The SPLC is seeking a Senior Engineer of Cybersecurity Program & Risk who is passionate about social justice!

The Cybersecurity Program & Risk Senior Engineer is responsible for developing, implementing, and maintaining the organization's cybersecurity program aligned with the NIST Cybersecurity Framework (CSF) 2.0. This position manages cybersecurity policies and procedures, facilitates risk and business impact workshops with business stakeholders, manages third-party security vendors, and coordinates incident response and business continuity planning. The role validates program effectiveness through external penetration testing and maturity metrics, ensuring the organizations cyber posture is continuously improved.

This position does not include supervisory responsibilities but requires strong cross-functional collaboration with IT, business leaders, and external partners and may provide mentorship to more junior level staff.

Who You Are

Cybersecurity expert with hands-on experience designing, operating, and maturing enterprise security programs that align controls and practices to NIST CSF 2.0 and Zero Trust Architecture principles.

Experienced in enterprise risk management, threat modeling and adversary analysis using frameworks such as MITRE ATT&CK and Microsoft STRIDE with focused on strong incident response and leading tabletop exercises and post-incident reviews.

Comfortable managing vendors, MSSPs, penetration testing engagements, and third-party security reviews.

Proactive, data-driven and metrics-focused collaborator, with the ability to translate technical risk into business-focused reporting while also looking for opportunities to reduce operational risk and streamline processes.

Analytical mindset that looks is capable of examining the process and focuses on risk mitigation by calling out gaps in training or process, proposing solutions including tools or training, and constantly examining the process against the needs of SPLC.

Mission, Vision & Values Alignment. Demonstrates an understanding of and a commitment to SPLC's mission, vision and values.

What You'll Do

Develop, maintain, and enforce organizational cybersecurity policies, standards, and procedures. Align cybersecurity practices and controls with NIST CSF 2.0 and Zero Trust Architecture maturity goals. Facilitate business impact analyses (BIAs) and risk assessment workshops with stakeholders to prioritize risk treatment.

Maintain and track the enterprise cyber risk register. Coordinate external penetration tests and other independent assessments to validate program effectiveness. Monitor remediation of findings and report status to leadership. Evaluate threat risks using MITRE ATT&CK Framework, Microsoft STRIDE Framework, etc.

Accountable for managing day-to-day aspects of security vendor business relationships, ensuring alerts, reports, and SLAs are reviewed and validated. Oversee the cybersecurity awareness and phishing testing program delivered by training partners. Support vendor risk management reviews and ensure third-party security practices meet organizational standards.

Maintain and update incident response (IR) and business continuity planning (BCP) playbooks. Plan and coordinate tabletop exercises across IT and business units. Partner with IT operations and the MSSP during incident escalation and post-incident reviews. Identify/recommend/implement opportunities to streamline/automate protective posture and defensive responses to stay ahead of hackers who often use automated scripts that far surpass traditional manual cybersecurity measures.

Develop cybersecurity dashboards and maturity metrics to track progress against program objectives. Deliver prioritized quarterly risk and program updates to the CIO and leadership team. Translate technical risks into business-focused reporting for non-technical stakeholders. Monitor, measure, and evaluate efficacy of cybersecurity program elements/controls to eliminate/mitigate/reduce risk to business data/systems and ultimately business operations.

Perform other duties as required or assigned which are within the scope of the duties in this job classification.

Minimum Qualifications 

We are committed to equitable hiring practices, therefore you must meet the minimum qualifications to be considered for the role.

• Minimum 5 years of cybersecurity engineering governance, risk and compliance and vendor oversight;
• One or more of the following certifications are required: CISSP, CISM, CRISC, CISA, or equivalent; and
• High school diploma or GED.

Compensation & Benefits

This is an exempt role, and the minimum starting salary is $112,286 annually. Salary will be commensurate with experience.

Click here to view the benefits available to SPLC staff.

Where & How You'll Work 

This role has the following work designation options:

• Local Remote: Will work remotely but is expected to attend work-related activities that occur at the SPLC offices or in the states in which the SPLC operates.
• Telework: Will work at an SPLC office at least three days per week and may work two days per week from an alternative work location.
• This position will report to the Director, Cybersecurity.

Other Special Considerations 

This job is performed under general office conditions and is not subject to any strenuous physical demands or dangerous conditions.

This position is represented by the Washington-Baltimore News Guild.

Disclaimer:

The statements herein are intended to describe the general nature and level of work being performed by the employee in this position. These statements are not intended to be construed as an exhaustive list of all responsibilities, duties, and skills required of a person in this position.

An Equal-Opportunity Employer with a Commitment to Diversity

Southern Poverty Law Center (SPLC) is proud to be an equal opportunity employer, and as an organization committed to diversity and the perspective of all voices, we consider applicants equally without regard to age, caregiver status, color, disability, ethnicity, gender, gender expression, gender identity, marital status, national origin, on the basis of genetic information, political affiliation, pregnancy, or veteran status.