Manager, Cybersecurity Officer

Washington D.C.
Jun 07, 2021
Jun 17, 2021
Full Time
The Washington Metropolitan Area Transit Authority (Metro) is building a state-of-the-art cybersecurity program to better protect the critical transit infrastructure supporting our nation's capital. This position shall serve as Information System Security Manager (ISSM) responsible for security oversight of a team of ISSOs and supported systems. Reports to the Senior Manager, Cybersecurity and Enterprise System Security Officer (ESSO). The ISSM shall lead a team of cybersecurity experts, develop system security plans based on risk analysis and an understanding of the IT and security architecture of the organization, and meet with system owners to navigate the intersection of innovative security and IT demands/schedules. The ISSM shall expertly navigate the NIST Cybersecurity Framework and its mapping to the Risk Management Framework along with PCI and HIPAA standards for security. Further, a knowledge of system security auditing, security control assessment and use of a governance risk and compliance tool are critical skills. Successful candidates will be expected to lead efforts to implement NIST frameworks and guide more junior ISSOs in their application. The ISSM shall review and approve all system security documentation prior to submission to the Authorizing Official and lead continuous monitoring efforts for systems in production.


  • A Bachelor's degree in Cybersecurity, Cybersecurity Management and Policy, Information Systems Management, Risk Management, Liberal Arts, or another analytical degree from an accredited college or university

  • Seven (7) years of experience as a cybersecurity officer/engineer, information systems security officer, or specialized expertise in cyber policy, intelligence, analytics, budget, audit, metrics, or training such that it meets the specific role posted

Preferred Education
  • A Master's degree in Cybersecurity, Cybersecurity Management and Policy, Information Systems Management, Risk Management, Liberal Arts or another analytical degree from an accredited college or university

  • Certifications in cybersecurity, ITIL/ITSM, or a related field

Medical Group

Satisfactorily complete the medical examination for this position, if required. The incumbent must be able to perform the essential functions of this position either with or without reasonable accommodations.


The Manager, Cybersecurity Officer is responsible for ensuring that the Washington Metropolitan Area Transit Authority (WMATA) cybersecurity program is conducted based on the cybersecurity strategy and in alignment with industry best practices such as the National Institute of Standards and Technology (NIST) framework. The incumbent is directly responsible for personnel and functions that identify, architect, document, facilitate and assess cybersecurity, privacy, and risk management solutions, requirements, and practices for WMATA systems and programs throughout the System Development Life Cycle (SDLC). The incumbent further develops, documents, and implements cybersecurity policy, programs, plans, procedures, and work instructions; supports internal and external audits, and advances an effective security awareness program to educate and change the cybersecurity culture in alignment with organizational priorities, objectives, and goals. The Manager, Cybersecurity Officer also ensures that the skills necessary for an effective cybersecurity program are defined and that there is adequate funding to hire the right people to provide those skills.

  • Manages, develops, and maintains cybersecurity and risk management policy, programs, plans, strategies, and governance standards in alignment with industry best practices, NIST frameworks and guidance, and organizational priorities, initiatives, goals, and objectives against which the WMATA cybersecurity program is managed and measured. Identifies, documents, and integrates cybersecurity requirements throughout the SDLC in alignment with NIST frameworks. Creates a strong culture of cybersecurity throughout the organization and drives behavioral changes for all business units within WMATA. Supports, manages, trains, and directs system security officers in the execution of functions to ensure regulatory compliance.
  • Manages, implements, and reports on the status and effectiveness of the NIST Risk Management Framework (RMF) / Cybersecurity Framework (CSF) on WMATA systems. Ensures that security controls specified in system security plans or other system documentation are implemented. Develops system-level strategies for assigned systems in alignment with organization and mission/business process strategies to continuously monitor control effectiveness. Serves as a cybersecurity consultant/subject matter expert for system personnel and collaborates with other internal and external cybersecurity professionals to identify and implement risk-based, repeatable strategies and processes that include control selection and inheritance, security documentation and review, security control assessment and authorization, vulnerability documentation and remediation. Populates status and system security information in the Governance Risk and Compliance (GRC) tool. Ensures the appropriate treatment of risk, compliance, and assurance from all perspectives to assure that existing and new information technology (IT) systems meet organizational cybersecurity and risk requirements, objectives and goals.
  • Develops and manages technical cybersecurity services and personnel that assure the confidentiality, integrity and availability of WMATA's systems, system components, files, folders, repositories as well as physical resources (e.g., buses, trains, police communications, industrial control systems, building/facility entrances and doors). Ensures that technical cybersecurity solutions comply with regulatory requirements, industry best practice, and internal and external customer requirements. Develops, reviews, and manages secure systems engineering and software development efforts for WMATA systems. Analyzes business needs and proposes suitable enterprise and system-level security solutions and plans for implementation within a broader inheritance model/structure. Conducts system security analyses and documents system boundaries and security requirements/specifications in alignment with best practices. Develops system security engineering project plans that document key system security performance parameters aligned with risk mitigation countermeasures, reliability and resiliency needs, and NIST guidance. Ensures that secure provisioning and deprovisioning is conducted for WMATA systems, employees, contractors and external users.
  • Manages and advances cybersecurity programs, projects, and processes to ensure that systems are operated at an acceptable level of risk to WMATA operations (including mission, functions, image, or reputation), assets, and individuals. Manages the cybersecurity posture for assigned portfolio of systems or programs. Serves as the primary liaison between system personnel and the cybersecurity organization. Engages common control providers, system security officers, and the Authorizing Official (AO) in support of WMATA programs in alignment with organizational priorities and to advance security goals and objectives.
  • Manages and documents risk, threat, vulnerability, and security control assessments, processes, procedures, and requirements for WMATA applications, programs, systems, and networks in alignment with industry best practice and NIST frameworks, publications, and guidance. Measures the effectiveness of system defense-in-depth architectures and security controls implementations. Ensures that systems, processes, and people follow published policy and recommends appropriate mitigation countermeasures in operational and nonoperational situations. Alerts management personnel regarding potential risk areas.
  • Conducts, manages and contributes to performance evaluations and audits of the IT security program to determine compliance with published standards. Manages, tracks, and develops solutions to security issues and reports remediation progress. Supports policy compliance, governance and incident response programs. Prepares and documents responses to audit reports and provides recommended remediation strategies/solutions. Coordinates external audit requirements across programs.
  • Manages, develops, documents, and communicates enterprise cybersecurity requirements for special projects and new initiatives to include continuous monitoring, secure software development, and flaw, malicious code, and vulnerability remediation efforts. Trains and manages system security officers on requirements of new cybersecurity initiatives.
  • Manages, reviews, and complies with budgets for the Cybersecurity program using actual performance, previous budget figures, estimated revenue, expense reports, and other data sources to maximize return on investment, control funds and provide for proper financial administration. Applies knowledge of system security to develop budgetary requirements. Works with cybersecurity personnel to effectively plan and monitor budgets. Tracks contracting costs, identifies security needs, reviews and enforces statements of work. Ensures that the cybersecurity program manages costs effectively, projects future budget needs, improves services received and meets schedule demands for service delivery.
  • Prepares, manages and presents governance and compliance management reports, key performance metrics, scorecards, and briefings to cybersecurity and IT leadership. Uses continuous monitoring scoring and grading metrics and provides such to management for their information security investment decisions that address persistent issues. Works with organizational risk analysts to ensure risk metrics are defined realistically. Ensures the enterprise has a cybersecurity scorecard that presents an accurate and clear view of the health of the organization, including but not limited to system and program-level health, operational defensive effectiveness, and employee training/effectiveness. Manages, reviews, edits, approves, and reports on the status and substance of cybersecurity documentation, plans, and programs.
  • Manages the cybersecurity components of the GRC tool. Configures, populates, and documents instructions for security professionals' use of the tool. Creates and maintains inherited controls at the direction of the Authorizing Official. Develops exports and reports to support audit and metric requirements. Ensures that all system security documentation is tracked and managed effectively.
  • As a part of the system security life cycle, provides program oversight and leadership to system security officers in the identification, documentation, and evaluation of supply chain risks and recommends improvements. Ensures that WMATA systems and technology are procured with security considered from the start of the purchase process.
  • Manages and performs privacy impact and threshold assessments of system's security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). Assesses the security effectiveness of the system's security controls. Ensures sensitive information is properly protected in all systems and applications that store, process, or transmit WMATA data or information.
  • Advises security leadership on risk levels and security posture of WMATA systems, and on the cost/benefit analysis and Return on Investment (ROI) of cybersecurity programs, projects, policies, processes, systems and elements.
  • Consults with customers, gathers and evaluates functional requirements, and determines appropriate security controls that adhere to policy to mitigate risks and fulfill customer needs. Translates requirements into technical cybersecurity solutions. Provides guidance to customers about applicability of security controls needed to support business goals and objectives. Supports and integrates cybersecurity into all phases of the SDLC.
  • Ensures that timely, mission-focused, and tailored cybersecurity training and developmental opportunities are provided to cybersecurity personnel to support employee retention objectives. Creates training, education and certification requirements to address changes to cybersecurity policy, emerging threats, and industry best practices. Partners with universities, certification companies, state/federal agencies and other innovative resources to provide up-to-date and relevant content to WMATA. Trains and develops system security officers in response to cybersecurity assessments or identified skill/knowledge deficits.

The functions listed are not intended to limit the specific duties and responsibilities of any particular position, nor are they intended to limit in any way the right of managers and supervisors to assign, direct and control the work of employees under their supervision.

Evaluation Criteria

Consideration will be given to applicants whose resumes demonstrate the required education and experience. Applicants should include all relevant education and work experience.

Evaluation criteria may include one or more of the following:
  • Skills and/or behavioral assessment
  • Personal interview
  • Verification of education and experience (including certifications and licenses)
  • Criminal Background Check (a criminal conviction is not an automatic bar to employment)
  • Medical examination including a drug and alcohol screening (for safety sensitive positions)
  • Review of a current motor vehicle report


WMATA is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, status as a protected veteran, or any other status protected by applicable federal law.

This posting is an announcement of a vacant position under recruitment. It is not intended to replace the official job description. Job descriptions are available upon confirmation of an interview.