Remote friendly (Garden City, SC)
Principal Product Security Engineer (MedTech cybersecurity)
Responsibilities:
- Implement J&J enterprise Product Security strategy/framework across the Heart Recovery medical device portfolio (pre- and post-market).
- Deliver security architecture, cryptographic controls, embedded protections/controls, and threat mitigation across product lifecycle.
- Support product development phases: review security requirements, recommend designs, complete quality documentation, perform threat modeling, coordinate third-party penetration testing, and conduct code/software architecture security reviews.
- Post-market: monitor vulnerabilities, support patching/remediation, respond to security questionnaires, and review security language in contractual agreements.
- Drive Product Security framework alignment; define secure boot, firmware integrity validation, anti-tamper.
- Enforce crypto for data-at-rest/in-transit (FDA cybersecurity guidance, NIST 800-175, FIPS 140-3, IEC 62443); define key management (PKI/HSMs/TPM/secure enclave).
- Develop real-time vulnerability assessment for wireless (BLE, NFC, Wi-Fi, 5G, proprietary RF); implement Zero Trust (mTLS, continuous authentication).
- Oversee secure OTA updates (rollback protection, code signing, supply-chain integrity).
- Lead SDL: threat modeling, static/dynamic analysis, fuzz testing, formal verification; define hardware security architecture (trust zones, HRoT, secure microcontroller); implement memory-safety mitigations.
Required Qualifications:
- 8+ years information security; 5+ years embedded/IoT/medical device cybersecurity; Bachelor's degree/equivalent.
- Threat modeling without tools; risk assessments using CVSS 3.1+ with STRIDE.
- Security requirements for embedded/web; third-party penetration testing/vuln scanning.
- Regulatory submission experience (FDA cybersecurity guidance 2025, EU MDR, NIST 800-53, IMDRF, AAMI TIR57).
- RTOS hardening; cloud security principles; generate SBOMs; pre-/post-market risk assessments.
- Security architecture views (system boundaries, data flows, external interactions); translate requirements to solutions; secure coding reviews.
- Data privacy (HIPAA, GDPR); HITRUST/ISO 27001 knowledge; autonomy/leadership; communication/collaboration.
Preferred Qualifications:
- Formal security audit experience; QNX/QoS, Yocto, Linux (Ubuntu/Alpine); global regulatory submission familiarity.
- Web/app + server hardening (AWS/Azure), OWASP Top 10, blue teaming; pre-sales; software development; CISSP/CISM; MS/advanced degree.
Benefits (time off): Vacation 120h/yr; sick time 40h/yr (48h CO, 56h WA); holidays including floating 13 days/yr; work/personal/family up to 40h/yr; parental leave 480h/within 1 year; bereavement 240h immediate/40h extended; caregiver leave 80h/52-week period; volunteer leave 32h/yr; military spouse time-off 80h/yr.