Information Technology Cybersecurity Lead

Carollo Engineers is an internationally recognized environmental engineering firm that specializes in the planning, design, and construction of water and wastewater facilities. We are seeking an Information Technology Cybersecurity Lead. The Cybersecurity Lead will help guide the overall planning, assessment, implementation, administration, operation, and continuous evaluation of the organization’s security and risk/audit programs. This role oversees the security of data and information assets across all infrastructure systems, applications, and internal IT projects, with a focus on security architecture, risk assessment, testing, auditing, and vulnerability assessment. The ideal candidate will possess comprehensive expertise in all facets of IT Security, demonstrate consultative problem-solving abilities, and have a genuine passion for technology, consistently staying updated with the latest developments. This individual will excel in collaborating with team members across various departments, actively listening to and understanding their needs, and exhibiting a high level of responsiveness.

At Carollo you’ll make an impact at an organization that does meaningful work, fosters a collaborative team culture, and creates a diverse, inclusive environment where you feel like you belong. You’ll work alongside a collaborative and dynamic team of professionals that is truly passionate about our work. Carollo’s vision is to be the BEST water consulting firm and you’ll find that Carollo is also the best place for you to build your career.

• Develop and oversee the implementation of process, procedure, and documentation programs designed to instill and enhance overall data and information security.
• Conduct risk assessments, evaluate alternative strategies, develop recommendations, and ensure responsive communication with business representatives, security management, and third-party vendors.
• Provide technical expertise and guide the administration of security tools that control and monitor information security and ensure Data Loss Prevention, Role Based Access Controls, and Identity Management.
• Develop, direct, and improve the Data Protection (DP) and Data Loss Prevention (DLP) programs and associated governance activities including metrics, issue tracking and remediation, and programs supporting Client policies and standards.
• Develop and maintain appropriate response playbooks, facilitate routine exercises, and ensure a sound communication process for all cyber risk/threat events.
• Provide application and data security solutions to business units, and project teams that enhance the ability to conduct business transactions in a secure manner.
• Analyze application security needs based on the sensitivity or proprietary nature of the data, and ensure that all systems are utilized for management-approved purposes only.
• Work with IT Leadership and Management to develop and execute Cyber Risk and Security strategy. Assist management in defining and setting appropriate, implementable policies.
• Collaborate with IT groups (Technical Support, Applications, Infrastructure, Tools, etc.) for planning, designing, and testing on projects and initiatives.
• Lead overall project initiative(s) and assist in planning, implementing, and testing company BC/DR efforts including, where appropriate, partnering with other IT functional leads and external service providers.
• Assist in the development, maintenance and publishing of all corporate-level information security standards, procedures and guidelines, including compliance monitoring procedures; assist in resolving security policy issues and implementing security procedures.
• Research, evaluate, recommend, plan implementation of, and test new or improved information security software or devices; Analyze new or enhanced software application or tool implementations for impacts to existing security software and devices.
• Communicate unresolved security exposures as well as misuse or noncompliance situations to management; Recommend, and implement remedial measures
• Participate in investigations of suspected information security issues or in compliance reviews as requested by auditors.
• Develop and deliver security guidance and training (security awareness) to technical staff members. Perform security program presentations, both internally and externally as needed; Serve as an expert security resource to the company at large and provide security consultative support as required.
• Review to outline improvements for Litigation Hold and eDiscovery-related data audit and collection requirements stemming from Carollo Legal/Risk Management Services
• Updates job knowledge by participating in educational opportunities, reading professional publications, maintaining personal networks, participating in professional organizations, coordinating hardware and software evaluations with vendors.

Required Skills

• Demonstrated experience in designing and implementing enterprise-class security solutions; Ability to translate the information security domain to IT and business domains, as well as communicate complex technologies in a clear and concise manner.
• Design, architecture, and implementation of centralized security technology solutions at mid/large enterprises; operations experience in identity management, key management, or other security domains.
• Leadership role in the development or delivery of information security services and in-depth knowledge of key information security domains, including authentication, authorization, access control and encryption.
• Knowledge of industry standards and frameworks (e.g. ISO/IEC, NIST, and CMMC); Project Management skills and experience mapping and securing business processes / data flows.
• Must be fully knowledgeable and able to design, plan, and support deployment efforts around IT security solutions using four or more of the following technologies -
  • Network Security, End Point & Mobile Security, Virtualization Security, Identity & Access Management, Security Management and Operations, Encryption & VPN, Application Security (including web and database), Anti-Malware Solutions, Web & Email Gateways, and Single Sign On (SSO).
• Experience in Information Security Incident Response, IaaS/SaaS environments, and broad understanding of all aspects of IT and enterprise systems interoperability.
• Strong knowledge and real-world expertise in all Microsoft technologies and solutions including but not limited to Windows Server 200x/201x, Active Directory, Domain Controller, System Center (SCCM), File Servers, DFS, Azure, Office365, etc.
• Strong knowledge in Windows-based authentication and authorization services, Group Policy (GPO) for enterprise, server, and workstation groups based on AD/OU sets.
• Superior understanding of, and expertise in Windows-based AD environments, AD Domain Service, and ADFS including support for Single Sign On (SSO) requirements for 3rd party and internal applications.
• Understanding of TCP/IP, SNMP, SMTP, SSL, SSH, DNS, DHCP, LDAP, Samba and Kerberos concepts, enterprise LAN, WAN including broad-based internet and MPLS & SD-WAN networks.
• Knowledge of routing protocols and experience with vendor technologies from Fortinet and Cisco is a plus.
• Experience with enterprise monitoring tools/applications.
• Experience with web/content filtering products, and anti-spam/anti-virus solutions.
• Experience in designing and implementing security controls using native Microsoft Windows tools and 3rd party solutions.

Required Experience

• • 10-12 years of direct, related experience in IT Security with 4-5 years of progressively increasing responsibilities (Security Architect to Security Lead roles).
  • One or more of industry-recognized security certifications such as CISSP, SSCP, GIAC Security Expert (GSE), GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Analyst (GCFA) or CISM.
  • Relevant (significant) experience with cyber security programs, network and computing infrastructure, cloud architectures and implementations.
  • Expert understanding and ability to communicate specific business, technology, and enterprise cyber security requirements to appropriate groups; Excellent communicator at all levels of the organization.
  • Thought leadership capabilities in the evaluation of cyber security risks and mitigation solutions.
  • Demonstrated knowledge of network, application, platform, and database technologies and strong knowledge of infrastructure-related processes and controls.
  • Knowledge of related industry standards, frameworks, and best practices, such as NIST Cyber Security Framework, CMMC, and ISO27001 including associated regulatory requirements.
  • Demonstrated experience performing Risk assessments, Control assessments or Audits; working knowledge of Governance, Risk, and Compliance tools.

• 15 years or more total experience in IT and Cybersecurity
• CISSP or GSE certification.

$100,000 to $150,000 annually. This is the lowest to highest salary we in good faith believe we would pay for this role at the time of this posting. We may ultimately pay more or less than the posted range, and the range may be modified in the future. An employee’s pay within the salary range will be based on several factors including, but limited to, relevant education, qualifications, certifications, experience, skills, seniority, geographic location, performance, and business or organizational needs.

Carollo is committed to providing employees with a competitive, comprehensive benefits program that provides the care employees and their families need to lead healthy, productive lives. Carollo’s benefits package includes paid time off and holidays, comprehensive health insurance coverage, pre-tax savings account options for healthcare, dependent care and commuter expenses, disability insurance and life insurance options for you and your dependents. We also offer free Caregiver Support, Travel Assistance, counseling services and discount programs. Other compensation that may be available includes: 401(k) company contribution matching, tuition reimbursement, discretionary bonuses, career advancement bonuses, professional registration bonuses, employee referral bonuses, and compensatory time for exempt employees. Flexible work arrangements may also be available.