1. What is a Security Engineer at Burns & McDonnell?
The Security Engineer role at Burns & McDonnell—often situated within the 1898 & Co. security and risk consulting practice—is distinct from typical corporate IT security roles. Here, your work directly intersects with the physical world. You are not just protecting data; you are safeguarding the critical infrastructure that powers cities, runs manufacturing plants, and secures federal assets. This position bridges the gap between Information Technology (IT) and Operational Technology (OT), focusing on Industrial Control Systems (ICS) and SCADA environments.
In this role, you will act as a technical consultant and a hands-on engineer. You will assist clients in designing secure network architectures, conducting vulnerability assessments on industrial systems, and navigating complex compliance frameworks like NIST RMF. The impact of your work is tangible: you help prevent cyberattacks that could disrupt power grids, water systems, or transportation networks.
For a candidate, this means the role demands a dual mindset. You must possess the technical rigor to harden PLCs and firewalls while maintaining the consulting soft skills required to communicate risk to non-technical stakeholders. You are joining an employee-owned firm known for its commitment to "serving humanity by improving the safety, security, and reliability of the world’s critical infrastructure."
2. Getting Ready for Your Interviews
Preparation for Burns & McDonnell requires a shift in perspective. While technical proficiency is the baseline, the interview team is equally focused on your ability to operate in a consulting environment and your cultural fit within an employee-owned company.
You will be evaluated on the following key criteria:
OT/ICS Domain Knowledge – This is the differentiator for this role. Interviewers will assess your understanding of how security principles apply to industrial environments (OT) versus standard corporate networks (IT). You must demonstrate knowledge of SCADA systems, PLCs, and the unique availability requirements of critical infrastructure.
Consulting & Communication – Because this is often a client-facing role, you must be able to articulate complex security concepts to diverse audiences. Evaluators look for clarity, professionalism, and the ability to write detailed reports and documentation (such as POA&Ms) effectively.
Regulatory & Compliance Fluency – A significant portion of the work involves adhering to federal and industry standards. You should demonstrate familiarity with frameworks like the NIST Cybersecurity Framework (CSF) and the Risk Management Framework (RMF), as well as tools like eMASS.
Cultural Fit & Employee Ownership – Burns & McDonnell is 100% employee-owned, fostering a culture of accountability and collaboration. Interviewers look for candidates who are self-starters, eager to take ownership of their projects, and willing to collaborate across different divisions.
3. Interview Process Overview
The interview process for the Security Engineer position is structured, efficient, and rigorous. Based on recent candidate experiences, the process is designed to filter for communication skills early on before diving deep into technical and behavioral assessments with the team you would actually work with.
You should expect the process to begin with a digital, one-way video interview. This is a recorded session where you answer pre-set questions without an interviewer present. While some candidates find this format "challenging" or "unnatural," it is a critical step for the hiring team to gauge your communication style and initial technical thought process. If you pass this stage, you will move to the core of the evaluation: a panel interview. This typically involves 4–5 managers and senior engineers from the business and technology groups. This round is comprehensive, covering behavioral questions, technical scenarios, and role-specific knowledge in a single, intense session.
The company values efficiency. Candidates often report a well-organized process where recruiters stay in touch, and the timeline from application to the final rounds can move relatively quickly compared to industry norms. The philosophy here is practical: they want to see if you can do the work and if you fit the team dynamic.
The visual timeline above highlights the streamlined nature of the process. Note that the "Recorded Video Screen" is a major gatekeeper; treat it with the same seriousness as a live conversation. The final "Panel Interview" is your opportunity to meet your future peers—bring your highest energy to this stage, as it is often the deciding factor.
4. Deep Dive into Evaluation Areas
To succeed, you must prepare for a blend of standard cybersecurity questions and specialized industrial security scenarios. The interview panel will probe the depth of your knowledge to ensure you can handle the high-stakes environment of critical infrastructure.
Operational Technology (OT) & ICS Security
This is the most critical technical area. You must understand the distinction between IT (focused on Confidentiality) and OT (focused on Availability and Safety).
Be ready to go over:
- The Purdue Model – Understanding network segmentation in industrial control systems.
- ICS Protocols – Familiarity with Modbus, DNP3, or BACnet and why they are insecure by design.
- Asset Hardening – How to secure PLCs and HMIs without disrupting operations.
- Advanced concepts – Data diodes, unidirectional gateways, and specific SCADA vulnerabilities.
Example questions or scenarios:
- "How does your approach to patching a server differ from patching a PLC in a live production environment?"
- "Explain the difference between IT security priorities and OT security priorities."
- "Describe a time you had to secure a legacy system that could not be taken offline."
Regulatory Compliance & Frameworks
Since many clients are in the federal or utility sectors, compliance is not optional—it is the product.
Be ready to go over:
- NIST RMF & CSF – The steps of the Risk Management Framework and how to apply the Cybersecurity Framework.
- Documentation – Writing Plans of Action and Milestones (POA&Ms) and System Security Plans (SSPs).
- eMASS – Experience with or understanding of the Enterprise Mission Assurance Support Service (used by federal clients).
Example questions or scenarios:
- "Walk me through the steps of the NIST Risk Management Framework."
- "How would you categorize a system based on its impact level?"
- "What is your experience with eMASS or similar compliance repositories?"
Network Security & Architecture
You will be expected to demonstrate strong fundamentals in network defense, specifically how they apply to securing boundaries between zones.
Be ready to go over:
- Firewall Configuration – Rulesets, ACLs, and Next-Gen Firewall (NGFW) features.
- Vulnerability Assessment – Tools and techniques for scanning networks (e.g., Nessus) and interpreting results.
- Penetration Testing – Methodologies for testing web applications and network perimeters.
Example questions or scenarios:
- "How would you design a secure remote access solution for an off-site engineer accessing the control network?"
- "Describe the process of a vulnerability assessment from scanning to reporting."
- "Explain the TCP/IP handshake and where attacks can occur during the process."
5. Key Responsibilities
As a Security Engineer at Burns & McDonnell, your day-to-day work is dynamic and project-based. You are not simply monitoring a SIEM; you are actively building and assessing security programs.
You will support the execution of projects that range from network penetration testing and vulnerability assessments to secure system design. A major part of your role involves hands-on implementation, such as configuring firewalls, hardening servers and workstations, and securing Programmable Logic Controllers (PLCs) at client sites. You will frequently collaborate with other engineering divisions to integrate cybersecurity into the design of physical infrastructure projects from the ground up.
Documentation and compliance are also central to your responsibilities. You will develop technical artifacts like dataflow diagrams, control listings, and POA&Ms. For federal clients, you will assist in uploading these artifacts into systems like eMASS to support accreditation packages. Whether you are performing a post-event analysis of an unusual network event or presenting a risk assessment to a client, your goal is to ensure the resilience and safety of the systems you protect.
6. Role Requirements & Qualifications
Successful candidates typically possess a mix of formal education, certifications, and specific technical exposure.
Must-have skills:
- Educational Background: A Bachelor’s degree in Cybersecurity, Computer Science, Electrical Engineering, or a related field (or equivalent experience).
- Core Technical Knowledge: Strong understanding of firewalls, access control, authentication, and network protocols.
- Framework Familiarity: Working knowledge of NIST CSF and RMF.
- Communication: Excellent written and verbal skills are non-negotiable due to the consulting nature of the role.
Nice-to-have skills:
- Certifications: Industry-recognized certifications such as GICSP (Global Industrial Cyber Security Professional), CISSP, Security+, or CEH are highly valued.
- OT Experience: Direct experience with ICS/SCADA systems, utilities, oil & gas, or manufacturing environments.
- Federal Experience: Prior experience with eMASS or federal accreditation processes.
7. Common Interview Questions
The questions below are representative of what you might face. They are drawn from candidate reports and the specific technical demands of the role. Expect a mix of behavioral questions (often used in the initial recorded interview) and technical deep-dives (in the panel interview).
Behavioral & Situational
- "Tell me about a time you had to explain a complex technical issue to a non-technical stakeholder."
- "Describe a situation where you had to work under tight deadlines. How did you prioritize?"
- "Tell me about a time you identified a security risk that others had overlooked."
- "How do you handle conflict within a team when you disagree on a technical approach?"
- "Why do you want to work for Burns & McDonnell specifically?"
Technical: OT & Infrastructure
- "What are the primary differences between securing an IT environment versus an OT environment?"
- "How would you approach a vulnerability assessment on a live SCADA network?"
- "Explain the concept of 'Defense in Depth' and how you would apply it to a substation network."
- "What ports would you expect to see open on a web server versus a Modbus device?"
Compliance & Frameworks
- "Walk us through the RMF process. Which step do you find most critical?"
- "How do you determine the impact level of a system?"
- "What is a POA&M, and how do you manage it effectively?"
These questions are based on real interview experiences from candidates who interviewed at this company. You can practice answering them interactively on Dataford to better prepare for your interview.
8. Frequently Asked Questions
Q: How difficult is the interview process? Most candidates describe the difficulty as medium to difficult. The initial recorded interview is straightforward but can feel awkward. The panel interview is the real challenge, as you will face multiple experts asking detailed questions about both your technical skills and your problem-solving approach.
Q: Is this a remote position? While some work can be done remotely, this is a consulting role that often deals with physical infrastructure. The job description notes that you may need to operate in on-site industrial, corporate, and government environments. Expect travel to client sites for assessments and implementation.
Q: What is the "recorded interview" like? You will likely be given a prompt on screen and a set time to prepare and record your answer. There is no human on the other end. The best approach is to treat the camera like a person: maintain eye contact, smile, and speak clearly. Have your "STAR" method stories prepared in advance so you don't freeze.
Q: What makes a candidate stand out? Beyond technical skills, candidates who show a passion for critical infrastructure protection stand out. Showing that you understand the "why" behind the work—protecting the grid, ensuring safety—resonates deeply with the company's mission.
9. Other General Tips
- Understand the "Employee-Owned" Culture: Burns & McDonnell is an ESOP (Employee Stock Ownership Plan) company. This means every employee acts like an owner. In your interview, demonstrate that you are proactive, accountable, and care about the long-term success of the company and its clients.
- Focus on Safety: In the industrial world, safety is paramount. When answering technical questions, always acknowledge the physical safety implications of your cybersecurity decisions (e.g., "I wouldn't just patch this PLC immediately because it could trip the plant and cause a safety incident").
- Prepare for the "One-Way" Format: Since the first step is often a recorded video interview, practice recording yourself answering standard behavioral questions. Watch the playback to check your lighting, audio, and body language.
- Know Your Audience: In the panel interview, you will likely speak to both technical leads and project managers. Adjust your language accordingly—get technical when needed, but pivot to business impact and risk management when speaking to managers.
10. Summary & Next Steps
Securing a position as a Security Engineer at Burns & McDonnell is an opportunity to work at the cutting edge of industrial cybersecurity. You will be tasked with protecting the systems that society relies on every day, from power grids to water treatment facilities. This role offers a unique blend of technical engineering challenges and high-level consulting, all within a supportive, employee-owned culture.
To prepare, focus heavily on bridging your IT security knowledge with OT principles. Review the NIST frameworks, understand the constraints of industrial control systems, and practice articulating your experience clearly. The process is efficient but rigorous, starting with a digital screen and culminating in a comprehensive panel interview. Approach each step with confidence, demonstrating not just your technical capability, but your commitment to safety and client success.
The compensation data above provides a baseline for the role. Keep in mind that as an employee-owned company, total compensation at Burns & McDonnell often includes significant bonuses and stock ownership contributions (ESOP), which can be a major part of the long-term financial package.
With focused preparation on both the technical nuances of ICS security and the behavioral aspects of consulting, you are well-positioned to succeed. Good luck!
