stay ahead of hackers who often use automated scripts that far surpass traditional manual cybersecurity measures.

Develop cybersecurity dashboards and maturity metrics to track progress against program objectives. Deliver prioritized quarterly risk and program updates to the CIO and leadership team. Translate technical risks into business-focused reporting for non-technical stakeholders. Monitor measure and evaluate efficacy of cybersecurity program elements/controls to eliminate/mitigate/reduce risk to business data/systems and ultimately business operations.

Perform other duties as required or assigned which are within the scope of the duties in this job classification.

Minimum Qualifications

We are committed to equitable hiring practices therefore you must meet the minimum qualifications to be considered for the role.

• Minimum 5 years of cybersecurity engineering governance risk and compliance and vendor oversight;
• One or more of the following certifications are required: CISSP CISM CRISC CISA or equivalent; and
• High school diploma or GED.

Compensation & Benefits

This is an exempt role and the minimum starting salary is $112286 annually. Salary will be commensurate with experience.

Click here to view the benefits available to SPLC staff.

Where & How Youll Work

This role has the following work designation options:

• Local Remote: Will work remotely but is expected to attend work-related activities that occur at the SPLC offices or in the states in which the SPLC operates.
• Telework: Will work at an SPLC office at least three days per week and may work two days per week from an alternative work location.
• This position will report to the Director Cybersecurity.

Other Special Considerations

This job is performed under general office conditions and is not subject to any strenuous physical demands or dangerous conditions.

This position is represented by the Washington-Baltimore News Guild.

Disclaimer:

The statements herein are intended to describe the general nature and level of work being performed by the employee in this position. These statements are notintended to be construed as an exhaustive list of all responsibilities duties and skills required of a person in this position.

An Equal-Opportunity Employer with a Commitment to Diversity

Southern Poverty Law Center (SPLC) is proud to be an equal opportunity employer and as an organization committed to diversity and the perspective of all voices we considerapplicants equally without regard to age caregiver status color disability ethnicity gender gender expression gender identity marital status national origin on the basis ofgenetic information political affiliation pregnancy or veteran status.