Cybersecurity Engineer at RJ Young

RJ Young · Madison, United States Of America · Hybrid

Summary/Objectives

The Cybersecurity Engineer partners directly with clients to design, implement, and sustain practical, audit-ready programs across compliance frameworks (emphasis on CMMC Level 2). The role blends client advisory with hands-on control implementation: conducting gap assessments, building and maintaining core documentation (SSP, POA&M, risk register, policies), guiding evidence collection in a GRC platform, and working closely with Service Desk and Engineering to plan and execute remediation. As the team’s specialist, this role will often own complex compliance-driven fixes end-to-end - from scoping and change control through validation and evidence capture - while enabling repeatable runbooks that frontline teams can execute going forward.

Essential Functions

Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

  • Lead readiness efforts across compliance frameworks including scoping, boundaries, data flows, asset inventories, and inherited controls.
  • Be the face of the compliance practice to our clients assisting them with compliance readiness.
  • Help grow the compliance portion of our business by providing pre-sales support and by defining and delivering services.
  • Develop and maintain compliance artifacts (SSP, POA&M, risk register, policies and procedures, incident response plan, configuration baselines, vendor risk documents).
  • Guide clients through GRC workflows: control mapping, evidence plans, test steps, due dates.
  • Translate requirements into technical hardening with Engineering (for example Microsoft 365 and Entra ID, Conditional Access and MFA, Defender and Intune, PIM and least privilege, logging and SIEM, backup and BCDR, endpoint baselines).
  • Plan and coordinate remediation packages with Service Desk tiers and Engineering and Projects - defining scope, risk, change windows, rollback, and validation criteria.
  • Execute remediation directly when appropriate, especially for complex or high-risk controls.
  • Create operational runbooks and playbooks for repeatable compliance fixes and train Service Desk and Engineering on execution and escalation paths.
  • Validate and evidence outcomes post-remediation.
  • Establish metrics and scorecards (for example control maturity, open finding aging, patch SLAs, policy adoption, and - where applicable - NIST 800-171 and SPRS scoring) and present progress to client and internal leadership.
  • Coach stakeholders (IT, Security, HR, Legal, Procurement, Leadership) on roles, governance cadence, risk acceptance, exceptions, and continuous improvement.
  • Prepare for assessments and audits (mock interviews, sampling, evidence quality assurance, assessor Q&A practice, corrective action planning).
  • Maintain documentation quality - templates remain current, version-controlled, and aligned to evolving guidance and regulations.
  • Support incident readiness (tabletops, roles, evidence preservation, log retention and time sync) and drive after-action improvements.
  • Advise pre-sales and SOW scoping and contribute to proposals, level-of-effort estimates, and statements of applicability.
  • Pursue continuing education and share updates on framework changes, assessor expectations, and technology and security best practices.

Supervisory Responsibility

No direct reports. Acts as a specialist and escalation point for compliance-driven remediation and may mentor junior analysts and engineers and lead cross-functional project teams for client engagements.

Work Environment

Hybrid or remote professional environment with periodic on-site client visits (office, light industrial, and public-sector facilities). Routine use of computers, phones, conferencing tools, and standard office equipment. Occasional access to secure areas or data centers per client policy.

Physical Demands

Ability to remain in a stationary position for extended periods, operate a computer, and communicate effectively. On client visits, ability to walk facilities, climb short ladders or stairs, and occasionally lift up to 25 lbs (for example endpoint or network equipment) for control validation or device inventory.

Position Type/Expected Hours of Work

Full-time, exempt. Core hours typically 8:00 a.m.-5:00 p.m. Central, with flexibility for client time zones and change windows. Occasional evening or weekend work during assessments, cutovers, or incident support.

Travel

Travel averages up to 10% at most, primarily within the Southeastern U.S., with occasional national travel for assessments, training, or conferences.

Required Education and Experience

  • 2 or more years building or operating security and compliance programs aligned to compliance frameworks. Experience with CMMC Level 2 in regulated environments required.
  • Demonstrated experience producing SSPs, POA&Ms, risk registers, policies and procedures, evidence plans, and control tests.
  • Proficiency with at least one major GRC platform including control mapping and evidence workflows.
  • Familiarity with Microsoft 365 and Entra ID security (Conditional Access and MFA, PIM and least privilege), Defender and Intune, DLP and Purview, endpoint hardening, logging and SIEM concepts, and backup and BCDR fundamentals.
  • Strong consulting skills: discovery, facilitation, clear writing, executive-level briefings, expectation-setting, and change management.

Preferred Education and Experience

  • One or more relevant credentials: CMMC-AB Certified Professional, ISO 27001 Lead Implementer or Lead Auditor, CISSP or CISM, Security+ or CySA+ or CASP+, Microsoft SC-400 or AZ-500, GIAC GCCC or similar.
  • Experience preparing organizations for third-party assessments (C3PAO or other assessor interviews, sampling, corrective action plans).
  • Exposure to additional frameworks (for example HIPAA, PCI, ISO 27001) for cross-mapping and harmonization.

Work Authorization/Security Clearance (if applicable)

  • Must be authorized to work in the United States.
  • Ability to pass background checks, including CJIS screening and fingerprinting where required.
  • U.S. citizenship may be required for certain client engagements involving controlled information.

AAP/EEO Statement

RJ Young provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state, or local laws.

This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training.

Other Duties

Please note that the job description is not designed to cover or contain a comprehensive listing of activities, duties, or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.