Principal, Cybersecurity Policy Advisor

Job Description

Description

Be a part of something powerful at America's premier energy provider!

At Exelon, we are united by our values and shared vision for a cleaner and brighter future. We encourage curiosity, value diverse perspectives and we never stop looking for ways to be, work and do better. We know the future is in our hands. That's why we're looking for people like you, who have the power to make a difference.

As the nation's largest utility company, we serve more than 10 million customers through six fully regulated transmission and distribution utilities � Atlantic City Electric (ACE), Baltimore Gas and Electric (BGE), Commonwealth Edison (ComEd), Delmarva Power & Light (DPL), PECO Energy Company (PECO), and Potomac Electric Power Company (Pepco). All 18,000 of us are committed to delivering safe, reliable and affordable energy to our customers, strengthening our communities, supporting a clean energy future and reducing our impact on the changing climate.

Our people are the heart and soul of our business. Whether it's powering lives, supporting communities or collaborating with colleagues, an Exelon employee is talented, compassionate, forward-thinking and inspired. We are empowered to evolve and advance our careers in an open and inclusive environment. We pride ourselves on being the kind of place where people want to come and stay. We know that investing in our employees' futures strengthens ours, which is why we offer competitive compensation, incentives and health and retirement benefits.

PRIMARY PURPOSE OF POSITION

The Principal, Cybersecurity Policy Advisor will focus on enhancing enterprise-wide cybersecurity compliance, developing processes, that adhere to best practices and industry frameworks to mitigate risk. This individual will engage in job duties outlined below, to enhance the resiliency of Exelon and to promote our mission of safeguarding the people, property, reputation, and shareholder value of the corporation. Serve as Exelon's subject matter expert for cybersecurity compliance requirements, including internal and external controls to support Exelon's desired risk posture and regulatory obligations, respectively Research and stay informed of any regulatory compliance obligations that may impact Exelon to identify potential changes in compliance requirements Collaborate with security, compliance, legal, IT/OT, facilities, and business teams to drive awareness of emerging compliance obligations in support of proactive planning efforts to meet regulatory requirements in a more timely, efficient manner Analyze the intent of the required control(s) requirement(s) and define the strategy to address compliance obligations efficiently and securely, while reducing the scope and associated costs to maintain compliance over time Develop recommendations to meet regulated and non-regulated security control requirements Drive consensus on the recommended path forward to address the requirement(s) with impacted stakeholders Support remediation efforts to resolve compliance gaps Develop evidence collection processes to verify required security controls are in place Support internal and external audit teams to validate requirements have been met Provide recommendations to revise, enhance, and/or develop new policies, standards, processes, and best practices to further reduce risk to Exelon relative to compliance obligations Develop implementation strategies and roadmaps to enable IT, OT, facilities, and business teams to achieve compliance and mitigate risk Lead, mentor, and develop others to grow the capabilities and effectiveness of the team

PRIMARY DUTIES AND ACCOUNTABILITIES

• Provide guidance and operational management for cyber and physical security compliance programs (45%)
• Collaborate with security, compliance, legal, IT/OT, facilities, and business teams to drive awareness of emerging compliance obligations in support of proactive planning efforts to meet regulatory requirements in a more timely, efficient manner (25%)
• Support internal and external audit teams to validate requirements have been met (20%)
• Identify potential cyber and physical security control requirements to meet regulatory obligations and internal security control requirements (10%)

JOB SCOPE

Interact with internal stakeholders to deliver cyber compliance and perform related tasks Work under minimal supervision, following standard procedures to accomplish assigned tasks

Qualifications

MINIMUM QUALIFICATIONS

• Bachelor's degree in relevant field preferred, or equivalent experience required
• 7+ years of professional industry experience focused on cybersecurity, physical security, risk, and compliance
• A deep understanding of regulatory requirements and associated frameworks such as SOX, NERC CIP, NIST, ISO, FISMA, FARS, DFARS, CUI, CMMC is critical to success in this position
• Deep understanding of cybersecurity concepts, including security exceptions management, the anatomy of an attack, and risk mitigation strategies
• Experience with common security frameworks and industry regulatory requirements
• Ability to effectively assess risk to the organization and define appropriate mitigation techniques and/or compensating controls
• Experience helping organizations define, develop, deploy, and manage cybersecurity solutions across IT and Critical Infrastructure environments
• Confident in leading end-to-end solutions � strategy, design, development, testing, training, implementation
• Demonstrated project management experience leading teams and large-scale programs
• Experience leading and deploying end-to-end compliance/privacy solutions including strategy and road mapping, policy design, development, implementation, adoption, and enforcement
• Understanding of high-level application, database, cloud, and network security principles for risk identification, mitigation, and analysis
• Experience working with popular GRC tools like ServiceNow, Archer, MetricStream
• Understands current cyber and physical security best practices

PREFERRED QUALIFICATIONS

• Juris Doctorate
• Experience in the Energy and Utilities industry
• Experience working with internal and external auditing firms
• Understanding of key cyber and legal concepts relative to regulatory compliance requirements
• Professional Services or Consulting firm/industry experience
• Experience in writing procedures and policies
• Strong communication skills in a fast paced, dynamic, team-based environment
• GICSP, CISSP, CISA, CISM, PMP certifications
• A discipline in one of the following: Computer Science; Information Systems; Information Systems Security; Information Technology
• Experience mentoring and providing coaching for personnel