Network Security Engineer, W2 role

NO C2C will work here. ONLY ON W2

Job Title: Network and Cybersecurity Architect
Term: 5 yrs /contract
Loc: Onsite in Albany NY
Start date: June 1 – will need time to screen/interview/onboard, etc.

Interviews:  Internal tech screen with Akkodis; interview with Skyline program mgr then final round w/NY State

Position Summary
NYSDOT is seeking an experienced Network Architect to support the design, evolution, security, and optimization of the network infrastructure that underpins business IT and operational technology (OT) environments.

The Network and Cybersecurity Architect will be responsible for developing, documenting, and implementing current and future state network and cybersecurity architectures, recommending technologies and standards, improving performance and resilience, and helping ensure that designs aligns with cybersecurity and operational requirements. This role requires strong knowledge of enterprise and industrial networking, routing and segmentation, security architecture, and the operational realities of critical infrastructure environments.

This position will also contribute to the architecture, engineering, and integration of cybersecurity capabilities commonly required in modern transportation and OT networks, including EDR, SIEM, firewalls, VPNs, IAM, NAC, vulnerability management, and related security controls.

Key Responsibilities
Network Design and Planning

• Develop and document network architectures that support the current and future needs of Regional TMCs, the STICC, and associated ITS, OT, and business environments.
• Evaluate, recommend, and configure network technologies and solutions, including WAN routing protocols such as OSPF and BGP, segmentation strategies, and resilient communications designs.
• Plan and support execution of consolidation and modernization initiatives to improve performance, maintainability, and operational efficiency.
• Define current state and future state network and cybersecurity architectures, standards, and roadmaps.
• Create and maintain architecture diagrams, data flow diagrams, and supporting technical documentation.

Security Architecture and Cybersecurity Engineering

• Work closely with the NYSDOT CISO to develop and implement comprehensive network and cybersecurity strategies.
• Recommend and deploy security designs that protect critical ITS and OT assets from cyber threats while preserving operational availability and safety.
• Lead or support vulnerability assessments of external IP addresses, internal network segments, and security architecture exposures, and develop remediation plans.
• Integrate threat intelligence feeds from MS-ISAC, NYSOC, and other approved sources into architectural and operational security processes.
• Design and configure recommendations for firewalls, VPNs, network segmentation, zero trust approaches, and secure remote access to sensitive environments.
• Support engineering and design decisions related to endpoint detection and response (EDR) platforms, ensuring endpoint telemetry and response capabilities are appropriately integrated with network and security operations.
• Support SIEM integration and design by helping ensure logs from network devices, firewalls, VPN concentrators, NAC systems, and security appliances are properly captured, normalized, and usable for monitoring and response.
• Contribute to the design and improvement of identity and access management (IAM) controls for administrative access, remote access, privileged access, and service authentication.
• Provide design guidance and configuration for network access control (NAC) solutions to improve device visibility, policy enforcement, and segmentation.
• Support secure design and placement of IDS/IPS, DNS security controls, secure management plane access, and monitoring infrastructure.

Technology Evaluation and Implementation

• Research and evaluate emerging networking and cybersecurity technologies and assess their applicability to the ITS and OT environment.
• Develop proof-of-concept initiatives and pilot programs to validate new technologies and approaches before broader deployment.
• Provide technical leadership and architectural guidance to network engineers and other technical staff.
• Evaluate vendor solutions for security, operational fit, lifecycle support, and interoperability with existing infrastructure.

Network Optimization and Performance Management

• Analyze network performance, utilization, and operational data to identify opportunities for optimization.
• Develop strategies to improve network reliability, scalability, resilience, and security.
• Support capacity planning, lifecycle planning, redundancy design, and performance tuning.
• Recommend improvements to routing, switching, segmentation, path diversity, and failover design.
• Help ensure that monitoring, alerting, and observability capabilities are aligned with operational and security needs.

Strategic Collaboration

• Work with the NYSDOT CISO, ETO leadership, network engineering staff, operations teams, and other stakeholders to ensure architecture decisions align with organizational goals and security requirements.
• Contribute to the development of network and cybersecurity standards, engineering patterns, and best practices for ITS and OT environments.
• Support collaboration between cybersecurity, networking, infrastructure, and operational teams.
• Help ensure that architecture recommendations are practical, supportable, and aligned with regulatory and policy expectations.

Minimum Qualifications

• Bachelor’s degree in computer science, information technology, engineering, or a related field, or equivalent experience.
• Extensive experience in network and cybersecurity architecture, engineering, and design.
• Strong understanding of TCP/IP, routing, switching, VLANs, WAN connectivity, network segmentation, and high availability design.
• Strong understanding of network security architecture and cybersecurity best practices.
• Experience with routing protocols such as EIGRP, OSPF and BGP.
• Experience designing and supporting firewalls, VPNs, IDS/IPS, and secure remote access solutions.
• Experience with SIEM, EDR, IAM, NAC, and other cybersecurity technologies is strongly preferred.
• Experience performing or supporting vulnerability assessments, remediation planning, and secure architecture reviews.
• Excellent analytical, problem-solving, documentation, and communication skills.
• Ability to work effectively with both technical teams and leadership stakeholders.
• Experience in critical infrastructure, transportation, public sector, industrial, or OT environments is highly desirable.

Preferred Certifications

• Industry certifications such as CCNP, CCIE, PCNSA, PCNSE, or similar are preferred.

Core Knowledge Areas
Candidates should demonstrate practical knowledge of:

• Enterprise and distributed network architecture
• WAN routing and resilient communications design
• OSPF, BGP, static routing, and route policy design
• Layer 2 and Layer 3 segmentation strategies
• Firewall architecture and policy design
• VPN design and secure remote access including SDWAN and SASE
• SIEM, SOAR, and security monitoring integration
• EDR architecture and endpoint telemetry strategy
• IAM and privileged access design
• NAC and device access enforcement
• Threat intelligence integration
• OT and critical infrastructure security principles
• Vulnerability management and remediation planning
• Network performance, capacity, and resilience engineering