The Commercial Technologies Operational Security Lead (Director) ensures security, resilience, and operational integrity of customer-facing technology solutions (software, platforms, and integrated hardware), providing hands-on leadership across vulnerability research, security engineering, product security, and operational assurance.
Key Activities:
- Provide security oversight and operational assurance across development, deployment, and runtime for customer-facing software and hardware.
- Define, assess, and validate security controls aligned to enterprise standards, regulatory needs, and customer expectations.
- Lead vulnerability research, analysis, and operational response across applications, platforms, infrastructure, and embedded technologies.
- Partner with engineering and product teams to embed security via secure-by-design and shift-left practices.
- Support product security: threat modeling, secure design reviews, penetration test coordination, and remediation validation.
- Provide security architecture guidance for virtualized, cloud-native, hybrid, and containerized environments.
- Oversee vulnerability management (scanning, prioritization, remediation tracking, risk acceptance).
- Collaborate with DevSecOps to automate security testing, control validation, and continuous monitoring.
- Embed security requirements into CI/CD and product release processes.
- Liaise with security, risk, and compliance; support customer assurance (questionnaires, audits, attestations, incident response).
- Contribute to incident response and root cause analysis.
- Identify gaps, emerging risks, and improvement opportunities; promote security best practices and maturity.
Education:
- Bachelor's in CS/Engineering/InfoSec or related.
- Advanced degree or relevant certifications preferred.
Required Skills/Experience:
- Strong experience in vulnerability research, vulnerability management operations, and remediation validation.
- Hands-on security engineering/product security for software and integrated hardware.
- Security architecture knowledge for cloud, virtualized, containerized, and hybrid environments.
- Experience securing APIs, web apps, SaaS platforms, and distributed systems.
- Familiarity with DevSecOps, CI/CD, and security automation tooling.
- Working knowledge of cryptography, IAM, and secure communications.
- Experience supporting business-critical customer-facing technologies.
- Ability to assess operational risk and drive actionable remediation.
- Experience supporting audits, customer security reviews, and regulatory expectations.
- 10+ years cybersecurity/product security/security engineering or related; leadership by expertise; cross-functional collaboration; strong communication.
Preferred:
- CISSP, CSSLP, GWAPT, OSCP (or equivalent).
- NIST, ISO 27001, OWASP, SDLC frameworks.
- AWS/Azure/GCP and infrastructure-as-code; scaling controls via automation.
Application:
- Apply via https://jobs.merck.com/us/en (or Workday Jobs Hub if a current employee).