Principal Med Device Security Engineer
Remote · United States or Raritan, New Jersey, United States
Job Summary
Principal Product Security Engineer role within Johnson & Johnson MedTech Security & Controls. Own the product security process for Heart Recovery devices across the product lifecycle; define secure boot, cryptographic controls, PKI/HSM/TPM, threat modelling, vulnerability assessment, third-party testing, OTA updates, post-market risk management, and regulatory submissions; lead the Secure Development Lifecycle with hardware security architecture, RTOS hardening, memory safety, and privacy/compliance considerations (HIPAA/GDPR). Remote-based or onsite in Danvers, MA or Raritan, NJ with up to 10% travel; requires coordinating with Abiomed and ensuring alignment with FDA/NIST/IEC frameworks.
Required Qualifications
- 8+ years industry experience in Information Security
- 5+ years experience with embedded systems, IoT, or medical device cybersecurity
- Bachelor’s degree or equivalent
- Experience generating Threat models without the use of threat modeling tools
- Experience performing risk assessments utilizing CVSS 3.1 or higher, with STRIDE per element
- Ability to write technical security requirements for embedded systems and web platforms based on the latest regulations
- Understanding and execution of third-party penetration testing, vulnerability scanning, CVSS and/or other general security testing principles
- Experience supporting regulatory security submissions, ensuring compliance with FDA Cybersecurity Guidance (2025), EU MDR, NIST 800-53, IMDRF, and AAMI TIR57
- Knowledge of real-time operating systems hardening techniques
- Knowledge of cloud security principles
- Ability to generate SBOMs from software source code and binaries, firmware, and operating systems
- Ability to generate pre-market risk assessments against the threat model leveraging STRIDE and post-market risk assessments via SCA SBOM scans
- Ability to generate the security architecture views for medical devices, which could include a Global System View, a Multi-Patient Harm View, and an Updateability/Patchability View, detailing system boundaries, data flows, and external interactions to show risk mitigation, ensure transparency, and support post-market management
- Ability to translate technical security requirements into solutions
- Ability to provide secure coding recommendations and execute reviews
- Data privacy experience, including HIPAA and GDPR
- Understanding of industry standards and certifications such as HITRUST & ISO 27001
- Ability to work autonomously and proactively seek out product security opportunities within Heart Recovery
- Ability to lead large projects and proven ability to track to project plan timelines from a security perspective
- Ability to create and deliver cybersecurity awareness campaigns and other communications
- Customer focus (internal & external)
- Excellent communication and collaboration skills, able to network, interface and influence at all levels of the organization, cross sector, cross-functionally and globally
- Strong leadership skills
Preferred Qualifications
- Experience leading or participating in formal security audits
- Experience with operating systems such as QNX, Yocto, Ubuntu Linux, and Alpine
- Familiarity with FDA and/or other global regulatory cybersecurity guidance requirements and submission process
- Experience with web applications and server hardening (e.g. AWS, Azure), including knowledge of the OWASP Top 10 and blue teaming techniques
- Experience in cybersecurity pre-sales
- Software development experience
- CISSP, CISM, or other security certification
- MS and/or advanced degree