Cybersecurity Policy Manager

State of Maryland, Anne Arundel, MD

About The Position

As the state’s IT leader, DoIT manages information technology and telecommunications services and provides critical support to state agencies, the Executive Office of the Governor, coordinating offices, and independent Executive Branch agencies. The agency provides cybersecurity, digital, data governance, AI enablement, infrastructure, and platform services to its partner agencies, ensuring the State of Maryland is more secure, productive, and accessible.

Grade

STD 0025

Location of Position

100 Community Place, Crownsville, MD 21032

Main Purpose of Job

The Cybersecurity Risk Management Manager is an integral part of the Maryland Department of Information Technology (DoIT) leadership team. This position will lead and oversee the development and implementation of a centralized cybersecurity risk management framework across all State Executive Agencies. The Cybersecurity Risk Management Manager will drive the standardization of cybersecurity risk practices, ensure compliance with federal standards and guidelines, and establish a robust third-party risk management program. This position will architect and build from scratch a statewide cybersecurity risk management framework in a highly ambiguous environment, aligning with NIST 800-53, NIST 800-37 (RMF), and NIST CSF. This role will work closely with agency stakeholders to assess risk, implement mitigation strategies, and create a continuous monitoring structure that provides real-time visibility into the state's cyber risk posture for state leadership. This position will also lead the development and execution of risk governance processes, coordinate risk assessments and reporting, and support the implementation of enterprise-wide cybersecurity initiatives aligned with federal and other relevant standards. This is a management service position which serves at the pleasure of the appointing authority.

Requirements

  • A bachelor's degree from an accredited college or university in cybersecurity, information technology, or other related field.
  • Four years’ experience in creating/architecting, maintaining, and updating risk management program(s) and processes that align with state and federal laws, regulations, and standards.
  • Experience developing and updating cybersecurity policy, standards, and strategy in compliance with federal and state laws, regulations, and standards.
  • One of the four years’ experience must have been in a supervisory capacity.
  • Candidates may substitute the Bachelor’s degree with two additional years of experience listed above.

Nice To Haves

  • Developing internal and external facing reports, documents, briefings, and surveys
  • Briefing and consulting with Executive Leadership and Stakeholders

Responsibilities

  • Architect and build from scratch a statewide cybersecurity risk management framework in a highly ambiguous environment, aligning with NIST 800-53, NIST 800-37 (RMF), and NIST CSF.
  • Act as an intrapreneur to independently conceptualize and develop risk management policies, procedures, and controls where processes are currently vague or non-existent, enhancing the security posture across Maryland’s digital infrastructure.
  • Proactively problem-solve by conducting risk assessments, threat modeling, and security gap analyses across agencies, navigating undocumented environments without waiting for a playbook.
  • Synthesize disparate data points and connect context to establish meaningful Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) that effectively measure risk levels and cybersecurity maturity.
  • Provide strategic cybersecurity risk guidance to executive leadership and agency stakeholders, driving initiatives forward autonomously and adapting fluidly to emerging threats.
  • Lead continuous monitoring efforts, determining lightweight, scalable solutions to proactively manage and mitigate risks.
  • Pioneer the development and implementation of a third-party/vendor risk management framework from the ground up, bringing structure to undefined processes while aligning with NIST 800-161 (Supply Chain Risk Management) and State of Maryland IT Security Policies.
  • Creatively assess and solve complex security risks associated with cloud providers, contractors, and IT vendors, even when historical data or established procedures are lacking.
  • Take ownership of figuring out the best scalable approach to establish vendor security assessments, contract security requirements, and ongoing compliance monitoring.
  • Connect the dots across departments, partnering seamlessly with procurement and legal teams to integrate cybersecurity requirements into contracts and vendor agreements.
  • Oversee vendor audits, penetration testing, and compliance assessments, acting decisively to mitigate third-party cybersecurity risks without waiting for explicit guidance.
  • Navigate complex regulatory landscapes autonomously to ensure statewide cybersecurity, privacy and AI compliance with applicable and relevant federal and state laws, regulations and standards (MD COMAR, Senate & House Bills, NIST, etc.), translating rigid requirements into practical, actionable steps.
  • Lead internal audits and risk reviews to assess cybersecurity effectiveness, bringing clarity and structured problem-solving to previously unassessed areas.
  • Design innovative incident response strategies from a blank slate, coordinating agile risk mitigation efforts in response to dynamic cybersecurity threats.
  • Absorb broad organizational context and collaborate with federal, state, and local agencies to strategically align our nascent risk management efforts with national cybersecurity standards.

Benefits

  • STATE OF MARYLAND BENEFITS