Manager, OT Security & Compliance

LS Power Development, LLC, Austin, TX

About The Position

LS Power Grid is seeking a Manager of OT Security & Compliance to lead two closely aligned teams within our Operations Technology organization: the OT Compliance Engineering team, responsible for operating and maintaining our core security tooling, and the OT Governance, Risk & Compliance (GRC) team, responsible for the policy framework, risk management, and regulatory compliance program that governs our OT environment. A defining expectation for this role is the ability to bridge technical and non-technical worlds with equal precision. You will need to engage directly with your engineers on tool configurations, scan results, and control implementation, and engage directly with senior leadership, regulators, or auditors and communicate the same subject matter in terms of business risk, program posture, and organizational impact. That translation capability is not incidental to this role; it is central to how it operates.

Requirements

  • 5+ years of progressive OT or ICS cybersecurity experience, with direct ownership of a NERC CIP compliance program at a registered entity and a demonstrated record of successful audit outcomes.
  • Formal designation or functional experience as a manager or compliance program authority, with firsthand experience managing regulatory interactions with TRE, FERC, or NERC.
  • Direct, production hands-on experience operating Splunk, Nessus or Tenable, and Tripwire or equivalent security tooling in OT or ICS environments.
  • Proven experience directly managing both a technical operations team and an analyst/GRC team, including hiring, performance management, and developing staff into program ownership.
  • Demonstrated ability to communicate technical OT Security & Compliance topics with equal clarity to engineers, peer managers, auditors, and executive leadership — adjusting framing and depth without losing accuracy.
  • Strong working knowledge of CIP-006, CIP-007, CIP-008, CIP-010, and CIP-011, with the ability to interpret requirements, identify gaps, and build controls that satisfy both regulatory intent and operational reality.
  • Experience building and maintaining GRC program components: risk registers, control frameworks, policy libraries, and exception management workflows.
  • Excellent written communication skills across multiple document types: regulatory submissions, executive summaries, work instructions, and compliance evidence documentation.
  • 7+ years of experience in OT/ICS cybersecurity or critical infrastructure protection, with at least 3 years in a compliance program leadership role at a NERC-registered entity.
  • Named NERC CIP compliance program ownership with direct engagement in Regional Entity (TRE, WECC, RF, or equivalent) audit and enforcement processes.
  • Demonstrated experience managing Splunk, Nessus or Tenable, and Tripwire or equivalent OT security tooling.
  • Demonstrated experience managing both a technical security team and a GRC/analyst team simultaneously.
  • Demonstrated ability to communicate OT Security & Compliance topics clearly and accurately across all organizational levels: from engineering staff through executive leadership, and to external regulatory bodies.
  • Active security certification required: GICSP, CISSP, CISM, or GIAC equivalent.
  • Bachelor’s degree in computer science, Information Systems, Engineering, or a related field; in lieu of degree, 10+ years of directly applicable OT/ICS security and compliance experience.

Nice To Haves

  • Familiarity with IEC 62443, NIST SP 800-82, or NIST CSF as complementary frameworks to NERC CIP in OT environments.
  • Experience with compliance evidence management platforms (AssurX or equivalent) and ITSM/CMDB tools (ChangeGear, ServiceNow, or equivalent).
  • Background supporting multi-entity, multi-jurisdictional compliance programs across transmission and generation assets in different regional footprints.
  • Active security certification: GICSP, CISSP, CISM, or GIAC equivalent.
  • Bachelor’s degree in computer science, Information Systems, Engineering, or a related field; equivalent experience considered.

Responsibilities

  • Directly manage a team of OT Compliance Engineers responsible for operating Splunk (SIEM and log management), Nessus/Tenable (vulnerability scanning), and Tripwire (file integrity and configuration monitoring) in production OT environments.
  • Ensure tool outputs are fully operationalized: alerts are triaged and actioned, vulnerability findings are tracked through remediation, configuration baselines are enforced, and compliance evidence is generated consistently and on schedule.
  • Set performance expectations, conduct regular 1:1s and formal reviews, and develop engineers from compliance executors into deeper program owners with domain expertise.
  • Build a team culture of documentation discipline and continuous audit readiness; establish and maintain evidence quality standards so the program is always prepared, not just ahead of scheduled engagements.
  • Identify gaps in tooling coverage or team capability and develop justified proposals for headcount, tooling, or process improvements.
  • Lead audit preparation and direct engagement with TRE, FERC, and NERC; serve as the primary signatory and point of contact for all regulatory correspondence and submissions.
  • Own the full violation management lifecycle — self-identification, mitigation documentation, and corrective action plan development and tracking through closure.
  • Own end-to-end compliance with CIP-006, CIP-007, CIP-008, CIP-010, and CIP-011; serve as the authoritative interpreter of CIP requirements for both your teams and peer functions.
  • Monitor NERC, TRE, and FERC regulatory developments; assess impact of new or revised standards and drive program updates ahead of enforcement deadlines.
  • Directly manage a team of OT GRC Analysts responsible for policy management, risk assessment, control framework maintenance, audit evidence coordination, and regulatory reporting.
  • Own the OT GRC program end-to-end: policy library, standards, control framework, risk register, exception management, and governance reporting cadences.
  • Maintain a living OT security risk register; ensure risks are formally assessed, assigned to owners, tracked to resolution, and reported to leadership with clear business context and recommended disposition.
  • Develop and enforce OT security policies and procedures that satisfy regulatory obligations and are written to be operationally executable — not just audit-ready on paper.
  • Support multi-entity expansion and new facility onboarding: manage compliance readiness for PSP and ESP certifications, NERC registration, and regulatory filings with long lead-time coordination across legal, engineering, and operations.
  • Communicate OT Security & Compliance topics effectively at every level of the organization: giving precise technical direction to your engineers, coordinating peer-to-peer with network, systems, and physical security teams, and delivering clear business-risk framing to senior leadership and executives.
  • Translate technical findings — scan results, configuration gaps, evidence deficiencies, control failures — into language that non-technical stakeholders can act on, without sacrificing the accuracy or context that makes the communication meaningful.
  • Serve as the organizational voice in external regulatory interactions, including TRE audit engagements, NERC inquiry responses, and FERC filings.
  • Produce written communications across a wide range of formats and audiences: regulatory correspondence, executive briefings, team-facing work instructions, and vendor accountability documentation.

Benefits

  • 100% employer-paid premium healthcare
  • Paid parental leave