Address
SalaryWhat you will do
The future is being built today, and Johnson Controls is making that future safer, greener, efficient building solutions and services. We are harnessing the power of cloud, data analytics, the Internet of Things, and user design to deliver on the promise of intelligent buildings and smart cities that connect communities in ways that make people’s lives – and the world – better.
In this career defining opportunity within the Global Product Security organization, you will drive continuous improvement initiatives aligned to our cybersecurity maturity framework and roadmap, ensuring proactive management of security and data privacy risk across the full lifecycle of our products, platforms, and service offerings. You will apply your expertise in secure software development practices to ensure security and privacy by design requirements are fulfilled and that products, solutions, and services are released to market with strong cybersecurity.
How you will do it
- Provide cybersecurity expertise and guidance to product development teams and business leaders throughout all phases of the software development life cycle.
- Architect security and privacy by design and secure-by-default into the entire stack from design through operations in the cloud.
- Drive secure SDLC activities -- requirements, architectures, threat models, SAST, DAST, penetration testing
- Specify and design secure operations features for platforms
- Review security policies, standards, and metrics to drive improvements
- Quantify residual product risk and identify appropriate security controls.
- Review changes made via the DevOps pipeline and processes
- Develop methodologies and processes that align product risk assessments to DevOps
- Review product architectures for security design gaps and vulnerabilities and consult with product teams to remediate or mitigate cyber risk.
- Assist coordination of penetration testing engagements with product teams.
- Help engineers and product managers identify solutions to meet cybersecurity requirements.
- Help business leaders understand security risks during resource planning.
- Assist coordination and tracking of vulnerability remediation activities.
- Support reporting to executive leadership on the status of product security, risks, mitigations, and trends.
- Use agile project management to manage resources and track milestones and deliverables.
- Identify cybersecurity features that enhance developer and customer experiences.
What we look for
Required:
- Bachelor’s or higher degree in engineering, cybersecurity, or related technical degree
- Minimum 10 years of product or application cybersecurity experience
- Expert knowledge and practical product and software security experience, including secure SDLC practices, defense-in-depth design architectures, and secure by default configurations
- 5 years of experience delivering results using agile methodologies and tools
- 3 years of experience supporting software security governance and compliance activities, i.e. metrics, assessments, audits, exercises, risk frameworks, and maturity models
- 2 + years experience with Cloud technologies;
- Ability to build trust with stakeholders and explain complex security topics to all audiences
Preferred:
- CSSLP, CISSP, CCSP, OSCP, CEH or other cybersecurity certifications
- Masters degree in Cybersecurity, Computer Science, Engineering, or Information Systems
- 2 years of experience with technology risk management related frameworks such as RMF, NIST 800-53, ISA/IEC 62443, UL CAP, ISO 27001, GDPR, CSL, SOC 2 or other comparable
- Demonstrated ability to lead change initiatives that intelligently manage software security
- Strong problem-solving skills to analyze cybersecurity issues and requirements (legal/regulatory, policy, customer, industry standards) and relate them to appropriate security controls
- Practical experience with operating systems
- Practical experience with programming and scripting languages
- Practical experience security tools
- Practical experience building multi-tenant platforms or service offerings
