Position: Senior Info Risk/Cyber Risk Management Consultant
Location: Washington, DC
Duration: Long term contract
Hybrid: Onsite one week (Tuesday through Thursday) per quarter, at the candidate's own expense
Logistics
The Selected Candidate May Work Remotely From
- Washington, DC, or any of the 50 states of the United States, except for one week (three days, Tuesday through Thursday) every quarter (i.e., every three months), during which the candidate must physically work from the HQ offices in Washington, DC.
The selected candidate must be available to work Eastern Time (ET) hours. The expectation is an eight-hour block per day, Monday to Friday, between 8 AM and 6 PM ET, for a total of 40 hours per week.
Job Summary
Under the general supervision of an Information Security Risk Manager, the Senior Security Consultant will provide specialized expertise in security risk management and technical assessment of:
- Operational Technology (OT) & Facilities Systems: Including Building Management Systems (BMS), HVAC, smart lighting, and power distribution.
- Physical Security & IoT Ecosystems: IP-based surveillance (CCTV), biometric access control, gym equipment telemetry, and hospitality IoT devices.
- Specialized Service Systems: High-end Audio-Visual (AV) integration, simultaneous language translation hardware/software, and automated catering/hospitality platforms.
- Converged Network Architectures: Securing the interface between traditional IT networks and specialized IoT/OT segments.
The candidate will work with Facilities, General Services, and external vendors to ensure that "Smart Building" and hospitality capabilities are resilient against cyber threats. The candidate must bring a pragmatic approach to securing non-traditional computing environments where standard security agents cannot always be installed.
Minimum Qualifications
Education
- Bachelor's degree in information security, computer science, engineering, mathematics, business, or related field of study plus a minimum of 10 years of relevant experience working as a technical information security risk manager or information security architect.
OR
- Advanced degree in Information Security, computer science, engineering, mathematics, business, or related field of study plus a minimum of 4 years of relevant experience working as a technical information security risk manager or information security architect.
Certifications (minimum required, plus at least two of the preferred)
- CISSP or CISM (minimum required)
- CCSP or other expert-level cloud security certification (preferred)
- GICSP (GIAC - Global Industrial Cyber Security Professional) (preferred)
- GRID (GIAC - Response and Industrial Defense) (preferred)
- ISA/IEC 62443 Cybersecurity Expert (preferred)
- Certified IoT Security Practitioner or similar vendor-neutral IoT certifications (preferred)
Experience Must Include
- Practical application of risk management frameworks and standards such as ISO 27001/2, ISO 27005, NIST SP 800-30, NIST CSF, COBIT, Purdue Model for ICS/OT security, NIST SP 800-82 and OT-relevant standards (e.g., IEC 62443).
- Ability to embed security and risk management into project lifecycles, vendor onboarding, service management, and operational processes.
- Strong understanding of third-party and supplier risk in managed service and facilities environments.
- Experience with cyber risk management, assessing and securing IoT and OT platforms, including embedded systems, sensors, controllers, PLC/SCADA environments, or large-scale IoT deployments and specialized appliances.
- Experience hardening non-traditional OS environments (e.g., embedded Linux, RTOS, Windows IoT).
- Deep knowledge of specialized protocols (e.g., BACnet, Modbus, Zigbee, MQTT, Dante, NDI).
- Expertise in securing Physical Security Information Management (PSIM) and AV-over-IP systems.
- Familiarity with OT/IoT architectures, proprietary protocols, and constrained devices, including lifecycle patching and availability considerations.
- Knowledge of modern cyber threats targeting physical, operational, and converged IT/OT environments.
- Cloud IoT Platform Experience: Azure IoT or AWS IoT or Google Cloud IoT (device provisioning, secure messaging, telemetry pipelines, digital twins).
Required Soft Skills
- Strategic Synthesis: Ability to bridge the gap between "hard-hat" facilities management and "keyboard-focused" cybersecurity. Strong analytical skills with the ability to synthesize technical, operational, and business inputs into clear risk assessments. Ability to balance security requirements with operational safety, reliability, and user experience.
- Effective Communication: Excellent communication skills, including the ability to explain complex technical risks to non-technical stakeholders such as facilities, security, and business leaders. Ability to explain cyber risks to Facilities Managers, Gym Coordinators, and Event Planners in non-technical language.
- Resilience: Ability to work independently and collaboratively under pressure, managing multiple priorities and deadlines. Ability to manage tight deadlines during large-scale office renovations or high-profile international conferences.
- Strong interpersonal and relationship-management skills across diverse stakeholder groups.
- High level of integrity, professionalism, and discretion.
Overview
Major Duties and Responsibilities
Function as a senior individual contributor providing cybersecurity risk management expertise for IoT and OT systems supporting facilities, physical security, audio-visual, hospitality, gymnasium, and language services.
IoT / OT Risk Management and Assurance
- Conduct risk assessments for new and existing IoT/OT deployments, including architecture reviews, threat modeling, and control adequacy assessments.
- Define and assess security control requirements for IoT/OT environments, considering availability, safety, vendor constraints, and lifecycle management.
Governance, Standards, and Controls
- Contribute to the development and maintenance of security standards, baselines, and guidelines specific to IoT and OT systems.
- Assess compliance with applicable security policies and standards relevant to operational technologies.
- Support the definition and enforcement of network segmentation, access control, monitoring, and remote access controls for OT environments.
Third-Party and Service Provider Risk
- Assess cybersecurity risks associated with third-party vendors and managed service providers delivering IoT/OT solutions.
- Support contract reviews, security requirements definition, and exception management for OT-related services.
Advisory and Stakeholder Engagement
- Advise project teams, facilities management, and business stakeholders on secure design and operation of IoT/OT systems.
- Provide pragmatic, risk-based recommendations that balance security with operational continuity and user experience.
Collaboration and Continuous Improvement
- Collaborate with security architecture, security assurance, physical security, and IT operations teams to ensure consistent risk treatment.
- Maintain impartiality and independence when reporting on IoT/OT security risks and control gaps.
- Identify opportunities to improve processes, governance, and technical controls related to operational technologies.
- Support awareness and training efforts to improve understanding of IoT/OT security risks among technical and non-technical stakeholders.