The Software Engineering Institute (SEI) helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Our core purpose is to help organizations improve software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.
Position Summary for Senior Risk Engineer:
The CERT Program is part of the SEI, a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania and Arlington, Virginia. At CERT, we engage in state-of-the-art research and development to improve the state of cybersecurity. In the Senior Cyber Security Engineer role, we value your background in cybersecurity risk, policy, and governance.
The Cyber Risk Management (CRM) team develops solutions and advises public and private customers in matters pertaining to risk management. Our focus is to connect the board room to the cyber risk management elements of the organization through more effective policies and practices. In this role, you will be a part of this team and work with fellow engineers to advance the state of practice. The CRM team develops solutions in the form of frameworks, models, tools, policies, practices, technical guidance, and training that allow organizations to assess, analyze, and manage organizational, operational, strategic, and technical risks to mission-critical assets, processes, systems, and infrastructures. The goal of the team is to promote innovation and collaboration across customer programs and within the SEI.
You are focused, have a track record of crafting interdisciplinary approaches to problem solving, and demonstrate strong presentation and writing skills. You are able to communicate with clients and staff of all levels in a highly professional and competent manner. You love the flexibility of an organization that values hard work but appreciates work-life balance and professional development. More specifically, you have demonstrated the application of those skills to matters that pertain to risk management in the context of a cybersecurity or enterprise risk management organization.
A BS or BA in a relevant field with ten (10) years of experience, a Master's in a relevant field with eight (8) years of experience, or a PhD in a relevant field with five (5) years of experience is preferred.
Willingness to travel to various locations to support the SEI's overall mission. (25% travel)
You will be subject to a background check and would need to be eligible to obtain and maintain a Department of Defense security clearance.
Shape national and organizational policy with respect to risk management and its application to strategic and cybersecurity-related matters
Analyze and measure effectiveness of risk policy and governance
Develop roadmaps for improvement of cybersecurity capabilities through the use of appropriate tools and methods that support risk-based decision making
Participate in standards making bodies as they relate to risk management in organizations
Assist in implementation of risk policy and procedure
Participate in applied research of risk related topics
Develop new tools and applications that support qualitative and quantitative risk analysis
Directly interface and support clients at client site
Seek opportunities to expand customer relationships through direct engagement
Knowledge, Skills and Abilities:
Experience, knowledge, and application of any number of the following subject matter areas:
Strategic implementation of cyber risk management practices
Metrics and measurements methodologies
Understanding of the economics of risk and its impacts on cyber
Subject matter expertise in the evaluation of cybersecurity controls and practices
Risk management related standards, policies, and frameworks such as FAIR, NIST CSF, and NIST RMF
Qualification and quantification of risk and the application of those processes in making risk-based decisions
Risk management-based metrics and measurement
Detailed understanding and application of risk to matters pertaining to privacy
Organizational governance structure considerations related to risk management
Knowledge of critical infrastructure protection concepts and standards
Ability to deal collaboratively, diplomatically, and successfully with customers, co-workers and other professional colleagues, managers, and staff
Knowledge of supply chain risk management concepts and tools
Ability to communicate with a range of audiences, from junior technical individual contributors to senior customer points of contact
Knowledge of information sharing practices and models
Understanding of maturity model concepts
Experience in an operational environment with an understanding of service related processes and technologies
Cybersecurity concepts and technical implementations
Cybersecurity standards, policies, and frameworks
Certifications of interest include the ISC2 CISSP, CISA, or CISM. Others may pertain to general risk management, privacy risk, or other areas.
Please visit "Why Carnegie Mellon" to learn more about becoming part of an institution inspiring innovations that change the world.
A listing of employee benefits is available at: www.cmu.edu/jobs/benefits-at-a-glance/
Carnegie Mellon University is an Equal Opportunity Employer/Disability/Veteran
Statement of Assurance: https://www.cmu.edu/policies/administrative-and-governance/statement-of-assurance.html