Senior Engineer, Cybersecurity Program & Risk

About the position The SPLC is seeking a Senior Engineer of Cybersecurity Program & Risk who is passionate about social justice! The Cybersecurity Program & Risk Senior Engineer is responsible for developing, implementing, and maintaining the organization's cybersecurity program aligned with the NIST Cybersecurity Framework (CSF) 2.0. This position manages cybersecurity policies and procedures, facilitates risk and business impact workshops with business stakeholders, manages third-party security vendors, and coordinates incident response and business continuity planning. The role validates program effectiveness through external penetration testing and maturity metrics, ensuring the organizations cyber posture is continuously improved. This position does not include supervisory responsibilities but requires strong cross-functional collaboration with IT, business leaders, and external partners and may provide mentorship to more junior level staff. Who You Are Cybersecurity expert with hands-on experience designing, operating, and maturing enterprise security programs that align controls and practices to NIST CSF 2.0 and Zero Trust Architecture principles. Experienced in enterprise risk management, threat modeling and adversary analysis using frameworks such as MITRE ATT&CK and Microsoft STRIDE with focused on strong incident response and leading tabletop exercises and post-incident reviews. Comfortable managing vendors, MSSPs, penetration testing engagements, and third-party security reviews. Proactive, data-driven and metrics-focused collaborator, with the ability to translate technical risk into business-focused reporting while also looking for opportunities to reduce operational risk and streamline processes. Analytical mindset that looks is capable of examining the process and focuses on risk mitigation by calling out gaps in training or process, proposing solutions including tools or training, and constantly examining the process against the needs of SPLC. Mission, Vision & Values Alignment. Demonstrates an understanding of and a commitment to SPLC's mission, vision and values. Responsibilities • Develop, maintain, and enforce organizational cybersecurity policies, standards, and procedures. Align cybersecurity practices and controls with NIST CSF 2.0 and Zero Trust Architecture maturity goals. Facilitate business impact analyses (BIAs) and risk assessment workshops with stakeholders to prioritize risk treatment. • Maintain and track the enterprise cyber risk register. Coordinate external penetration tests and other independent assessments to validate program effectiveness. Monitor remediation of findings and report status to leadership. Evaluate threat risks using MITRE ATT&CK Framework, Microsoft STRIDE Framework, etc. • Accountable for managing day-to-day aspects of security vendor business relationships, ensuring alerts, reports, and SLAs are reviewed and validated. Oversee the cybersecurity awareness and phishing testing program delivered by training partners. Support vendor risk management reviews and ensure third-party security practices meet organizational standards. • Maintain and update incident response (IR) and business continuity planning (BCP) playbooks. Plan and coordinate tabletop exercises across IT and business units. Partner with IT operations and the MSSP during incident escalation and post-incident reviews. Identify/recommend/implement opportunities to streamline/automate protective posture and defensive responses to stay ahead of hackers who often use automated scripts that far surpass traditional manual cybersecurity measures. • Develop cybersecurity dashboards and maturity metrics to track progress against program objectives. Deliver prioritized quarterly risk and program updates to the CIO and leadership team. Translate technical risks into business-focused reporting for non-technical stakeholders. Monitor, measure, and evaluate efficacy of cybersecurity program elements/controls to eliminate/mitigate/reduce risk to business data/systems and ultimately business operations. • Perform other duties as required or assigned which are within the scope of the duties in this job classification. Requirements • Minimum 5 years of cybersecurity engineering governance, risk and compliance and vendor oversight; • One or more of the following certifications are required: CISSP, CISM, CRISC, CISA, or equivalent; and • High school diploma or GED. Apply tot his job