Lead Product Security Engineer

At Johnson & Johnson, we believe health is everything. Our strength in healthcare innovation empowers us to build a world where complex diseases are prevented, treated, and cured, where treatments are smarter and less invasive, and solutions are personal. Through our expertise in Innovative Medicine and MedTech, we are uniquely positioned to innovate across the full spectrum of healthcare solutions today to deliver the breakthroughs of tomorrow, and profoundly impact health for humanity. Learn more at https://www.jnj.com

Job Function:

R&D Product Development

Job Sub Function:

R&D Electrical/Mechatronic Engineering

Job Category:

Scientific/Technology

All Job Posting Locations:

Cincinnati, Ohio, United States of America, Raritan, New Jersey, United States of America, Santa Clara, California, United States of America

Job Description:

We are searching for top talent for Lead Product Security Engineer. The preferred locations for this role are San Jose, California; Cincinnati, Ohio; and Raritan, New Jersey. Remote opportunities in the US are available on a case by case basis and if approved by the company. This role may require up to 10 - 20% travel.

The Lead Medical Device Cybersecurity Engineer will be responsible for implementation of J&J’s enterprise Product Security strategy and framework for J&J MedTech Surgery Ottava Robotic Platform. This includes identifying key strategy and goals, collaborating with internal organizations on existing process and policy enhancements, creating and communicating metrics to Ottava management, identifying communications plans and raising overall awareness of the capability.

Specific responsibilities include supporting Ottava’s R&D throughout a new product’s development phases, review product security requirements and recommend security design solutions, ensure the team completes Quality documentation, threat modelling, security risk assessment, penetration testing, software architecture review and design recommendations, code analysis and other security testing or work as needed.

Additionally, post market responsibilities for Ottava’s surgical robotic platform marketed devices include monitoring for new vulnerabilities, leading the product security teams with patching and remediation plans, as well as responding to all customer security questionnaires and reviewing security language within contractual agreements.

Key Responsibilities:

• Help drive adherence to J&J Product Security’s overarching framework
• Partner with internal organizations to enhance existing processes and policies
• Create and present Product Security metrics to management within Ottava and ISRM
• Champion Product Security strategy and objectives across the Ottava Robotic Platform

• Engaged as a subject matter expert to support completion of product security activities, tasks, deliverables, documentation, approvals, and product security controls.  

• Responsible for defining security requirements for the product and associated applications
• Responsible for reviewing the Threat Model and Security Risk Assessment in collaboration with Systems Engineering. 
• Responsible for supporting the FDA pre-market cybersecurity documents (as needed) and collaborating with regulatory compliance stakeholders and activities.  

• Responsible for the facilitation and assessing any third parties’ penetration testing and/or validation services.  
• Perform regular reviews and analysis of security reports and issues, propose solutions where appropriate and lead their remediation.
• Respond to alerts, security incidents, and assist in remediation as needed.

• Respond to customer cybersecurity questionnaires for all post-market medical devices. 
• Other MedTech cybersecurity related duties as needed

Qualifications:

Required:

• At least 5 years IT or cybersecurity experience and at least 2 years of product security experience
• Bachelor’s degree or equivalent experience
• Understanding of penetration testing, vulnerability scanning, CVSS and/or other general security testing principles
• Ability to provide secure coding recommendations
• Knowledge in at least one coding language (i.e. C/C++, C#, Python) with code review experience highly preferred
• Ability to work autonomously and proactively seek out security opportunities within the different surgical robotics teams
• Knowledge of traditional and real-time operating systems (i.e. QNX, Windows Embedded, Ubuntu, Yocto) hardening techniques
• Ability to translate technical security requirements into solutions
• Creative problem-solving skills
• Customer focus (internal & external)
• Excellent communication and collaboration skills

Preferred Skills:

• Understanding of Quality Design Control processes and FDA submission processes.
• Hands-on experience with software security tools and platforms like Checkmarx, Black Duck, Jfrog Xray, etc.
• Hands-on experience with vulnerability assessment tools.
• Knowledge of product or medical device security or MDDS platforms.
• Working knowledge of microservices architecture and API security.
• Experience working within Agile methodology.
• Software development experience
• Experience leading or participating in formal security audits (i.e. HITRUST, SOC2, FedRAMP)
• Security certification like CISSP/ AWS Security Specialist/ CEH or CSSLP a strong plus.

This is a remote role available in the US. While specific cities are listed in the Locations section for reference, please note that they are examples only and do not limit your application. We invite candidates from any location across the country to apply.

Johnson & Johnson is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or other characteristics protected by federal, state or local law. We actively seek qualified candidates who are protected veterans and individuals with disabilities as defined under VEVRAA and Section 503 of the Rehabilitation Act.

Johnson and Johnson is committed to providing an interview process that is inclusive of our applicants’ needs. If you are an individual with a disability and would like to request an accommodation, please email the Employee Health Support Center  (ra-employeehealthsup@its.jnj.com) or contact AskGS to be directed to your accommodation resource.

#LI-remote

The anticipated base pay range for this position is :

$105,000 to $169,050. For candidates living in the Bay Area, the applicable pay range is $121,000 to $194,350.

Additional Description for Pay Transparency:

The Company maintains highly competitive, performance-based compensation programs. Under current guidelines, this position is eligible for an annual performance bonus in accordance with the terms of the applicable plan. The annual performance bonus is a cash bonus intended to provide an incentive to achieve annual targeted results by rewarding for individual and the corporation’s performance over a calendar/performance year. Bonuses are awarded at the Company’s discretion on an individual basis. Employees and/or eligible dependents may be eligible to participate in the following Company sponsored employee benefit programs: medical, dental, vision, life insurance, short- and long-term disability, business accident insurance, and group legal insurance. • Employees may be eligible to participate in the Company’s consolidated retirement plan (pension) and savings plan (401(k)). • Employees are eligible for the following time off benefits: • Vacation – up to 120 hours per calendar year • Sick time - up to 40 hours per calendar year; for employees who reside in the State of Washington – up to 56 hours per calendar year • Holiday pay, including Floating Holidays – up to 13 days per calendar year of Work, Personal and Family Time - up to 40 hours per calendar year • Additional information can be found through the link below. https://www.careers.jnj.com/employee-benefits The compensation and benefits information set forth in this posting applies to candidates hired in the United States. Candidates hired outside the United States will be eligible for compensation and benefits in accordance with their local market.