Hire.Monster

Senior Product Security Engineer

Raritan, New Jersey, US
Office | Development | $102k-$177k

Responsibilities

  • Drive alignment to J&J Product Security’s overarching framework
  • Support the Product Security strategy and objectives within Heart Recovery
  • Define and implement secure boot, firmware integrity validation, and anti-tamper mechanisms to protect Heart Recovery Device firmware against unauthorized modification
  • Enforce cryptographic protocols for data-at-rest and data-in-transit, ensuring compliance with FDA cybersecurity requirements, NIST 800-175, FIPS 140-3, and IEC 62443
  • Define and implement key management infrastructure (PKI, HSMs, TPMs, and secure enclave integration) for device identity, authentication, and software signing
  • Develop real-time vulnerability assessment techniques for detecting security flaws in wireless communications (Bluetooth LE, NFC, Wi-Fi, 5G, proprietary RF) used in Heart Recovery’s medical devices
  • Implement Zero Trust security for device-to-cloud connectivity, integrating mTLS and continuous authentication models into clinical applications
  • Oversee secure OTA (over-the-air) update mechanisms, ensuring firmware rollbacks, code signing, and supply chain integrity validation
  • Lead Secure Development Lifecycle practices, integrating threat modeling, static/dynamic analysis, fuzz testing, and formal verification into the development process
  • Work with R&D Engineering to define hardware security architecture, including trust zones, hardware root of trust (HRoT), and secure microcontroller protections
  • Implement memory safety strategies to mitigate buffer overflows, side-channel attacks, and execution vulnerabilities in real-time operating systems (RTOS) and bare-metal firmware
  • Respond to customer cybersecurity questionnaires and contractual language for post-market medical devices under your responsibility as necessary

Requirements

  • 5+ years industry experience in Information Security
  • 3+ years experience with embedded systems, IoT, or medical device cybersecurity
  • Bachelor's degree or equivalent
  • Experience generating Threat models without the use of threat modeling tools
  • Experience performing risk assessments utilizing CVSS 3.1 or higher, with STRIDE per element
  • Ability to write technical security requirements for embedded systems and web platforms based on the latest regulations
  • Understanding and execution of third-party penetration testing, vulnerability scanning, CVSS and/or other general security testing principles
  • Knowledge of real-time operating systems hardening techniques
  • Knowledge of cloud security principles
  • Ability to generate SBOMs from software source code and binaries, firmware, and operating systems
  • Ability to generate pre-market risk assessments against the threat model leveraging STRIDE and post-market risk assessments via SCA SBOM scans
  • Ability to translate technical security requirements into solutions
  • Ability to provide secure coding recommendations and execute reviews
  • Data privacy experience, including HIPAA and GDPR
  • Understanding of industry standards and certifications such as HITRUST & ISO 27001
  • Ability to work autonomously and proactively seek out product security opportunities within Heart Recovery
  • Ability to lead large projects and proven ability to track to project plan timelines from a security perspective
  • Ability to create and deliver cybersecurity awareness campaigns and other communications
  • Creative problem-solving skills
  • Customer focus (internal & external)
  • Strong leadership skills
  • Experience leading or participating in formal security audits
  • Experience with Operating Systems such as QNX QOS, Yocto
  • Familiarity with FDA and/or other global regulatory cybersecurity guidance requirements and submission process
  • Experience with web applications and server hardening (e.g., AWS, Azure), including knowledge of the OWASP Top 10 and blue-teaming techniques
  • Experience in cybersecurity pre-sales
  • Software development experience
  • CISSP, CISM, or other security certification
  • MS and/or advanced degree

Skills

  • Experience supporting regulatory security submissions, ensuring compliance with FDA Cybersecurity Guidance (2025), EU MDR, NIST 800-53, IMDRF, and AAMI TIR57
  • Ability to generate security architecture views for medical devices, which could include a Global System View, Multi-Patient Harm View, and Updateability/Patchability View, detailing system boundaries, data flows, and external interactions to show risk mitigation, ensure transparency, and support post-market management
  • Excellent communication and collaboration skills; able to network, interface, and influence at all levels of the organization, cross-sector, cross-functionally, and globally

Benefits

  • Subject to the terms of their respective plans, employees are eligible to participate in the Company’s consolidated retirement plan (pension) and savings plan (401(k))
  • Vacation – 120 hours per calendar year
  • Sick time – 40 hours per calendar year; for employees who reside in the State of Washington – 56 hours per calendar year
  • Holiday pay, including Floating Holidays – 13 days per calendar year
  • Work, Personal and Family Time - up to 40 hours per calendar year
  • Parental Leave – 480 hours within one year of the birth/adoption/foster care of a child
  • Condolence Leave – 30 days for an immediate family member; 5 days for an extended family member
  • Caregiver Leave – 10 days
  • Volunteer Leave – 4 days
  • Military Spouse Time-Off – 80 hours

Salary

$102,000-$177,000

Published: 30.12.2025