JOB SUMMARY
Citadel Electric Group is hiring a Director, Information Security & Compliance to own both physical and cyber information security, federal compliance, and IT governance for a growing 200+ employee electrical contractor with significant commercial, industrial, and federal work. This is a hands-on leadership role, not a detached advisory seat. On the cyber side, the Director will lead CMMC Level 2 and NIST SP 800-171 readiness, define and protect Citadel's CUI environment, strengthen Microsoft 365 security controls, supervise internal IT, manage the MSP relationship, and produce audit-ready evidence for customers and assessors. On the physical side, the Director will own company-wide physical security — facility and controlled-area access control, surveillance and alarm systems, visitor management, and physical protection of CUI and IT assets — and extend that discipline to the yard, warehouse, equipment, fleet, and active jobsites.
The right person will bring order, accountability, and discipline to IT and cyber without building a bureaucracy that slows the business down. We need practical, right-sized security that fits a 250+ employee construction company and scales with us.
ESSENTIAL JOB DUTIES
- Federal Compliance & CMMC - Own CMMC Level 2 readiness and assessment preparation; maintain the SSP, POA&M, SPRS score, CUI boundary, and control evidence; coordinate with assessors, federal customers, counsel, the MSP, and internal stakeholders; support Citadel's obligations under DFARS 252.204-7012, 7019, 7020, and 7021.
- Cybersecurity Program Operations - Build and operate the security program: policies and procedures, risk register, incident response, security awareness training, vendor and supply-chain risk, access governance, asset inventory, and recurring control reviews.
- Physical Security (Company-Wide) - Own physical security across all Citadel locations and operations: facility and controlled-area access control and badging, visitor management, surveillance/CCTV, intrusion and alarm systems, and clean-desk/CUI-area controls (NIST SP 800-171 Physical Protection family). Extend physical security to the yard, warehouse, equipment storage, fleet/vehicles, and active jobsites in partnership with Operations and Safety. Manage physical-security vendors (alarm, CCTV, access-control integrators, monitoring) and lead physical incident response (break-ins, theft, tampering) as part of the overall security program.
- IT Governance & Planning - Create and maintain an annual IT/cyber roadmap; help prioritize budget, lifecycle, backup/recovery, logging, endpoint, identity, and infrastructure decisions; make sure material technology changes are reviewed, approved, documented, and tied to business risk.
- Microsoft 365 Security Oversight - Review and validate configurations across Entra ID, Conditional Access, MFA, Intune, Defender, Purview, logging, administrative roles, and secure administration practices. This is not primarily a tenant-admin role, but the Director must know what good looks like and be able to challenge the MSP when needed.
- Incident Response & Issue Resolution - Lead cybersecurity incidents and major IT-risk events from triage through root-cause analysis, corrective action, executive communication, documentation, and customer or regulatory reporting where required.
- Audit-Ready Evidence - Maintain the compliance evidence repository; define documentation standards for internal IT and MSP work; require tickets, approvals, screenshots, exports, policies, procedures, and configuration records sufficient to stand up to assessment.
- IT Supervision & MSP Oversight - Directly supervise the internal IT Administrator; own the MSP relationship as a security and engineering partner; hold vendors accountable for outcomes, responsiveness, documentation, and secure execution.
MINIMUM QUALIFICATIONS
- Must be a U.S. person as defined under applicable export-control regulations due to potential access to CUI and ITAR/EAR-controlled technical data.
- Clear background check and ability to meet applicable federal customer requirements.
- Eight or more years of progressive IT security, cybersecurity, compliance, infrastructure, or risk-management experience, including at least three years in a senior, lead, or management capacity.
- Direct experience leading or materially supporting CMMC Level 2, NIST SP 800-171, DFARS 7012, SPRS, DIBCAC, C3PAO, or comparable federal-contractor cybersecurity readiness efforts.
- Working knowledge of NIST SP 800-171; familiarity with NIST 800-53 and the NIST Cybersecurity Framework.
- Practical experience with Microsoft 365 / Entra / Intune / Defender / Purview as a security and compliance platform.
- Experience implementing or overseeing physical security controls — facility access control/badging, surveillance/CCTV, alarm/intrusion, visitor management, and physical protection of sensitive assets.
- Experience supervising internal IT personnel, managing an MSP, or leading technical vendors through accountable delivery.
- Track record of leading security incidents or high-risk IT issues and producing defensible documentation.
- Strong written and verbal communication with executives, field supervisors, project teams, tradespeople, vendors, and assessors.
- One or more of CISSP, CISM, CRISC, Security+, CMMC CCP, CMMC RP, CCA, or equivalent demonstrated experience.
PREFERRED QUALIFICATIONS
- Successful CMMC Level 2 assessment outcome at a prior employer or client; prior C3PAO or DIBCAC engagement experience.
- Physical security credential or background — ASIS Physical Security Professional (PSP), Certified Protection Professional (CPP), or equivalent hands-on physical security program experience, ideally across multiple or distributed sites.
- In-house experience at a federal contractor, defense supplier, DIB-adjacent organization, construction company, manufacturing company, or engineering services firm.
- GCC, GCC High, or other compliant Microsoft 365 environment experience.
- ITAR / EAR familiarity.
- Experience creating right-sized security programs in mid-sized operating businesses, not only large enterprise or pure technology environments.
CANDIDATE FIT
This person must be comfortable operating between ownership, operations, project teams, HR, outside counsel, MSP engineers, federal customers, assessors, and physical-security vendors. The role requires someone who can write a policy in the morning, challenge an Entra ID configuration after lunch, walk the yard to fix a badge-access gap before close, and explain the risk to ownership without hiding behind acronyms. The right candidate is direct, organized, technically credible, documentation-minded, and willing to do the work.
WHAT THIS ROLE IS NOT
- Not a pure CIO role: application strategy and broad enterprise-technology transformation are not the primary mission.
- Not a passive compliance role: the Director must read configurations, validate controls, walk sites, run incidents, and produce evidence.
- Not a help desk manager role: the Director supervises IT, but the mission is security (physical and cyber), compliance, risk reduction, IT governance, and federal readiness.
- Not a consultant-only role: Citadel needs an accountable internal owner who will make decisions, follow through, and hold vendors accountable.
COMPENSATION
Competitive base salary commensurate with experience, performance bonus opportunity, company provided health insurance and 401k with generous safe harbor and profit sharing contributions. Target range to be discussed with finalists.
SAFETY
It is Citadel Electric Group, Inc.'s policy to require safe operations and practices from all employees and to ensure our management team focuses on maintaining a safe working environment, including when work occurs in hazardous construction environments.
APPEARANCE
Business casual.
TRAVEL
Primarily local during the business day. Occasional out-of-area or overnight travel for project sites, federal customer engagements, vendor meetings, and CMMC assessment activities.
HOW TO APPLY
Apply directly through this posting. We review applications on a weekly basis.
EQUAL EMPLOYMENT OPPORTUNITY
Citadel Electric Group, Inc. is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other characteristic protected by law. The U.S.-person requirement stated above is based on U.S. export-control obligations (ITAR/EAR) and applicable federal contract requirements.
Benefits:
- 401(k)
- Health insurance
- Vision insurance
Experience:
- NIST standards: 5 years (Preferred)
License/Certification:
Work Location: In person