Cyber and Data Security Manager

ERG is a research and consulting firm that provides a wide range of support to federal, state, and commercial clients. ERG offers multidisciplinary teams with nationally recognized skills in engineering, science, economics, public health, informational technology, and communications. We hire people with the best minds and then provide them with a vibrant and flexible environment in which to develop their careers. The qualified individual must be highly motivated with the skills to prioritize, perform, and communicate effectively in a fast-paced environment.

ERG is seeking an experienced Cyber and Data Security Manager with a minimum of 10 years working in IT security operations including 3+ years of hands-on experience implementing and maintaining controls under NIST SP 800-171 (CMMC Level 2) within a U.S. Government contractor environment where CUI is processed. The ideal candidate will be responsible for developing, maintaining and updating comprehensive compliance documents and procedures, for growing our security capabilities.

Job Description:

• Develop, maintain, and update comprehensive compliance documentation including System Security Plan (SSPs), Plans of Action and Milestones (POA&M), implement policies and procedures and other supporting artifacts to ensure adherence to security standards
• Collaborate with both internal resources as well as external consultants and auditors, to facilitate compliance reviews, assessments and gap analyses
• Prepare for and facilitate CMMC assessments, including self-assessments and third-party audits by Certified Third-Party assessor Organizations (C3PAO)
• Ensure that our information security assets, policies, and processes are reliable, available, provide confidentiality, and are generally safe from unauthorized use and intrusion
• Provide day-to-day security support around the infrastructure and procedures used to protect and secure Controlled Unclassified Information (CUI), including ERG's related computer systems, data, and network
• Perform risk analysis on threats, security alerts, and other suspicious systems or network activity
• Lead incident response efforts, including investigation, containment, and recovery
• Identify and analyze existing processes and procedures to meet new IT Security goals and objectives
• Evaluate security incidents to determine impact & escalate appropriately
• Monitor, aggregate, label, and manage artifacts related to the Security Program assessment and external audits
• Develop, document, and assist with implementing ISO 270001 and NIST/CMMC framework standards, procedures, processes, and guidelines
• Plan and monitor security measures for the protection of computer systems, networks, and information, including the use of Security Information and Event Management (SIEM) products
• Develop and deliver cyber-related training programs for employees and stakeholders
• Provide security awareness training on recognizing and reporting potential indicators of external insider threats
• Ensure integrity and security of company data
• Support ERG's Change & Configuration Control Board (CCB) through actions such as documenting change requests and participating in regular CCB meetings

Qualifications and Skills:

• Bachelor's degree in computer science, Cyber / Information Security, or a related field
• 10+ years working in IT security operations, including a minimum of 3 years in a Corporate IT environment, in a hands-on role dedicated to information security compliance, systems security, IT risk management, IT audit, or similarly related
• Must be able to obtain/maintain US DOD Security Clearance
• Experience in recommending and implementing policies and procedures to ensure adherence to security standards, including the requirements of NIST SP 800-171 and CMMC Level 2
• Demonstrated hands-on experience with NIST 800-171 and ISO 27001 Controls
• Experience performing security audits with specialized SIEM tools (i.e., CrowdStrike, Arctic Wolf, Microsoft Sentinel) in the following environments: Microsoft GCC High, Microsoft 365, Azure AD, and Virtual Desktop
• Ability to interpret technical vulnerability findings and work to develop and implement remediation plans
• Strong knowledge of enterprise Information Security pillars including Perimeter security, Identity Management and Governance, Privileged Account Management, Compliance, Penetration testing, Encryption, Cloud Security, Incident Response, Vulnerability Management
• Ability to effectively communicate security-related concepts to a broad range of technical and non-technical professionals
• Hybrid position, ideally within commuting distance of one of ERG's Massachusetts, Northern Virginia, or North Carolina offices for occasional meetings
• Excellent project and time management skills with the ability to plan, organize, and manage tasks on time with minimal supervision

A Plus If You Have:

• Certified CMMC Professional (CCP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISM), Certified Information Systems Manager (CISA), GIAC (Global Information Assurance Certification)/GSNA (GIAC Systems & Network Auditors) or other similar certification(s)
• Demonstrated experience with NIST 800-53, NIST CSF, SANS / CIS Top 20, FedRAMP, FISMA, GDPR
• Security clearance (active or recent expiration)

$150,000 - $200,000 a year

ERG offers competitive salaries and excellent benefits, including health and dental insurance, life insurance, long-term disability, educational benefits, FSAs, a generous 401k plan, profit sharing, an EAP, 11-20 paid vacation days per year, 10 paid holidays per year, 56 hours or more of sick leave (based on the state you work in) per year (pro-rated for part-time) and more. The salary range for all positions depends on the years and type of experience.

ERG is an equal opportunity employer and complies with all applicable EEOC regulations. All qualified applicants will receive consideration for employment without regard to age, race, color, religion, sex, sexual preference, national origin, disability, or status as a protected veteran.

Please be aware, the only authentic corporate domain for ERG is https://www.erg.com. ERG may, on occasion, screen applicants via telephone or video interviews via Skype, Teams, GoToMeeting, or another type of video platform. However, any candidate extended a job offer might be asked to meet in person with an ERG employee before providing confidential personal information associated with new employment. If you're a qualified individual with a disability or a disabled veteran, you have the right to request a reasonable accommodation if you are unable or limited in your ability to use or access ERG's online application process as a result of your disability. To request accommodation, please contact Human Resources via email at Resumes-Lex@erg.com or call (781) 674-7293.