ECI

Principal Cybersecurity Risk Advisor

Hybrid
San Francisco, CA, USA
Senior level

ECI is the leading global provider of managed services, cybersecurity, and business transformation for mid-market financial services organizations across the globe.  From its unmatched range of services, ECI provides stability, security and improved business performance, freeing clients from technology concerns and enabling them to focus on running their businesses.  More than 1,000 customers worldwide with over $3 trillion of assets under management put their trust in ECI.  

At ECI, we believe success is driven by passion and purpose. Our passion for technology is only surpassed by our commitment to empowering our employees around the world.  

Position Summary

As a Principal Cybersecurity Risk Advisor, you will work alongside industry leaders across verticals to strengthen client security postures, drive compliance programs, and act as a trusted strategic partner to executive leadership. This is not a delegation role — you will own the work: writing policies, conducting assessments, leading audits, and advising boards. It is also not a typical consulting role: because ECI is the primary third-party technology provider to its clients, you will work directly with ECI's internal delivery teams to own client workflows end to end rather than handing recommendations off to someone else.

You will serve as a senior technical and advisory resource across a portfolio of complex client engagements, leading multi-framework compliance programs (CMMC, TISAX, NIST, ISO 27001, SOC 2, SEC) and helping clients translate evolving regulatory obligations into prioritized, actionable programs. If you can't get your hands dirty, this role isn't for you.

Responsibilities

Client Advisory & Program Leadership

  • Serve as a named senior advisor to client CTO, CISO, and executive leadership — owning strategic direction and day-to-day program execution across multiple engagements
  • Lead steering sessions, quarterly program reviews, and board-level risk briefings — preparing and delivering materials directly
  • Develop and maintain rolling GRC roadmaps aligned to client business priorities, regulatory calendars, and risk appetite
  • Translate complex regulatory and technical requirements into actionable, prioritized guidance for operational, technical, and executive stakeholders
  • Address ad hoc client security queries with timely, well-reasoned guidance, and build deep institutional knowledge of client environments, systems, and supply chains

Risk Management & Compliance

  • Develop and implement risk management strategies, maintaining enterprise GRC risk registers with hands-on identification, scoring, treatment, and reporting
  • Conduct thorough security architecture analyses, identifying vulnerabilities and proposing robust countermeasures; facilitate risk workshops and annual Security Program Reviews
  • Manage multi-framework compliance programs concurrently — CMMC Level 2 (including SSP, POA&M, SRM, SPRS scoring, and C3PAO coordination), TISAX (ISA self-assessment, ISMS), ISO 27001 (SoA, Annex A mapping), and others as client needs dictate
  • Own and drive full audit lifecycle management — pre-audit readiness, evidence collection, auditor liaison, post-audit remediation — across up to four certification engagements per year
  • Develop, review, and maintain client information security policy suites and procedures; update policies against SEC, NIST, CMMC, FTSE, ISO 27001, and other applicable standards


Vendor Risk & M&A Due Diligence

  • Own vendor due diligence programs including SOC 2 Type II analysis, security questionnaire reviews, risk scoring, and contractual flow-down verification
  • Lead GRC due diligence workstreams on M&A acquisition targets — assessing security posture, compliance gaps, and integration risk; produce diligence reports and post-acquisition integration roadmaps

Mentorship & Practice Development

  • Mentor team members, contributing to their professional growth and overall GRC practice capability
  • Contribute to internal practice development — maintaining and improving compliance playbooks, templates, and methodologies informed by client engagement learnings
  • Participate in internal QA and peer review processes to ensure quality and consistency across all client deliverables

Qualifications (Knowledge, Skills, Abilities)

  • 7–10+ years of experience in information security, GRC, or IT risk, with a track record of continuous growth in a consulting or advisory environment
  • At least 3 years in a client-facing advisory, vCISO, or principal consultant capacity — comfortable owning named client relationships at the C-suite level
  • Demonstrated, hands-on experience managing multi-framework compliance programs (CMMC, NIST, SOC 2, ISO 27001, TISAX, or similar) — not just familiarity in isolation
  • Experience supporting M&A transactions from a GRC/security perspective — due diligence, gap analysis, or integration planning
  • Previous consulting experience in financial services, healthcare, government, manufacturing, or DIB sectors preferred
  • Bachelor's degree in Computer Science, Information Systems, or related field required; advanced degree preferred

Preferred Qualifications

Certifications (two preferred)

  • CISSP — Certified Information Systems Security Professional
  • CISM — Certified Information Security Manager
  • CMMC Registered Practitioner (RP) or Certified Professional (CCP), or ability to obtain within 6 months
  • ISO/IEC 27001 Lead Implementer or Lead Auditor
  • CRISC or CISA advantageous

Technical & Framework Knowledge

  • Deep working knowledge of CMMC 2.0 (NIST SP 800-171 / 800-172), DFARS 252.204-7012, NIST CSF/RMF/SP 800-53, HITRUST, and SEC cybersecurity rules
  • TISAX requirements — ISA categories, maturity levels, VDA ISA control catalogue, and ENX assessment process
  • Strong understanding of security controls and best practices: MFA, Conditional Access, Least Privilege, Defense in Depth
  • Experience with endpoint and cloud security platforms (CrowdStrike, SentinelOne, Microsoft 365, Cisco); familiarity with GRC tooling (Vanta, Cynomi, Drata, Archer, ServiceNow GRC, or similar)
  • Constantly aware of evolving threat landscape and real-world events impacting client security posture

ECI’s culture is all about connection - connection with our clients, our technology and most importantly with each other.  In addition to working with an amazing team around the world, ECI offers a competitive compensation package and includes flexible PTO, benefit eligibility the first of the month, 401K with employer match and so much more!  If you believe you’d be a great fit and are ready for your best job ever, we’d like to hear from you!

Love Your Job, Share Your Technology Passion, Create Your Future Here!

Equal Opportunity Employer
This employer is required to notify all applicants of their rights pursuant to federal employment laws. For further information, please review the Know Your Rights notice from the Department of Labor.

Top Skills

Archer
Cisco
CMMC
CrowdStrike
Cynomi
Drata
ISO 27001
Microsoft 365
NIST
SentinelOne
ServiceNow GRC
SOC 2
TISAX
Vanta