New

Senior Associate/Cybersecurity Consultant Due Diligence Advisory (Forensic Services practice)

Boston, MA, United States; Chicago, IL, United States; Dallas, Texas, United States; Houston, Texas, United States; New York, NY, United States; Oakland, CA, United States; Washington, DC, United States

About Charles River Associates

Charles River Associates is a leading global consulting firm that provides economic, financial, and business management expertise to major law firms, corporations and governments around the world. CRA advises clients on economic and financial matters pertaining to litigation and regulatory proceedings, and guides corporations through critical business strategy and performance-related issues. Since 1965, clients have engaged CRA for its combination of industry experience and rigorous, fact-based analysis that provide clients with clear, implementable solutions to complex business concerns.

Position Overview

CRA is seeking a Cybersecurity Consultant (Assessments / Due Diligence / Advisory) to support client engagements focused on evaluating and managing cybersecurity risk. In this role, you will lead and participate in client-facing assessments, including interviews, workshops, and executive readouts, while operating with a high degree of independence and confidence.

You will be responsible for translating client discussions into clearly defined engagement scopes and Statements of Work (SOWs), aligning deliverables with frameworks such as the NIST CSF and transaction-specific objectives.  This includes the ability to assess cybersecurity posture in transaction and investment contexts, distinguish material risks from broader program maturity gaps, and tailor findings to the needs of private equity, legal, and executive stakeholders. The role includes executing cyber due diligence and proactive security assessments through documentation review, stakeholder interviews, and control evaluation. The role may also support incident readiness reviews, tabletop exercises, and broader cyber resilience assessments to help clients evaluate preparedness, decision-making, and recovery capabilities before or after a cyber event. The role will also work closely with CRA’s incident response team to identify recurring risk themes and control gaps from active and recently closed matters, and help translate those observations into follow-on proactive engagements including gap assessments, tabletop exercises, resilience reviews, and broader security uplift efforts.

This position requires producing high-quality, client-ready reports that include prioritized findings, risk-based recommendations, and executive-level summaries. You will also support senior team members in proposal development and business development efforts, while bridging technical cybersecurity findings into clear business risk narratives for legal, private equity, and executive audiences. You will also contribute to the development of repeatable assessment methodologies, templates, and client-facing deliverables across CRA’s proactive cybersecurity service offerings.

The ideal candidate demonstrates a strong advisory mindset, the ability to independently manage client conversations, and the capability to connect multiple cybersecurity domains—including identity and access management, endpoint security, vulnerability management, backup and recovery, email security, and asset management—into a cohesive and defensible security program assessment. The ideal candidate should also be able to translate technical observations into clear business, legal, and transaction-oriented risk narratives for executive and client stakeholders.

Desired Qualifications

  • Experience:
    • Approximately 5–7 years of experience in cybersecurity consulting, advisory, or due diligence
    • Experience supporting cyber resilience assessments, incident readiness reviews, tabletop exercises, or related preparedness-focused engagements is a plus.
    • Experience collaborating with incident response, forensic, or crisis management teams to translate post-incident observations into proactive assessment, readiness, or remediation-focused engagements is a plus.
  • Client Presence & Communication:
    • Comfortable leading discussions with CIOs, IT Directors, and legal stakeholders
    • Strong ability to guide conversations, ask structured questions, and manage meetings effectively
    • Excellent executive communication skills with clear, concise, and unambiguous delivery
  • Scoping & Advisory Skills:
    • Experience drafting or contributing to Statements of Work (SOWs), engagement letters, and proposals
    • Ability to translate loosely defined client needs into structured deliverables and timelines
    • Strong commercial awareness, including understanding scope boundaries and identifying opportunities to expand engagements
    • Ability to tailor scopes and findings to transaction, diligence, or investment-focused objectives, including identifying issues that are likely to be material to legal, private equity, or executive decision-makers.
  • Report Writing:
    • Impeccable written communication skills, including grammar, structure, and formatting
    • Ability to produce logically consistent, defensible findings and recommendations
    • Experience delivering polished, client-ready cybersecurity risk reports
    • Ability to prioritize findings based on business impact, articulate critical versus lower-priority issues, and develop executive-ready narratives that support practical decision-making.
  • Cybersecurity Frameworks:
    • Strong working knowledge of:
      • NIST Cybersecurity Framework (primary)
      • Supporting frameworks such as CIS Benchmarks, ISO 27001, SOC 2 Type II, HIPAA, and HITRUST
    • Ability to map controls, identify gaps, and translate findings into business risk and impact
    • Ability to evaluate how controls operate together across governance, identity, endpoint, cloud, recovery, and monitoring layers as part of a broader security program or resilience assessment.
  • Technical & Domain Knowledge:
    • Broad understanding of core cybersecurity domains, including:
      • Identity & Access Management (e.g., Active Directory, Entra ID)
      • Endpoint security (e.g., EDR/MDR solutions such as CrowdStrike)
      • Vulnerability management tools (e.g., Tenable, Qualys)
      • Backup and recovery strategies (RTO/RPO, immutability)
      • Email security (phishing protection, DMARC, MFA)
      • Asset inventory, device management, and patch lifecycle practices
      • Comfort reviewing supporting documentation such as security policies and standards, architecture diagrams, control evidence, recovery procedures, and technical configurations in order to assess design and operating effectiveness.
    • Ability to connect these domains into a comprehensive security program narrative
  • Tooling Familiarity (Preferred):
    • Exposure to tools such as CrowdStrike, Tanium, Microsoft 365, Azure/Entra ID, and AWS.
    • Ability to evaluate and interpret tooling deployment, configuration, and coverage in an advisory context rather than operate as a dedicated implementation engineer.
  • Additional Qualifications:
    • Strong organizational and time management skills, with the ability to manage multiple workstreams simultaneously
    • High level of ownership, attention to detail, and ability to deliver work independently with minimal oversight
    • Ability to help develop reusable assessment content, templates, and client-ready materials that support scalable proactive service delivery across multiple engagement types.
  • Nice-to-Have:
    • Certifications such as CISSP, CISM, CISA, PMP, or similar

To Apply

To be considered for a position in the United States or Canada, we require the following:

  • Resume – please include current address, personal email and telephone number;
  • Cover letter – please describe your interest in CRA and how this role matches your goals.

If you are interested in applying for one of our international locations, please visit our Careers site to view and apply for available jobs.

Career Growth and Benefits 

  • CRA’s robust skills development programs, including a commitment to offering 100 hours of training annually through formal and informal programs, encourage you to thrive as an individual and team member. Beginning with research and analysis skill building, training continues with technical training, presentation skills, internal seminars, and career mentoring and performance coaching from an assigned senior colleague. Additional leadership and collaboration opportunities exist through internal firm development activities.
  • We offer a comprehensive total rewards program including a superior benefits package, wellness programming to support physical, mental, emotional and financial well-being, and in-house immigration support for foreign nationals and international business travelers.

Work Location Flexibility

CRA creates a work environment that enables our colleagues to benefit from being together in the office to best deliver on our promise of career growth, mentorship and inclusivity. At the same time, we recognize that individuals realize a range of benefits when working from home periodically. We currently expect that individuals spend at least 3 to 4 days a week working in the office (which may include traveling to another CRA office or to client meetings), with specific days determined in coordination with your practice or team.

Our Commitment to Equal Employment Opportunity

Charles River Associates is an equal opportunity employer (EOE). All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, disability, status as a protected veteran, or any other protected characteristic under applicable law.

 

 

 

Salary and other compensation

A good-faith estimate of the annual base salary range for this position is $130,000 - $152,500. Starting pay within this range may vary based on factors such as education level, experience, skills, geographic location, market conditions, and other qualifications of the successful candidate. This position may be eligible for additional bonus incentive compensation. CRA offers a comprehensive benefits package, subject to eligibility requirements, which may include: medical, dental, and vision insurance; 401(k) retirement plan with employer match; life and disability insurance; paid time off (vacation, sick leave, holidays); paid parental leave; wellness programs and employee assistance resources; and commuter benefits.

Create a Job Alert

Interested in building your career at Charles River Associates? Get future opportunities sent straight to your email.

Apply for this job

*

indicates a required field

Phone
Resume/CV*

Accepted file types: pdf, doc, docx, txt, rtf

Cover Letter

Accepted file types: pdf, doc, docx, txt, rtf


Education

Select...
Select...
Select...
Select...

Select...
Select...

Please indicate below any languages with which you have business-level fluency.

Select...
Select...
Select...
Privacy Notice *

CRA is committed to maintaining the accuracy, confidentiality and security of your personal information. CRA’s Privacy Notice describes the personal data that CRA collects from or about you, how it is used and with whom it is disclosed to. Please click to view CRA’s Privacy Notice, and acknowledge receipt.

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in Charles River Associates’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Select...
Select...
Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Select...

Voluntary Self-Identification of Disability

Form CC-305
Page 1 of 1
OMB Control Number 1250-0005
Expires 04/30/2026

Why are you being asked to complete this form?

We are a federal contractor or subcontractor. The law requires us to provide equal employment opportunity to qualified people with disabilities. We have a goal of having at least 7% of our workers as people with disabilities. The law says we must measure our progress towards this goal. To do this, we must ask applicants and employees if they have a disability or have ever had one. People can become disabled, so we need to ask this question at least every five years.

Completing this form is voluntary, and we hope that you will choose to do so. Your answer is confidential. No one who makes hiring decisions will see it. Your decision to complete the form and your answer will not harm you in any way. If you want to learn more about the law or this form, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

A disability is a condition that substantially limits one or more of your “major life activities.” If you have or have ever had such a condition, you are a person with a disability. Disabilities include, but are not limited to:

  • Alcohol or other substance use disorder (not currently using drugs illegally)
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, HIV/AIDS
  • Blind or low vision
  • Cancer (past or present)
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or serious difficulty hearing
  • Diabetes
  • Disfigurement, for example, disfigurement caused by burns, wounds, accidents, or congenital disorders
  • Epilepsy or other seizure disorder
  • Gastrointestinal disorders, for example, Crohn's Disease, irritable bowel syndrome
  • Intellectual or developmental disability
  • Mental health conditions, for example, depression, bipolar disorder, anxiety disorder, schizophrenia, PTSD
  • Missing limbs or partially missing limbs
  • Mobility impairment, benefiting from the use of a wheelchair, scooter, walker, leg brace(s) and/or other supports
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, multiple sclerosis (MS)
  • Neurodivergence, for example, attention-deficit/hyperactivity disorder (ADHD), autism spectrum disorder, dyslexia, dyspraxia, other learning disabilities
  • Partial or complete paralysis (any cause)
  • Pulmonary or respiratory conditions, for example, tuberculosis, asthma, emphysema
  • Short stature (dwarfism)
  • Traumatic brain injury
Select...

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.