Technical Specialist​/Security Subject Matter Expert; SME - State

The Technical Specialist / Security Subject Matter Expert (SME) will serve as the lead cybersecurity authority supporting Suffolk County’s Department of Information Technology (DoIT) Governance, Risk, and Compliance (GRC) initiatives.

This role is responsible for ensuring the County’s cybersecurity posture meets all applicable federal, state, and local laws, regulations, and frameworks
, with a focus on NIST 800-series
, CIS Controls
, and ISO 27001 standards.

The Security SME will work closely with DoIT leadership to assess risk, establish compliant security baselines, and guide the development and implementation of robust information security policies, standards, and processes.

• Serve as the County’s cybersecurity governance and compliance lead
  , providing expert guidance on IT security frameworks, controls, and best practices.
• Identify and interpret cybersecurity laws, regulations, and standards applicable to County operations (e.g., NYS ITS policies, CJIS, HIPAA, NIST).
• Develop, update, and enforce cybersecurity policies, standards, and procedures based on the NIST Cybersecurity Framework (CSF) and related standards.
• Define and oversee risk-based compliance audits
  , risk tracking, and risk mitigation plans.
• Establish processes for documenting and managing risk exceptions and remediation activities.
• Conduct assessments and audits of the County’s IT systems, applications, and infrastructure to identify security gaps and recommend improvements.
• Support security awareness
  , training, and program development for staff and system owners.
• Collaborate with other DoIT teams on incident response planning
  , business continuity
  , and disaster recovery initiatives
  .
• Provide technical security advisory support for procurements, RFPs, and new system integrations.
• Prepare detailed reports, executive summaries, and compliance documentation for County leadership and auditors.

• Bachelor’s Degree in Computer Science, Information Security, or related field (Master’s preferred).
• 10+ years of professional experience in IT security, including at least 5 years in GRC, policy development, and risk management roles.
• Deep understanding of NIST 800-53, NIST CSF, ISO 27001, CIS Controls
  , and other relevant standards.
• Demonstrated experience creating and implementing organizational cybersecurity frameworks and risk programs.
• Proven ability to conduct audits, document risk findings, and support continuous compliance.
• Strong understanding of network, cloud, and endpoint security controls
  .
• Excellent communication skills — able to explain technical concepts to executive stakeholders.

• CISSP (Certified Information Systems Security Professional)
• CISM (Certified Information Security Manager)
• CISA (Certified Information Systems Auditor)
• CRISC, CGRC, or CASP+
• NIST Cybersecurity Framework Practitioner or similar