Principal Cloud Security Engineer jobs in United States

Johnson & Johnson · 8 hours ago

Principal Cloud Security Engineer

Johnson & Johnson is a leader in healthcare innovation, aiming to profoundly impact health for humanity. They are seeking a Principal Cloud Security Engineer to implement their enterprise Product Security strategy across medical devices, focusing on securing heart recovery technologies and ensuring regulatory compliance throughout the product lifecycle.

Hospital & Health Care
Comp. & Benefits
H1B Sponsor Likely

Responsibilities

Drive alignment of the cloud security controls and documentation to the J&J Product Security’s overarching framework
Define and prioritize compliance with the FDA Pre-Market Guidance Appendix 1
Define the security requirements for US 510(k), EU MDR, and Japan PMDA compliance
Support the Product Security strategy and objectives within Heart Recovery
Define and enforce cryptographic protocols for data-at-rest and data-in-transit, ensuring compliance with FDA cybersecurity requirements, NIST 800-175, FIPS 140-3, and IEC 62443
Define and implement key management infrastructure (PKI, cloud-based HSMs) for device identity, authentication, and software signing
Implement Zero Trust security for device-to-cloud connectivity, integrating mTLS and continuous authentication models into clinical applications
Oversee secure OTA (over-the-air) update mechanisms, ensuring software and firmware rollbacks, code signing, and supply chain integrity validation
Partner with engineering teams (cloud, console) to drive successful adherence to the product security policies, processes, framework and program objectives
Create, update, and improve product security processes for the cloud infrastructure and application
Act as an SME on cyber security matters and provide guidance to engineering and cross-functional teams
Advocate for proactive inclusion of cyber security controls and processes into all phases of the product life cycle, process improvements, and strategic product road map planning
Deliver documentation for pre-market product development activities including product security plans, threat models, security requirements, detailed SBOM, and risk assessments documentation
Drive and monitor post-market vulnerability management activities with the development of CVE risk assessments, with adherence to strict timelines and alignment from cross-functional stakeholders
Perform security risk assessment and development of the security views (Global System View, Patchability View, Multi-Patient Harm View, and Security Use Case Views) on the Cloud infrastructure and applications
Collaborate with the cloud engineering and development team to integrate security measures and security tools into the CI/CD pipeline and the DevSecOps processes
Continuous improvement of Defender Score
Support compliance certification activities, such as SOC2 Type2, FedRAMP, ISO 27001, 81001-5-1, etc.
Identify, research, evaluate, and integrate new compliance requirements, industry standards, and best practices into the product security programs
Maintain relationships with Heart Recovery’s Information Sharing and Analysis Organizations
Guide teams to make decisions that balance business needs with medical device security objectives
Work across organizational boundaries and exhibit empathy with customers, both internal and external
Perform other related duties and responsibilities, as assigned

Qualifications

Cloud Security Architecture, MS Azure Security, Threat Modeling, Risk Assessments, Regulatory Compliance, Penetration Testing, Containerization Security, DevSecOps, Security Documentation, Communication Skills, Organizational Skills, Critical Thinking, Mentorship

Required

Bachelor's degree
5+ years industry experience in Information Security
Experience generating Threat models without the use of threat modeling tools
Experience performing risk assessments utilizing CVSS 3.1 or higher, with STRIDE per element
Ability to write technical security requirements for embedded systems and web platforms based on the latest regulations
Experience architecting and securing MS Azure, including configuring and hardening Azure security services
Experience working in a Cloud Scrum/Agile Azure DevOps environment
Familiarity with some or all of these tools: Snyk, Veracode, Coverity, Wiz, JIRA, Confluence, Dependency-Track
Experience with Containerization technologies such as Docker and Kubernetes and implementing security controls
Understanding and execution of third-party penetration testing, vulnerability scanning, CVSS and/or other general security testing principles
Experience supporting regulatory security submissions, ensuring compliance with FDA Cybersecurity Guidance (2025), EU MDR, NIST 800-53, IMDRF, and AAMI TIR57
Working knowledge of regulatory standards and compliance frameworks (e.g., NIST Cybersecurity Framework, ISO 27001, SOC2 Type 2, HIPAA, GDPR, 81001-5-1)
Ability to generate SBOMs from software source code and binaries, firmware, and operating systems
Ability to generate pre-market risk assessments against the threat model leveraging STRIDE and post-market risk assessments via SCA SBOM scans
Ability to generate security architecture views for software as a medical device (SaMD) web applications, including the Global System View, Multi-Patient Harm View, and Updateability/Patchability View, detailing system boundaries, data flows, and external interactions to show risk mitigation, ensure transparency, and support post-market management
Experience with security risk management techniques and developing Quality Management System documentation from draft through cross-functional approval
Demonstrated organizational skills, attention to detail, the ability to handle multiple assignments simultaneously in a timely manner, and the ability to meet assigned deadlines
Committed to working independently with a sense of urgency and embracing new challenges
Strong communication and interpersonal skills

Preferred

CISSP, CISM, or other security certification
MS and/or advanced degree
Experience working in an FDA-regulated environment
Experience leading or participating in formal security audits
Familiarity with FDA and/or other global regulatory cybersecurity guidance requirements and submission process
Experience in cybersecurity pre-sales
Software development experience

Benefits

Subject to the terms of their respective plans, employees are eligible to participate in the Company’s consolidated retirement plan (pension) and savings plan (401(k)).
Vacation – 120 hours per calendar year
Sick time – 40 hours per calendar year; for employees who reside in the State of Washington – 56 hours per calendar year
Holiday pay, including Floating Holidays – 13 days per calendar year
Work, Personal and Family Time - up to 40 hours per calendar year
Parental Leave – 480 hours within one year of the birth/adoption/foster care of a child
Condolence Leave – 30 days for an immediate family member; 5 days for an extended family member
Caregiver Leave – 10 days
Volunteer Leave – 4 days
Military Spouse Time-Off – 80 hours

Company

Johnson & Johnson

At Johnson & Johnson, we believe health is everything.

H1B Sponsorship

Johnson & Johnson has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Additional information is presented below for your reference. (Data powered by the US Department of Labor)
Distribution of Different Job Fields Receiving Sponsorship
Trends of Total Sponsorships
2025 (48)
2024 (56)
2023 (58)
2022 (59)
2021 (44)
2020 (27)

Funding

Current Stage
Late Stage

Leadership Team

Alex Gorsky
Former Chairman and CEO, Johnson & Johnson
Joaquin Duato
Chairman of the Board and Chief Executive Officer
Company data provided by crunchbase