
Principal Cloud Security Engineer

Johnson & Johnson
Remote friendly (Raritan, NJ)
United States
$102,000 - $177,100 USD yearly
IT

Role Summary

The Principal Cloud Security Engineer will implement Johnson & Johnson’s enterprise Product Security strategy across the Heart Recovery portfolio of medical devices and supporting platforms. Working with Abiomed within the MedTech organization, you will deliver security architecture, cryptographic controls, embedded protections, and threat mitigation throughout the product lifecycle, ensuring regulatory-compliant security. The role can be based in Danvers, MA or Raritan, NJ with remote or hybrid options and up to 20% travel. This position includes both pre-market and post-market responsibilities for secure product development and risk management.

Responsibilities

  • Drive alignment of the Cloud security controls and documentation to the J&J Product Security framework.
  • Define and prioritize compliance with the FDA Pre-Market Guidance Appendix 1.
  • Define the security requirements for US FDA 510(k), EU MDR, and Japan PMDA compliance.
  • Support the Product Security strategy and objectives within Heart Recovery.
  • Define and enforce cryptographic protocols for data-at-rest and data-in-transit, ensuring compliance with FDA cybersecurity requirements, NIST 800-175, FIPS 140-3, and IEC 62443.
  • Define and implement key management infrastructure (PKI, cloud-based HSMs) for device identity, authentication, and software signing.
  • Implement Zero Trust security for device-to-cloud connectivity, integrating mTLS and continuous authentication models into clinical applications.
  • Oversee secure OTA update mechanisms, including code signing, rollback capabilities, and supply chain integrity validation.
  • Work from the office in Danvers, MA or Raritan, NJ a minimum of 3 days per week (for candidates within commutable distance of a site).
  • Partner with engineering teams to drive adherence to product security policies, processes, framework, and program objectives.
  • Create, update, and improve product security processes for cloud infrastructure and applications.
  • Develop deep expertise in Microsoft Azure and implement secure Azure services (Microsoft Defender for Cloud, WAF, NSGs, Key Vault, VM security, AKS security).
  • Act as an SME on cybersecurity matters and provide guidance to engineering and cross-functional teams.
  • Advocate for proactive inclusion of cybersecurity controls throughout the product life cycle and road map planning.
  • Deliver pre-market documentation for product development, including product security plans, threat models, security requirements, SBOMs, and risk assessments.
  • Drive and monitor post-market vulnerability management with CVE risk assessments and cross-functional coordination for remediation.
  • Perform security risk assessments and develop security views on cloud infrastructure and applications.
  • Collaborate with cloud engineering to integrate security measures into CI/CD and DevSecOps processes.
  • Continuously improve the Microsoft Defender for Cloud Secure Score.
  • Support compliance certification activities (SOC 2 Type 2, ISO 27001, etc.) and keep abreast of evolving standards.
  • Identify and integrate new compliance requirements, industry standards, and best practices into product security programs.
  • Maintain relationships with Heart Recovery’s Information Sharing and Analysis Organizations.
  • Guide teams to balance business needs with medical device security objectives and work across organizational boundaries with customers.
  • Perform other related duties as assigned.

Qualifications

  • Required: Bachelor’s degree
  • Required: 5+ years of information security experience
  • Required: Experience generating threat models without threat modeling tools
  • Required: Experience performing risk assessments using CVSS v3.1 or higher with STRIDE-per-element
  • Required: Ability to write technical security requirements for embedded systems and web platforms based on latest regulations
  • Required: Experience securing Microsoft Azure, including configuring and hardening Azure security services
  • Required: Experience working in a Cloud Scrum/Agile Azure DevOps environment
  • Required: Familiarity with tools such as Snyk, Veracode, Coverity, Wiz, JIRA, Confluence, Dependency-Track
  • Required: Experience with containerization technologies (Docker, Kubernetes) and implementing security controls
  • Required: Understanding of third-party penetration testing, vulnerability scanning, CVSS, and general security testing principles
  • Required: Experience supporting regulatory security submissions and ensuring compliance with FDA Cybersecurity Guidance, EU MDR, NIST SP 800-53, IMDRF, and AAMI TIR57
  • Required: Working knowledge of regulatory standards and frameworks (NIST CSF, ISO 27001, SOC 2 Type 2, HIPAA, GDPR, IEC 81001-5-1)
  • Required: Ability to generate SBOMs from software source code, binaries, firmware, and operating systems
  • Required: Ability to conduct pre-market risk assessments and post-market risk assessments via SBOM scans
  • Required: Ability to generate security architecture views for Software as a Medical Device (SaMD) web applications, including Global System View, Multi-Patient Harm View, Updateability/Patchability View, and data flow mappings
  • Required: Experience with security risk management techniques and developing Quality Management System documentation
  • Required: Strong organizational skills, attention to detail, ability to manage multiple assignments, and meet deadlines
  • Required: Ability to work independently with urgency and adapt to new challenges
  • Required: Strong communication and interpersonal skills
  • Preferred: CISSP, CISM, or other security certification
  • Preferred: MS and/or advanced degree
  • Preferred: Experience working in an FDA-regulated environment
  • Preferred: Experience leading or participating in formal security audits
  • Preferred: Familiarity with FDA and/or global regulatory cybersecurity guidance and submission processes
  • Preferred: Experience in cybersecurity pre-sales
  • Preferred: Software development experience

Additional Requirements

  • Travel up to 20%