Principal Product Security Engineer

Work Flexibility: Remote

The Product Security Principal Architect is a valued professional within the Stryker organization. They work with product development team members during the digital systems development processes on effective security controls. Stryker has products that reside on bespoke embedded devices, applications on mobile devices (iOS, and Android) or personal computers, along with services deployed in the clouds (Azure, AWS, GCP). This person has the ability to shape the security of Stryker products before release to market, and the responsibility to guide teams to build Security by Default, enabling products to be resilient in the marketplace.

This role will help through consistent generation of threat models with risk scoring, identifying the effective security controls during requirements, refined during design, then applied at build and configuration, provide oversight through verification and validation. Once the product is on-market, this team also aids others with the security investigations and response, as needed throughout the product life.

What You Will Do:

 Technical Responsibilities:

• Collaborate with product teams to assess security risks and drive design decisions for new and evolving products and related systems, ensuring secure by design.
• Guide product development teams in completing threat models towards security as it relates to product risk.
• Assemble Security requirements applicable to the new or evolving product under consideration.
• Working with product teams to remediate issues or vulnerabilities found by security tooling or reports for Stryker’s variety of medical device technologies.
• Support product security incident response (PSIRT) teams, when needed, so they can effectively address (contain or remediate) and then document security incidents.
• Draft internal and external communications summarizing details concerning security concepts used in requirements, design, and build phases related to medical products and related systems.
• Provide product security guidance to internal taskforce teams.

Knowledge and Capabilities:

• Understanding of the current revisions from FDA, NIST, ISO, IEC on the related security topics.
• Expertise in applying security control frameworks, threat modeling, and scoring the severity of security threats and vulnerabilities.
• Experience analyzing and supporting enablement of security controls, along with designing secure products, as part of a broad eco-system (embedded devices + clouds + mobile devices) in the IoT ecosystems that healthcare providers need and expect to support safety.
• Driven to stay up to date on vulnerabilities and exploits that may affect the Stryker eco-system across several areas of computing such as cloud, distributed applications, embedded systems, or IoT.

What You Will Need:

Basic Qualifications:

• Bachelor's Degree in product security, computer science, mathematics, statistics, or related field
• 8+ years of applicable (product) security work experience

Preferred Qualifications:

• Master’s degree in security related discipline
• Understands quality management systems in the healthcare, medical device, or industries that leverage cyber-physical systems.
• Experience implementing secure technologies in embedded devices, clouds and mobile devices using secure controls, including but not limited to transport and communication protocols.
• One or more active, industry recognized, and relevant cybersecurity certifications.

 

• $129k - $286k salary plus bonus eligible + benefits. Actual minimum and maximum may vary based on location. Individual pay is based on skills, experience, and other relevant factors.

Travel Percentage: 10%

Stryker Corporation is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, ethnicity, color, religion, sex, gender identity, sexual orientation, national origin, disability, or protected veteran status. Stryker is an EO employer – M/F/Veteran/Disability.

Stryker Corporation will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information.