
Cybersecurity Policy Manager

Recruitment #26-004730-0001

Introduction

As the state’s IT leader, DoIT manages information technology and telecommunications services and provides critical support to state agencies, the Executive Office of the Governor, coordinating offices, and independent Executive Branch agencies. The agency provides cybersecurity, digital, data governance, AI enablement, infrastructure, and platform services to its partner agencies, ensuring the State of Maryland is more secure, productive, and accessible.

GRADE

STD 0025

LOCATION OF POSITION

100 Community Place, Crownsville, MD 21032

Main Purpose of Job

The Cybersecurity Risk Management Manager is an integral part of the Maryland Department of Information Technology (DoIT) leadership team. This position will lead and oversee the development and implementation of a centralized cybersecurity risk management framework across all State Executive Agencies. The Cybersecurity Risk Management Manager will drive the standardization of cybersecurity risk practices, ensure compliance with federal standards and guidelines, and establish a robust third-party risk management program. This position will architect and build from scratch a statewide cybersecurity risk management framework in a highly ambiguous environment, aligning with NIST 800-53, NIST 800-37 (RMF), and NIST CSF. This role will work closely with agency stakeholders to assess risk, implement mitigation strategies, and create a continuous monitoring structure that gives state leadership real-time visibility into the State's cyber risk posture. This position will also lead the development and execution of risk governance processes, coordinate risk assessments and reporting, and support the implementation of enterprise-wide cybersecurity initiatives aligned with federal and other relevant standards.

***This is a management service position which serves at the pleasure of the appointing authority***

POSITION DUTIES

Enterprise-Wide Risk Management Program
- Architect and build from scratch a statewide cybersecurity risk management framework in a highly ambiguous environment, aligning with NIST 800-53, NIST 800-37 (RMF), and NIST CSF.

- Act as an intrapreneur to independently conceptualize and develop risk management policies, procedures, and controls where processes are currently vague or non-existent, enhancing the security posture across Maryland’s digital infrastructure.

- Proactively problem-solve by conducting risk assessments, threat modeling, and security gap analyses across agencies, navigating undocumented environments without waiting for a playbook.

- Synthesize disparate data points and connect context to establish meaningful Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) that effectively measure risk levels and cybersecurity maturity.

- Provide strategic cybersecurity risk guidance to executive leadership and agency stakeholders, driving initiatives forward autonomously and adapting fluidly to emerging threats.

- Lead continuous monitoring efforts, determining lightweight, scalable solutions to proactively manage and mitigate risks.

Third-Party Risk Management Program
- Pioneer the development and implementation of a third-party/vendor risk management framework from the ground up, bringing structure to undefined processes while aligning with NIST 800-161 (Supply Chain Risk Management) and State of Maryland IT Security Policies.

- Creatively assess and solve complex security risks associated with cloud providers, contractors, and IT vendors, even when historical data or established procedures are lacking.

- Take ownership of figuring out the best scalable approach to establish vendor security assessments, contract security requirements, and ongoing compliance monitoring.

- Connect the dots across departments, partnering seamlessly with procurement and legal teams to integrate cybersecurity requirements into contracts and vendor agreements.

- Oversee vendor audits, penetration testing, and compliance assessments, acting decisively to mitigate third-party cybersecurity risks without waiting for explicit guidance.

Regulatory Compliance & Governance
- Navigate complex regulatory landscapes autonomously to ensure statewide cybersecurity, privacy, and AI compliance with applicable federal and state laws, regulations, and standards (MD COMAR, Senate and House Bills, NIST, etc.), translating rigid requirements into practical, actionable steps.

- Lead internal audits and risk reviews to assess cybersecurity effectiveness, bringing clarity and structured problem-solving to previously unassessed areas.

- Design innovative incident response strategies from a blank slate, coordinating agile risk mitigation efforts in response to dynamic cybersecurity threats.

- Absorb broad organizational context and collaborate with federal, state, and local agencies to strategically align our nascent risk management efforts with national cybersecurity standards.

MINIMUM QUALIFICATIONS

Education: A bachelor's degree from an accredited college or university in cybersecurity, information technology, or other related field.

Experience: Four years' experience creating/architecting, maintaining, and updating a risk management program(s) and processes that align with state and federal laws, regulations, and standards, and developing and updating cybersecurity policy, standards, and strategy in compliance with federal and state laws, regulations, and standards.

One of the four years’ experience must have been in a supervisory capacity.

Notes: Candidates may substitute the bachelor's degree with two additional years of the experience listed above.

DESIRED OR PREFERRED QUALIFICATIONS

Preference will be given to candidates who have experience in one or more of the following:
- Developing internal and external facing reports, documents, briefings, and surveys
- Briefing and consulting with Executive Leadership and Stakeholders

SELECTION PROCESS

Please make sure that you provide sufficient information on your application to show that you meet the qualifications for this recruitment. All information concerning your qualifications must be submitted by the closing date. We will not consider information submitted after this date. Successful candidates will be ranked as Best Qualified, Better Qualified, or Qualified and placed on the eligible (employment) list for at least one year.

BENEFITS

FURTHER INSTRUCTIONS

Online applications are highly recommended. However, if you are unable to apply online, the paper application and supplemental questionnaire may be submitted to: Department of Budget and Management, Recruitment and Examination Division, 301 W. Preston St., Baltimore, MD 21201. Paper application materials must be received in our office by the closing date for the recruitment. No postmarks will be accepted.

For questions regarding this recruitment, please contact the DBM Recruitment and Examination Division at Application.Help@maryland.gov or 410-767-4850, MD TTY Relay Service 1-800-735-2258.

We thank our Veterans for their service to our country.

People with disabilities and bilingual candidates are encouraged to apply.

As an equal opportunity employer, Maryland is committed to recruiting, retaining, and promoting employees who are reflective of the State's diversity.
