
Cybersecurity Manager

Civil and Environmental Consultants
vision insurance, tuition assistance, 401(k), profit sharing
United States, Pennsylvania, Pittsburgh
Jun 19, 2026

Job Locations

US-PA-Pittsburgh (Moon Township)


Category
Information Technology

Type
Full-Time



Overview

As CEC's first dedicated cybersecurity professional, the Cybersecurity Manager will be responsible for establishing and leading the company's formal information security program. Reporting directly to the Chief Information Officer, this role is a high-impact individual-contributor position that works in close partnership with executive leadership - including Legal, the COO, and the CEO - to design and mature a cybersecurity framework aligned with the NIST Cybersecurity Framework (CSF) 2.0.

The immediate near-term priority for this role is completing a policy gap analysis and building out the policies, standards, and procedures required for full NIST CSF 2.0 alignment across all six functions. Following that foundation, the Cybersecurity Manager will drive CEC's goal to achieve CMMC Level 1 compliance and annual self-attestation by end of 2027, building the controls and organizational readiness required to meet that milestone.

This is a foundational role for a self-motivated security leader who is energized by building programs from the ground up and thrives in a collaborative, mission-driven environment.

RESPONSIBILITIES

Cybersecurity Program Development & Strategy

  • Lead the design, documentation, and phased implementation of CEC's enterprise cybersecurity program, using NIST CSF 2.0 as the guiding framework across the Govern, Identify, Protect, Detect, Respond, and Recover functions.
  • Conduct a comprehensive policy gap analysis as a first priority; develop, publish, and maintain a complete set of cybersecurity policies, standards, and procedures and drive adoption across all 35+ offices and business units.
  • Partner with the CIO, Legal, COO, and CEO to establish governance structures, define organizational risk tolerance, and align security investments with business objectives.
  • Create and maintain a formal cybersecurity roadmap with prioritized initiatives, measurable success metrics, and executive-level reporting.

CMMC & Regulatory Compliance

  • Lead CEC's CMMC Level 1 compliance initiative, coordinating requirements across IT, operations, and legal to achieve successful annual self-attestation and SPRS submission by end of 2027.
  • Conduct and maintain a structured cybersecurity risk register; lead periodic risk assessments and develop actionable remediation plans.
  • Monitor the evolving regulatory and threat landscape relevant to the AEC industry and advise leadership on required responses.
  • Support internal and external audit activities related to information security and data protection.
  • Collaborate with Legal on data privacy obligations, contractual security requirements, and third-party data handling agreements.

Security Operations & Infrastructure

  • Evaluate CEC's current security controls, tools, and processes; identify gaps and recommend improvements across on-premises, cloud (Microsoft Azure/M365), and hybrid environments.
  • Oversee a vulnerability management program including regular scanning, risk-based prioritization, and remediation tracking.
  • Develop, document, and exercise an incident response plan; lead tabletop exercises and post-incident reviews to strengthen organizational readiness.
  • Manage third-party and vendor risk assessments, ensuring security requirements are reflected in contracts and vendor management practices.

Security Awareness & Culture

  • Design and deliver a company-wide security awareness and training program tailored to staff roles and risk profiles across all office locations.
  • Serve as CEC's primary cybersecurity subject matter expert and advisor to business units, project teams, and executive leadership.
  • Champion a culture of security awareness, shared accountability, and continuous improvement across the organization.
  • Other duties as assigned.


Qualifications

Required

  • Bachelor's degree in Cybersecurity, Information Systems, Computer Science, or a related field; additional experience may be substituted.
  • 6+ years of progressive experience in cybersecurity or information security, with demonstrated experience building or maturing a formal security program within an enterprise environment.
  • Strong working knowledge of the NIST Cybersecurity Framework (CSF 2.0) and hands-on experience applying it in a real-world organizational context.
  • Working knowledge of CMMC Level 1 requirements, the FAR 52.204-21 basic safeguarding controls, and the annual self-attestation and SPRS submission process.
  • Experience conducting risk assessments, developing information security policies and standards, and managing vulnerability management programs.
  • Strong interpersonal, written, and oral communication skills; demonstrated ability to translate complex technical and regulatory concepts into clear, actionable guidance for executive and non-technical audiences.
  • Effective prioritization and project management skills with the ability to manage multiple concurrent initiatives with a high degree of autonomy.

Preferred

  • Relevant professional certifications: CISSP, CISM, CRISC, or equivalent.
  • Familiarity with Microsoft security tools and other common solutions including Sophos MDR, Mimecast, Tenable IO, Microsoft Defender, Azure Security Center, Entra ID / Conditional Access, Purview, and M365 compliance features.
  • Experience working in or providing security services to a professional services, engineering, or AEC-sector firm.
  • Experience with the DoD's SPRS system and CMMC ecosystem, including C3PAO relationships and third-party assessment readiness (relevant for future Level 2 aspirations).


About Us

We have experts! CEC is consistently ranked as a Top 500 Design Firm and Top 200 Environmental Firm by Engineering News-Record. We are looking for people who enjoy using their education and experience to solve difficult technical problems and work on interesting projects. You can accomplish this while working with a team of professionals who are equally motivated to provide high levels of service to our clients and to teach you along the way.

We have support! We have a variety of Employee Resource Groups, including CEC Community - focused on giving back to the communities in which we work; CEC Ignite - focused on helping professionals early in their careers to develop their pathway; CEC iDEA - focused on inclusion, diversity, equality, and acceptance; and CEC Women - focused on creating internal and external opportunities for women to network and leverage professional experience!


We care about our people! People and Culture are two of the five elements of our strategic plan. When you care about your people, they will want to grow a career with you - that is our goal. CEC offers you a small-firm work environment with large-firm opportunities. Not only will we help you develop professionally, but we will also provide an opportunity to become an owner of the firm and share in its success.

CEC offers a matching 401(k); profit sharing; a performance bonus; company stock; medical, dental, and vision insurance; short and long-term disability; tuition assistance; professional development; and work-life balance.

CEC is an equal opportunity employer. CEC does not discriminate in recruiting, hiring or promotion based on race, color, religion, sex, national origin, age, disability, protected veteran status or any other basis or characteristic prohibited by applicable federal, state, or local law.

THIRD PARTY RECRUITERS

If CEC has not expressly requested recruiting services or contractually engaged with you for recruiting services on a specific position, any resumes or candidate profiles sent to CEC shall be considered unsolicited. Therefore, any such submissions will be considered property of CEC, with no associated fees due to your firm.
