Specialist Cybersecurity Risk & Compliance Analyst
Location: Birmingham, AL or Atlanta, GA
Onsite 4 days per week.
Job Description
Southern Company’s Cybersecurity organization is committed to reducing risk using a threat-informed approach, enhancing the cyber resilience of Southern Company while delivering clean, safe, reliable, and affordable energy to the communities we serve.
Position Overview:
Southern Company, a major U.S. energy firm, is seeking a cybersecurity professional to reduce risk as part of the Cybersecurity Assurance Team. This hybrid role reports directly to the Company’s Senior Manager for Cybersecurity Assurance. This position is an analyst role responsible for assessing cyber security risk across multiple business units, managing compliance programs linked to applicable Federal cyber security directives/regulations, managing third party penetration testers, and engaging externally with key industry partners/organizations both as advocate and educator. The analyst will combine solid business knowledge, strong understanding of cybersecurity principles, and close familiarity with Federal requirements to reduce cybersecurity and business risk over time. Up to 20% travel may be required.
In-office presence four days a week is expected either in Atlanta or Birmingham.
Job Responsibilities:
- Serve as the lead in performing and coordination of cyber security assessments throughout the company.
+ Department of War (DoW) Cybersecurity Maturity Model Certification (CMMC)
+ Department of Homeland Security Safety Act
+ NIST Cyber Security Framework
+ DoW Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012, Safeguarding Covered Defense Information and Cyber Incident Reporting and DFARS 252.204.7021 contractor compliance with the cybersecurity maturity model certification level requirements (Nov 2025)
+ Edison Electric Institute (EEI) Culture of Security
+ Adversarial assessments (penetration tests)
- Perform analysis of assessment findings
+ Perform or coordinate related remediation by technology stewards and/or recommend investments to address identified cybersecurity gaps/risk
- Manage CUI compliance program with and all required reporting for DFARS 252.204‑7021, Contractor Compliance with the CMMC Level Requirements
+ Consult/collaborate with inside and external Counsel regarding CUI requirements
+ Respond to requests from prime contracting officers on matters relating to CUI scope
- Manage External Enclave used for sharing Controlled Unclassified Information with business and Federal partners, including the enforcement of all required configuration(s), compliance attestations, reporting, and licensing
- Perform Department of War Cyber Incident Reporting as required
- Serve as the Cyber Liaison for the Company’s Federal Energy Services group
- Keep senior leadership apprised of pending state regulations pertaining to cybersecurity and impacting utilities; provide Southern Company response to proposed state legislation
- Provide briefings to senior leadership and external stakeholders in a way that links technical and business risk to drive prioritization of effort and investment decisions
- External Engagement/executive support (NOTE: Requires face to face meetings and travel, up to 20%)
+ Interact with external organizations such as state Public Service Commissions, State representatives, other utilities, trade organizations, and federal partners in representing Southern Company’s cyber security practice.
+ Represent Southern Company by presenting or speaking at various federal conferences
+ Influence the utility industry’s creation, adoption and implementation of information security practices by participating in industry forums, events, and committees
- Participate in the EEI Peer Review process
- Lead cross-functional efforts for monitoring and maintaining compliance of security controls associated with Federal projects
- Build and maintain strategic partnerships with key business stakeholders; collaborate closely with solution owners from the business and Technology Organization, seeking to understand business imperatives while educating them as needed regarding relevant requirements and controls
- Support cross-functional teams to investigate, analyze, and make recommendations to leadership on current cybersecurity strategy
- Provide internal cybersecurity expertise by defining and influencing appropriate policies, technologies, processes and controls to reduce risk
- Maintain current knowledge of information security concepts, technologies, and adversary tactics
Requirements and qualifications:
+ CMMC Certified Professional (CCP) certification
+ 8+ years of experience in infrastructure or network engineering, security operations, security risk analysis, cybersecurity governance, or security architecture
+ Bachelor’s degree or equivalent applicable experience
+ One or more of the following certifications: CISSP, CCSP, CISM, CASP, GCIP, GCCC
+ Familiarity with:
* NARA CUI registry,
* FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
* NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
* DOD Manual 5200.01 Volumes 1-3
+ Must pass both Insider Threat Program background checks and North American Electric Reliability Corporation Critical Infrastructure Protection (CIP) Personnel Risk Assessment
+ Demonstrated ability to manage a program/process/project across multiple teams in multiple disciplines
+ Demonstrated critical, independent thinking; demonstrated ability to conceive and present creative solutions
+ Knowledge and understanding of information security concepts and best practices
+ Working, hands-on familiarity with federal cyber security requirements and environments
+ Demonstrated experience in working with senior stakeholders across various lines of business
+ Able to obtain and maintain a SECRET security clearance
- Prior experience desired promoting security as a business enablement function using documentation, metrics, and strong verbal communication
- Strong technical consulting experience: ability to understand business requirements and present appropriate solutions to a non-technical audience
- Energy industry experience
- CMMC Certified Assessor (CCA) certification
- Working familiarity with information security frameworks (e.g. COBIT, NIST, OWASP, NIST CSF, CIS, MITRE ATT&CK)
This position falls under the company’s Insider Threat Program and will have access to, and control over sensitive data, systems or assets. Enhanced personnel screening, which includes a background review, drug screen and psychological assessment, will be required if you are selected for this position
About Southern Company
Southern Company (NYSE: SO ) is a leading energy provider serving 9 million customers across the Southeast and beyond through its family of companies. Providing clean, safe, reliable and affordable energy with excellent service is our mission. The company has electric operating companies in three states, natural gas distribution companies in four states, a competitive generation company, a leading distributed energy solutions provider with national capabilities, a fiber optics network and telecommunications services. Through an industry-leading commitment to innovation, resilience and sustainability, we are taking action to meet customers' and communities' needs while advancing our goal of net-zero greenhouse gas emissions by 2050. Our uncompromising values ensure we put the needs of those we serve at the center of everything we do and are the key to our sustained success. We are transforming energy into economic, environmental and social progress for tomorrow. Our corporate culture has been recognized by a variety of organizations, earning the company awards and recognitions that reflect Our Values and dedication to service. To learn more, visit www.southerncompany.com .
Southern Company invests in the well-being of its employees and their families through a comprehensive total rewards strategy that includes competitive base salary, annual incentive awards for eligible employees and health, welfare and retirement benefits designed to support physical, financial, and emotional/social well-being. This position may also be eligible for additional compensation, such as an incentive program, with the amount of any bonus/awards subject to the terms and conditions of the applicable incentive plan(s). A summary of the benefits offered for this position can be found here https://seo.nlx.org/southernco/pdf/SOCO-Benefits.pdf . Additional and specific details about total compensation and benefits will also be provided during the hiring process.
Southern Company is an equal opportunity employer where an applicant's qualifications are considered without regard to race, color, religion, sex, national origin, age, disability, veteran status, genetic information, sexual orientation, gender identity or expression, or any other basis prohibited by law.
Job Identification: 17564
Job Category: Cybersecurity
Job Schedule: Full time
Company: Southern Company Services
