Cybersecurity Manager

Civil & Environmental Consultants, Inc.

$100K — $130K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or related field (or equivalent experience)
  • 6+ years in cybersecurity, preferably with experience in developing an enterprise security program
  • Strong expertise with NIST Cybersecurity Framework (CSF 2.0) and practical application
  • Working knowledge of CMMC Level 1 requirements and associated compliance processes
  • Experience in risk assessments and developing information security policies
  • Excellent communication skills, able to simplify complex topics for non-technical audiences
  • Effective project management skills with ability to handle multiple initiatives autonomously

Responsibilities

  • Design and implement CEC's cybersecurity program using NIST CSF 2.0
  • Conduct initial policy gap analysis and create comprehensive cybersecurity policies
  • Collaborate with executive team to establish governance structures and align security investments
  • Develop cybersecurity roadmap with prioritized initiatives and success metrics
  • Lead CMMC Level 1 compliance initiative and coordinate requirements across departments
  • Maintain a structured cybersecurity risk register and conduct regular assessments
  • Evaluate current security controls and identify areas for improvement across diverse environments

Benefits

  • Work with executive leadership to shape the cybersecurity landscape of the organization
  • Opportunity to build a cybersecurity program from the ground up
  • Engaged in a mission-driven environment with opportunities for impactful contributions
  • Exposure to a variety of cybersecurity frameworks and compliance requirements
  • Potential for professional growth and development within the organization

Full Job Description

Overview

As CEC's first dedicated cybersecurity professional, the Cybersecurity Manager will be responsible for establishing and leading the company's formal information security program. Reporting directly to the Chief Information Officer, this role is a high-impact individual-contributor position that works in close partnership with executive leadership — including Legal, the COO, and the CEO — to design and mature a cybersecurity framework aligned with the NIST Cybersecurity Framework (CSF) 2.0.

The immediate priority for this role is completing a policy gap analysis and building out the policies, standards, and procedures required for full NIST CSF 2.0 alignment across all six functions. Following that foundation, the Cybersecurity Manager will drive CEC's goal to achieve CMMC Level 1 compliance and annual self-attestation by end of 2027, building the controls and organizational readiness required to meet that milestone.

This is a foundational role for a self-motivated security leader who is energized by building programs from the ground up and thrives in a collaborative, mission-driven environment.

RESPONSIBILITIES

Cybersecurity Program Development & Strategy

  • Lead the design, documentation, and phased implementation of CEC's enterprise cybersecurity program, using NIST CSF 2.0 as the guiding framework across the Govern, Identify, Protect, Detect, Respond, and Recover functions.
  • Conduct a comprehensive policy gap analysis as a first priority; develop, publish, and maintain a complete set of cybersecurity policies, standards, and procedures and drive adoption across all 35+ offices and business units.
  • Partner with the CIO, Legal, COO, and CEO to establish governance structures, define organizational risk tolerance, and align security investments with business objectives.
  • Create and maintain a formal cybersecurity roadmap with prioritized initiatives, measurable success metrics, and executive-level reporting.

CMMC & Regulatory Compliance

  • Lead CEC's CMMC Level 1 compliance initiative, coordinating requirements across IT, operations, and legal to achieve successful annual self-attestation and SPRS submission by end of 2027.
  • Conduct and maintain a structured cybersecurity risk register; lead periodic risk assessments and develop actionable remediation plans.
  • Monitor the evolving regulatory and threat landscape relevant to the AEC industry and advise leadership on required responses.
  • Support internal and external audit activities related to information security and data protection.
  • Collaborate with Legal on data privacy obligations, contractual security requirements, and third-party data handling agreements.

Security Operations & Infrastructure

  • Evaluate CEC's current security controls, tools, and processes; identify gaps and recommend improvements across on-premises, cloud (Microsoft Azure/M365), and hybrid environments.
  • Oversee a vulnerability management program including regular scanning, risk-based prioritization, and remediation tracking.
  • Develop, document, and exercise an incident response plan; lead tabletop exercises and post-incident reviews to strengthen organizational readiness.
  • Manage third-party and vendor risk assessments, ensuring security requirements are reflected in contracts and vendor management practices.

Security Awareness & Culture

  • Design and deliver a company-wide security awareness and training program tailored to staff roles and risk profiles across all office locations.
  • Serve as CEC's primary cybersecurity subject matter expert and advisor to business units, project teams, and executive leadership.
  • Champion a culture of security awareness, shared accountability, and continuous improvement across the organization.
  • Other duties as assigned.

Qualifications

Required

  • Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or a related field; additional experience may be substituted.
  • 6+ years of progressive experience in cybersecurity or information security, with demonstrated experience building or maturing a formal security program within an enterprise environment.
  • Strong working knowledge of the NIST Cybersecurity Framework (CSF 2.0) and hands-on experience applying it in a real-world organizational context.
  • Working knowledge of CMMC Level 1 requirements, the FAR 52.204-21 basic safeguarding controls, and the annual self-attestation and SPRS submission process.
  • Experience conducting risk assessments, developing information security policies and standards, and managing vulnerability management programs.
  • Strong interpersonal, written, and oral communication skills; demonstrated ability to translate complex technical and regulatory concepts into clear, actionable guidance for executive and non-technical audiences.
  • Effective prioritization and project management skills with the ability to manage multiple concurrent initiatives with a high degree of autonomy.

Preferred

  • Relevant professional certifications: CISSP, CISM, CRISC, or equivalent.
  • Familiarity with Microsoft security tools and other common solutions including Sophos MDR, Mimecast, Tenable IO, Microsoft Defender, Azure Security Center, Entra ID / Conditional Access, Purview, and M365 compliance features.
  • Experience working in or providing security services to a professional services, engineering, or AEC-sector firm.
  • Experience with the DoD’s SPRS system and CMMC ecosystem, including C3PAO relationships and third-party assessment readiness (relevant for future Level 2 aspirations).
