Senior Principal Product Cybersecurity Architect, Remote/Virtual
This job is no longer active.
View similar jobs.
POST DATE 9/13/2020
END DATE 9/24/2020
JOB DESCRIPTIONSenior Principal Product Cybersecurity Architect
What you will do
The future is being built today, and Johnson Controls is making that future more productive, more secure and more sustainable. We are harnessing the power of cloud, data analytics, the Internet of Things, and user design thinking to deliver on the promise of intelligent buildings and smart cities that connect communities in ways that make people s lives and the world better.
In this career defining opportunity within the Global Product Security organization, you will drive continuous improvement initiatives aligned to our cybersecurity maturity framework and roadmap, ensuring proactive management of security and data privacy risk across the full lifecycle of our products, platforms, and service offerings. You will apply your expertise in secure software development practices to ensure security and privacy by design requirements are fulfilled and that products are released to market with strong cybersecurity as a core feature. In this role, you will play a pivotal role in managing cybersecurity risk, differentiating Johnson Controls, and enabling business success. THIS IS A REMOTE/VIRTUAL OPPORTUNITY.
HOW YOU WILL DO IT
* Provide cybersecurity expertise and guidance to product development teams, security champions, and business leaders throughout all phases of the software development life cycle.
* Drive policy compliance and high quality for secure SDLC activities -- security requirements, security architectures, threat and attack models, supply chain security, code reviews, SAST, DAST, IAST, penetration testing, and security hardening.
* Architect security and privacy by design and secure-by-default into software applications, embedded systems, and cloud platforms.
* Periodically assess security policies, standards, and metrics to drive improvements that help Johnson Controls adapt to evolving regulatory, customer, and threat environments.
* Drive efforts to quantify residual product risk and identify appropriate security controls.
* Drive efforts to advance innovative security features, capabilities, and practices.
* Review product architectures for security design gaps and vulnerabilities and consult with product teams to remediate or mitigate cyber risk.
* Assist coordination of third party penetration testing vendor engagements with product teams.
* Help engineers and product managers identify solutions to meet cybersecurity requirements.
* Help business unit leaders understand security risks and participate in project resource planning.
* Maintain current knowledge of security threats and vulnerabilities that could impact products.
* Support incident response operations, training, and exercises, including exploitation analysis and countermeasure testing.
* Assist coordination and tracking of vulnerability remediation activities.
* Raise cybersecurity awareness and facilitate security training and certification.
* Support periodic reporting to senior executive leadership on health and status of the product security program, cybersecurity risks, risk mitigations, and trends.
* Collaborate with product, IT, and privacy teams on product security risks and opportunities.
* Use agile project management to manage resources and track milestones and deliverables.
* Support company response to customer audits and inquiries pertaining to product security.
* Support internal audits and assessments to identify risks and determine mitigation actions.
* Identify cybersecurity opportunities that enhance the developer and customer experience.
* Support product security committees, boards, councils and working groups.
* Support cybersecurity risk and technology assessments.
* Speak at customer-facing events and present at conferences.
WHAT WE LOOK FOR
* Technical and operational excellence, thought leadership, and integrative thinking.
* Expert knowledge and practical product and software security experience, including secure SDLC practices, security and privacy by design architectures, and secure by default configurations.
* Strong problem-solving skills to analyze cybersecurity issues and requirements (legal/regulatory, policy, customer, industry standards) and relate them to appropriate security controls.
* Experience supporting software security governance and compliance activities, i.e. metrics, assessments, audits, exercises, risk frameworks, and maturity models.
* Demonstrated ability to lead change initiatives that intelligently manage software cyber risks.
* Proven ability to deliver results using agile methodologies and tools (e.g. Scrum/Kanban, Jira).
* Understanding of Product Security Incident Response Team (PSIRT) processes and activities.
* Understanding of agile software development and continuous integration/deployment.
* Practical experience with Linux OS, programming and scripting languages (e.g. Java, Python, Perl), and security tools (e.g. Kali, Nessus, Netsparker, openVAS, BurpSuite, Metaspolit).
* Understanding of embedded systems architectures (e.g. ARM, Cortex), embedded systems tools/emulators, RTOS/Linux, network protocols and programming languages (such as C/C++).
* Understanding of penetration testing, reverse engineering, software attack vectors, fault injection, device fingerprinting, and tamper resistance.
* Understanding TPM, Secure Boot, OTP, PKI, SPI/I2C Bus Analyzers, JTAG probing.
* Knowledge of current security threats and techniques for exploiting software vulnerabilities.
* Active participation in hackathons, cybersecurity competitions, and exercises are a plus.
* Superior interpersonal, organizational, written/verbal communication, and presentation skills.
* Ability to build trust with stakeholders and explain complex security topics to all audiences.
* Familiarity with technology risk management related frameworks such as RMF, NIST 800-53, ISA/IEC 62443, UL CAP, ISO 27001, GDPR, CSL, SOC 2 or other comparable.
* Experience with Operational Technologies (e.g. Controls Systems, Building Management) a plus.
* Bachelors degree in Cybersecurity, Computer Science, Engineering, Information Systems, or related technical degree. Masters degree is preferred.
* Minimum of 14 years of experience with at least 7 years in software or product cybersecurity.
* CSSLP, CISSP, CCSP, OSCP, CEH or related cybersecurity certifications.
* Travel is occasional at approximately 15%, including international.
Johnson Controls is an equal employment opportunity and affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, protected veteran status, status as a qualified individual with a disability, or any other characteristic protected by law. For more information, please view EEO is the Law. If you are an individual with a disability and you require an accommodation during the application process, please visit www.johnsoncontrols.com/tomorrowneedsyou.