Johnson Controls
Product Cybersecurity Leader - Remote (Information Technology)
Job Details
The future is being built today, and Johnson Controls is making that future more productive, more secure and more sustainable. We are harnessing the power of cloud, data analytics, the Internet of Things, and user design thinking to deliver on the promise of intelligent buildings and smart cities that connect communities in ways that make people's lives – and the world – better!
What you will do
As a Product Cybersecurity Leader, you will lead continuous improvement initiatives aligned to our cybersecurity maturity framework and roadmap, ensuring proactive management of security and data privacy risk across the full lifecycle of our products, platforms, and service offerings. Your leadership expertise in secure development practices will ensure security and privacy-by-design requirements are fulfilled and that products are released to market with strong cybersecurity as a core feature. In this role, you will play a pivotal role in handling cybersecurity risk, differentiating Johnson Controls, and enabling business success.
We want your guidance as we build architecture, and support IoT and Cloud connectivity.
How you will do it
Lead and mentor security architects providing cybersecurity insight to product development teams, security champions, and business leaders throughout all phases of the software creation process.
Influence policy compliance and quality for secure SDLC activities -- security requirements, security architectures, threat and attack models, supply chain security, code reviews, SAST, DAST, IAST, penetration testing, and security hardening.
Mentor product teams in the art and science of architecting security and privacy-by-design and security-by-default into software applications for mobile, embedded systems, and cloud.
Review product architectures for gaps and vulnerabilities and collaborate with product teams to remediate or mitigate cyber risk.
Update senior executive leadership on health and status of the product security program, cybersecurity risks, risk mitigations, and trends.
Speak at customer-facing events and present at conferences.
What we look for
At least 10 years of proven experience in software or product cybersecurity.
Bachelor's degree in Cybersecurity, Computer Science, Engineering, Information Systems, or related technical degree. Master's degree is helpful.
Ability to build trust with partners and explain sophisticated security topics to all audiences.
Expert knowledge and practical product and software security experience, including secure SDLC practices, security and privacy by design architectures, and secure by default configurations.
Ability to lead change initiatives that thoughtfully handle software cyber risks.
Hands-on experience with Linux OS, programming and scripting languages (e.g. Java, Python, Perl), and security tools (e.g. Kali, Nessus, Netsparker, OpenVAS, Burp Suite, Metasploit).
Understanding of embedded systems architectures (e.g. ARM, Cortex), embedded systems tools/emulators, RTOS/Linux, network protocols and programming languages (such as C/C++).
Understanding of penetration testing, reverse engineering, software attack vectors, fault injection, device fingerprinting, and tamper resistance.
Understanding of TPM, Secure Boot, OTP, PKI, SPI/I2C bus analyzers, JTAG probing.
Familiarity with technology risk management frameworks such as RMF, NIST 800-53, ISA/IEC 62443, UL CAP, ISO 27001, GDPR, CSL, CSA, SOC 2, and other comparable frameworks.
Travel is moderate at approximately 25%, including international.
Preferred
Experience with Operational Technologies (e.g. Controls Systems, Building Management).
Active participation in hackathons, cybersecurity competitions, and exercises.
CSSLP, CISSP, CCSP, OSCP, CEH or related cybersecurity certifications.
Where legally permissible, if hired, candidate is required to be fully vaccinated against Covid-19 no later than the scheduled start date, unless candidate has a valid medical condition or sincerely held religious belief precluding them from receiving the vaccine.
Johnson Controls International plc. is an equal employment opportunity and affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, protected veteran status, genetic information, sexual orientation, gender identity, status as a qualified individual with a disability or any other characteristic protected by law. To view more information about your equal opportunity and non-discrimination rights as a candidate, visit EEO is the Law. If you are an individual with a disability and you require an accommodation during the application process, please visit here.