Principal Cybersecurity Risk Advisor

ECI
Boston, MA
Hybrid

About The Position

ECI is the leading global provider of managed services, cybersecurity, and business transformation for mid-market financial services organizations across the globe. From its unmatched range of services, ECI provides stability, security and improved business performance, freeing clients from technology concerns and enabling them to focus on running their businesses. More than 1,000 customers worldwide with over $3 trillion of assets under management put their trust in ECI.

At ECI, we believe success is driven by passion and purpose. Our passion for technology is only surpassed by our commitment to empowering our employees around the world.

Position Summary

As a Principal Cybersecurity Risk Advisor, you will work alongside industry leaders across verticals to strengthen client security postures, drive compliance programs, and act as a trusted strategic partner to executive leadership. This is not a delegation role — you will own the work: writing policies, conducting assessments, leading audits, and advising boards.

This is not your typical consulting role. Since ECI is the primary third party to our clients, you will be working with internal teams to own workflows. You will serve as a senior technical and advisory resource across a portfolio of complex client engagements, leading multi-framework compliance programs (CMMC, TISAX, NIST, ISO 27001, SOC 2, SEC) and helping clients translate evolving regulatory obligations into prioritized, actionable programs. If you can't get your hands dirty, this role isn't for you.

Requirements

  • 7–10+ years of experience in information security, GRC, or IT risk, with a track record of continuous growth in a consulting or advisory environment
  • At least 3 years in a client-facing advisory, vCISO, or principal consultant capacity — comfortable owning named client relationships at the C-suite level
  • Demonstrated, hands-on experience managing multi-framework compliance programs (CMMC, NIST, SOC 2, ISO 27001, TISAX, or similar) — not just familiarity in isolation
  • Experience supporting M&A transactions from a GRC/security perspective — due diligence, gap analysis, or integration planning
  • Previous consulting experience in financial services, healthcare, government, manufacturing, or DIB sectors preferred
  • Bachelor's degree in Computer Science, Information Systems, or related field required; advanced degree preferred

Nice To Haves

  • CISSP — Certified Information Systems Security Professional
  • CISM — Certified Information Security Manager
  • CMMC Registered Practitioner (RP) or Certified Professional (CCP), or ability to obtain within 6 months
  • ISO/IEC 27001 Lead Implementer or Lead Auditor
  • CRISC or CISA advantageous
  • Deep working knowledge of CMMC 2.0 (NIST SP 800-171 / 800-172), DFARS 252.204-7012, NIST CSF/RMF/SP 800-53, HITRUST, and SEC cybersecurity rules
  • TISAX requirements — ISA categories, maturity levels, VDA ISA control catalogue, and ENX assessment process
  • Strong understanding of security controls and best practices: MFA, Conditional Access, Least Privilege, Defense in Depth
  • Experience with endpoint and cloud security platforms (CrowdStrike, SentinelOne, Microsoft 365, Cisco); familiarity with GRC tooling (Vanta, Cynomi, Drata, Archer, ServiceNow GRC, or similar)
  • Constantly aware of evolving threat landscape and real-world events impacting client security posture

Responsibilities

  • Serve as a named senior advisor to client CTO, CISO, and executive leadership — owning strategic direction and day-to-day program execution across multiple engagements
  • Lead steering sessions, quarterly program reviews, and board-level risk briefings — preparing and delivering materials directly
  • Develop and maintain rolling GRC roadmaps aligned to client business priorities, regulatory calendars, and risk appetite
  • Translate complex regulatory and technical requirements into actionable, prioritized guidance for operational, technical, and executive stakeholders
  • Address ad hoc client security queries with timely, well-reasoned guidance, and build deep institutional knowledge of client environments, systems, and supply chains
  • Develop and implement risk management strategies, maintaining enterprise GRC risk registers with hands-on identification, scoring, treatment, and reporting
  • Conduct thorough security architecture analyses, identifying vulnerabilities and proposing robust countermeasures; facilitate risk workshops and annual Security Program Reviews
  • Manage multi-framework compliance programs concurrently — CMMC Level 2 (including SSP, POA&M, SRM, SPRS scoring, and C3PAO coordination), TISAX (ISA self-assessment, ISMS), ISO 27001 (SoA, Annex A mapping), and others as client needs dictate
  • Own and drive full audit lifecycle management — pre-audit readiness, evidence collection, auditor liaison, post-audit remediation — across up to four certification engagements per year
  • Develop, review, and maintain client information security policy suites and procedures; update policies against SEC, NIST, CMMC, FTSE, ISO 27001, and other applicable standards
  • Own vendor due diligence programs including SOC 2 Type II analysis, security questionnaire reviews, risk scoring, and contractual flow-down verification
  • Lead GRC due diligence workstreams on M&A acquisition targets — assessing security posture, compliance gaps, and integration risk; produce diligence reports and post-acquisition integration roadmaps
  • Mentor team members, contributing to their professional growth and overall GRC practice capability
  • Contribute to internal practice development — maintaining and improving compliance playbooks, templates, and methodologies informed by client engagement learnings
  • Participate in internal QA and peer review processes to ensure quality and consistency across all client deliverables

Benefits

  • Flexible PTO
  • Benefit eligibility the first of the month
  • 401(k) with employer match