Principal Cloud Security Engineer

Johnson & Johnson
Remote friendly (Danvers, MA)
United States
$102,000 - $177,100 USD yearly
IT

Role Summary

The Principal Cloud Security Engineer will implement Johnson & Johnson's enterprise Product Security strategy and framework across the Heart Recovery portfolio of medical devices and supporting platforms. This role will join Abiomed, part of Johnson & Johnson MedTech, to provide technical leadership in securing Impella heart pump technologies, next-generation cardiac support systems, and connected medical devices. It will deliver security architecture, cryptographic controls, embedded protections, and threat mitigation techniques to ensure robust, regulatory-compliant security across the product lifecycle. The position is based in Danvers, MA or Raritan, NJ with remote or hybrid options and may require up to 20% travel.

Responsibilities

  • Drive alignment of the Cloud security controls and documentation to the J&J Product Security framework.
  • Define and prioritize compliance with the FDA Pre-Market Guidance Appendix 1.
  • Define the security requirements for USA 510k, EU MDR, and Japan PDMA compliance.
  • Support the Product Security strategy and objectives within Heart Recovery.
  • Define and enforce cryptographic protocols for data-at-rest and data-in-transit, ensuring compliance with FDA cybersecurity requirements, NIST 800-175, FIPS 140-3, and IEC 62443.
  • Define and implement key management infrastructure (PKI, cloud-based HSMs) for device identity, authentication, and software signing.
  • Implement Zero Trust security for device-to-cloud connectivity, integrating mTLS and continuous authentication models into clinical applications.
  • Oversee secure OTA update mechanisms, ensuring software and firmware rollbacks, code signing, and supply chain integrity validation.
  • Work from the office in Danvers, MA or Raritan, NJ for a minimum of 3 days per week (candidates within commuting distance).
  • Partner with engineering teams (cloud, console) to drive adherence to product security policies, processes, framework and program objectives.
  • Create, update, and improve product security processes for the cloud infrastructure and application.
  • Demonstrate deep understanding of the Azure Cloud platform and implement security services such as Defender, WAF, NSGs, KeyVault, Azure VM Security, AKS security.
  • Act as a subject-matter expert on cybersecurity and provide guidance to engineering and cross-functional teams.
  • Advocate for proactive inclusion of cybersecurity controls across the product life cycle and contribute to strategic road map planning.
  • Deliver pre-market documentation including product security plans, threat models, security requirements, SBOMs, and risk assessments.
  • Drive and monitor post-market vulnerability management with CVE risk assessments and timelines aligned with cross-functional stakeholders.
  • Perform security risk assessments and develop security views for Cloud infrastructure and applications (Global System View, Patchability View, Multi-Patient Harm View, Security Use Case Views).
  • Collaborate with cloud engineering and development teams to integrate security measures into the CI/CD pipeline and DevSecOps processes.
  • Continuously improve Defender Score and support compliance certification activities (SOC2 Type 2, FedRAMP, ISO 27001, 81001-5-1, etc.).
  • Identify, research, evaluate, and integrate new compliance requirements, industry standards, and best practices into product security programs.
  • Maintain relationships with Heart Recovery’s Information Sharing and Analysis Organizations.
  • Guide teams to balance business needs with medical device security objectives and work across organizational boundaries with customers.
  • Perform other related duties as assigned.

Qualifications

  • Required: Bachelor’s degree
  • Required: 5+ years industry experience in Information Security
  • Required: Experience generating threat models without threat modeling tools
  • Required: Experience performing risk assessments utilizing CVSS 3.1 or higher, with STRIDE per element
  • Required: Ability to write technical security requirements for embedded systems and web platforms based on the latest regulations
  • Required: Experience architecting and securing MS Azure with configuring and hardening Azure security services
  • Required: Experience working in a Cloud Scrum/Agile Azure DevOps environment
  • Required: Familiarity with tools such as Snyk, Veracode, Coverity, Wiz, JIRA, Confluence, Dependency-Track
  • Required: Experience with containerization technologies such as Docker and Kubernetes and implementing security controls
  • Required: Understanding and execution of third-party penetration testing, vulnerability scanning, CVSS and other security testing principles
  • Required: Experience supporting regulatory security submissions, ensuring compliance with FDA Cybersecurity Guidance (2025), EU MDR, NIST 800-53, IMDRF, and AAMI TIR57
  • Required: Working knowledge of regulatory standards and compliance frameworks (e.g., NIST Cybersecurity Framework, ISO27001, SOC2 Type 2, HIPAA, GDPR, 81001-5-1)
  • Required: Ability to generate SBOMs from Software source code and Binaries, Firmware, and Operating Systems
  • Required: Ability to generate pre-market risk assessments against the threat model leveraging STRIDE and post-market risk assessments via SBOM scans
  • Required: Ability to generate security architecture views for software as medical device (SAMD) Web applications, including Global System View, Multi-Patient Harm View, and Updateability/Patchability View
  • Required: Experience with security risk management techniques and developing Quality Management System documentation
  • Required: Demonstrated organizational skills, attention to detail, ability to handle multiple assignments and meet deadlines
  • Required: Ability to work independently with urgency and embrace new challenges
  • Required: Strong communication and interpersonal skills
  • Preferred: CISSP, CISM, or other security certification
  • Preferred: MS and/or advanced degree
  • Preferred: Experience working in an FDA-regulated environment
  • Preferred: Experience leading or participating in formal security audits
  • Preferred: Familiarity with FDA and/or global regulatory cybersecurity guidance requirements and submission process
  • Preferred: Experience in cybersecurity pre-sales
  • Preferred: Software development experience

Additional Requirements

  • Travel up to 20%.