Sr Manager, Product Security Risk Management Engineer

Company:  J&J Family of Companies
Location: Honolulu
Closing Date: 16/10/2024
Salary: £150 - £200 Per Annum
Hours: Full Time
Type: Permanent
Job Requirements / Description

Location: Honolulu, Hawaii

Job ID: 2406216035W

Description

Johnson and Johnson is currently recruiting for a Senior Manager, Product Security Risk Management Engineer within the Johnson & Johnson Technology (JJT) organization. This role will be based in Raritan, NJ, Irvine, CA or remote US.

The Senior Manager, Product Security Risk Management Engineer will be responsible for implementation of the ISRM Product Security Risk Management Process. This includes identifying key strategies and goals, collaborating with internal organizations on existing process and policy enhancements, creating and communicating metrics to MedTech management, identifying communications plans and raising overall awareness of the capability. Specific responsibilities include supporting MedTech Business Units throughout a medical device & digital health solution lifecycle to establish vulnerability management solutions, review product security requirements and recommend security design solutions throughout dispositioning and lead the coordinated vulnerability disclosure process.

The key responsibilities will be:

  1. Reporting directly to the Product Security Program Operations Director, this role spearheads the integration of vulnerability management and leads initiatives to bolster the cybersecurity resiliency across the MedTech business.
  2. Mature ISRM product security vulnerability risk management process and drive changes into Business Unit Quality Management Systems.
  3. Develop and lead risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever high exploit vulnerabilities occur.
  4. Create risk management metrics and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
  5. Ensure standardization of security reviews and identification of security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
  6. Lead the creation of product security vulnerability management strategy and training through all ISRM product security.
  7. Identify key tooling for vulnerability identification through the total product lifecycle.
  8. Identify key research sources, analysis material, and correlation tooling to further develop the vulnerability management process.
  9. Lead the ISRM MedTech Coordinated Vulnerability Disclosure Process.
  10. Apply ISRM product security policies and standards when performing all duties.

Qualifications

Required:

  1. Bachelor’s degree or equivalent in computer science or similar engineering discipline.
  2. Minimum 10 years relevant experience, or equivalent combination of education/experience.
  3. Must be a subject matter expert in vulnerability management, including scanning, remediation, stakeholder engagement, system administration and engineering.
  4. CISSP or any combination of related subject matter expertise certifications to fully demonstrate a deep, comprehensive and thorough knowledge of cybersecurity vulnerability management.
  5. Experience with SBOM creation/scanning automation.

Preferred:

  1. Experienced in the following domains: API security, vulnerability scanning, compliance and threat detection, OWASP Top 10 API Security, web app security, AppSec, SAST, DAST, and SCA (software composition analysis).
  2. Experience or good understanding of the different enterprise components to publish and use APIs (e.g., API Gateways (Apigee), Microservices, Cloud Components, Load Balancers, WAFs).
  3. Experience with API security testing, vulnerability scanning and compliance reporting.
  4. Experience with OWASP Top 10 for Web App & APIs.
  5. Experience with Postman Collections, Swagger, OpenAPI, and other common formats for organizing and functionally testing REST APIs.
  6. Excellent analytical, written, and verbal communication skills – capable of explaining complex requirements in simple words.
  7. Comfortable with conflicts and capable of influencing cross-functional teams without formal authority.
  8. Any programming or integration experience in the past will be highly beneficial.

Limited travel required, up to 10%, including international travel.

Johnson & Johnson is an Affirmative Action and Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, or protected veteran status and will not be discriminated against on the basis of disability.
