Cyber Security Program Manager

Johnson Controls
Milwaukee, WI Full Time
POSTED ON 2/28/2022 CLOSED ON 4/23/2022

What are the responsibilities and job description for the Cyber Security Program Manager position at Johnson Controls?

Job Details

What you will do

The future is being built today, and Johnson Controls is making that future more productive, more secure and more sustainable. We are harnessing the power of cloud, data analytics, the Internet of Things, and user design thinking to deliver on the promise of intelligent buildings and smart cities that connect communities in ways that make people’s lives – and the world – better.

In this product development role within the Controls organization, you will implement, monitor, and report on initiatives aligned to our cybersecurity maturity framework and processes. You will apply your expertise in secure software development practices to ensure security and privacy requirements are fulfilled and products that are released to market have cybersecurity as a core feature. Additionally, you will help to triage and incorporate field-found security vulnerabilities that need to be addressed. In this role, you will play a pivotal role in managing cybersecurity risk, differentiating Johnson Controls, and enabling business success.

How you will do it

  • Provide cybersecurity expertise and guidance to product development teams, security champions, and business leaders throughout all phases of the software development life cycle.

  • Drive policy compliance and high quality for secure SDLC activities - security requirements, security architectures, threat and attack models, code reviews, SAST, DAST, IAST, penetration testing, and security hardening.

  • Review product architectures for security design gaps and vulnerabilities and consult with product teams to remediate or mitigate cyber risk.

  • Assist coordination of third-party penetration testing vendor engagements with product teams.

  • Help engineers and product managers identify solutions to meet cybersecurity requirements.

  • Help business unit leaders understand security risks and participate in project resource planning.

  • Maintain current knowledge of security threats and vulnerabilities that could impact products.

  • Support incident response operations, training, and exercises, including exploitation analysis and countermeasure testing.

  • Assist coordination and tracking of vulnerability remediation activities.

  • Raise security awareness and drive security training and certification for people and products.

  • Support reporting to senior leadership on health and status of the product security program, cybersecurity risks, risk mitigations, and trends.

  • Support company response to customer audits and inquiries pertaining to product security.

  • Support internal audits and assessments to identify risks and determine mitigation actions.

  • Identify cybersecurity opportunities that enhance the developer and customer experience.

  • Support product security committees, boards, councils and working groups.

  • Support cybersecurity risk and technology assessments.

  • Periodically assess security policies, standards, and metrics to drive improvements that help Johnson Controls adapt to evolving regulatory, customer, and threat environments.

  • Drive efforts to quantify residual product risk and identify appropriate security controls.

  • Drive efforts to advance innovative security features, capabilities, and practices.

What we look for

Required

  • If hired, candidate will be required to be fully vaccinated against Covid-19 prior to his or her start date.

  • Bachelor's degree in Cybersecurity, Computer Science, Engineering, Information Systems, or related technical degree.

  • Minimum of 7 years of experience with at least 5 years in software or product cybersecurity.

  • Superior interpersonal, organizational, written/verbal communication, and presentation skills with an ability to build trust with stakeholders and explain complex security topics to all audiences.

  • Working knowledge and practical product and software security experience, including secure SDLC practices, security and privacy by design architectures, and secure by default configurations.

  • Understanding of agile methodologies and tools (e.g. Scrum/Kanban, Jira) with the ability to work with multiple teams to groom, plan, and deliver on commitments.

  • Experience supporting software security governance and compliance activities, i.e. metrics, assessments, audits, exercises, risk frameworks, and maturity models.

  • Strong problem-solving skills to analyze cybersecurity issues and requirements (legal/regulatory, policy, customer, industry standards) and relate them to appropriate security controls.

  • Familiarity with technology risk management related frameworks such as RMF, NIST 800-53, ISA/IEC 62443, UL CAP, ISO 27001, GDPR, CSL, CSA, SOC 2 and other comparable frameworks.

  • Understanding of Product Security Incident Response Team (PSIRT) processes and activities, with the ability to triage and prioritize incoming issues.

  • Knowledge of current security threats and techniques for exploiting software vulnerabilities.

Preferred

  • CSSLP, CISSP, CCSP, OSCP, CEH or related cybersecurity certifications.

  • Understanding of web and mobile application secure design principles such as OWASP.

  • Understanding of data protection, secure cloud, and network infrastructure design principles.

  • Understanding of penetration testing, reverse engineering, software attack vectors, fault injection, device fingerprinting, and tamper resistance.

  • Understanding of TPM, Secure Boot, OTP, PKI, SPI/I2C bus analyzers, JTAG probing.

  • Understanding of embedded systems architectures (e.g. ARM, Cortex), embedded systems tools/emulators, RTOS/Linux, network protocols and programming languages (such as C/C++).

  • Practical experience with Linux OS, programming and scripting languages (e.g. Java, Python, Perl), and security tools (e.g. Kali, Nessus, Netsparker, OpenVAS, Burp Suite, Metasploit).

  • Experience with Operational Technologies (e.g. Controls Systems, Building Management) a plus.

Johnson Controls International plc. is an equal employment opportunity and affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, protected veteran status, genetic information, status as a qualified individual with a disability, or any other characteristic protected by law. For more information, please view EEO is the Law. If you are an individual with a disability and you require an accommodation during the application process, please visit www.johnsoncontrols.com/careers.

This job has expired.