Principal Product Cybersecurity Integration Analyst
The future is being built today, and Johnson Controls is making that future more productive, more secure and more sustainable. We are harnessing the power of cloud, data analytics, the Internet of Things, and user design thinking to deliver on the promise of intelligent buildings and smart cities that connect communities in ways that make people's lives – and the world – better.
In this career-defining opportunity within the Global Product Security organization, you will support security integration and automation initiatives aimed at making our products more resilient to cyber threats and our company more effective at managing risk. You will build, deploy, maintain and continuously improve a fully integrated security tool chain that embeds security, privacy, and policy controls within the product development lifecycle. You will play a critical role in enhancing the developer and customer experience by making cybersecurity and risk management a foundational component of the product development process. Through a combined skill set in software development, systems integration, DevOps and security, you will work to advance our product security maturity by infusing best-in-class security tools across the full lifecycle of our products, platforms, and service offerings.
How you will do it
- Utilize system integration and DevOps best practices in providing hands-on technical expertise for the development, deployment and adoption of an integrated security tool chain.
- Understand overall security program policies and standards, and associated governance, risk and compliance in providing security tool integration and automation within and across business units, including sales channels and field engineering.
- Contribute to security tool integration and automation strategies and roadmaps.
- Provide technical expertise in implementing solutions that optimize cybersecurity product development processes and accelerate the build out, operationalization, orchestration and adoption of the integrated security tool chain.
- Understand the security tool integration and automation needs of security governance, risk and compliance, security engineering and innovation, security operations and incident response to implement solutions that promote software risk reduction and business success.
- Participate in hands-on security tool and service proof-of-concepts and pilot efforts performing objective due diligence analysis in evaluating best-in-class tools and automation solutions.
- Understand tool data composition, storage, accessibility and reporting needs across the cybersecurity program. Ensure data needs are a critical factor in performing security automation due diligence and evaluation.
- Understand data management principles and techniques utilized in the design and development of secure, reliable, responsive tool chain data stores. Implement secure data connections and flow automation for each security tool introduced into the tool chain.
- Utilize the established workflow and automated processes within the integrated security tool chain to provide ETL data capabilities to supply data feeds for dashboard creation and reporting on security program health and maturity, cybersecurity risks, risk mitigations, and trends.
- Work with product security marketing and communications to develop communication plans in regard to awareness, training, rollout and adoption of product security tools and automation.
- Educate and train security architects, security champions, developers, and engineers on security tools and automation capabilities integrated into the product development process.
- Support customer-driven cybersecurity audits and inquiries via automated and/or self-service security tool chain reporting. Establish data feeds for advanced analytics and customization.
- Promote continuous improvement through ingenuity, creativity and innovative thinking.
What we look for
- Technical and operational excellence, thought leadership, integrative and innovative thinking.
- Self-starter highly motivated to achieve superior results in integrating advanced and emerging technologies to develop a scalable, sustainable, distributed integrated security tool chain.
- Experiential knowledge of integrating diverse, complex software systems and tools, and implementing operational workflows, processes and procedures to deploy capabilities across large organizations including experience in scaling distributed systems.
- Proven ability to convert functional concepts and requirements into technical designs.
- Ability to influence people and bring groups to consensus, especially from other organizations.
- Product development and software security experience, including secure SDLC practices, security and privacy by design architectures, and secure by default configurations.
- Solid understanding of software security governance, risk and compliance activities i.e. metrics, assessments, audits, exercises, risk frameworks, and maturity models.
- Experience with Continuous Integration, testing and Continuous Deployment technologies and the build out of CI/CD pipelines including build tools such as Jenkins, TeamCity, and Bamboo and CI/CD configuration tools such as Puppet, Chef, Ansible, and Salt.
- Understanding of cloud, embedded, web and mobile platforms and associated architectures.
- Experience in the use of application security tools for security requirements, design, development, testing, deployment and execution (SAST, DAST, SCA, DB security scanning, MAST, IAST, STaaS, penetration testing, code diversity, ASTO, etc.).
- Experience in API development.
- Excellent problem-solving and troubleshooting skills to analyze system integration and automation operational and support issues.
- Familiarity with data management principles and techniques at the enterprise level.
- Ability to deliver results using agile methodologies and tools (e.g. Scrum/Kanban, JIRA).
- Strong interpersonal, organizational, written/verbal communication, and presentation skills.
- Ability to provide consulting, mentorship and training at the technical level.
- Ability to build trust with stakeholders and explain tool configuration/setup, interoperability and automation security topics both at a technical level and abstracted for Senior Management.
- Familiarity with technology risk management related frameworks such as RMF, NIST 800-53, ISA/IEC 62443, UL CAP, ISO 27001, GDPR, CSL, SOC 2 or other comparable frameworks is a plus.
- Bachelor's degree in Computer Science, Engineering, Information Systems, Cybersecurity or related technical degree.
- CISSP, CSSLP, CCSP or related security and PMP project management certifications are a plus.
- Minimum of 10 years of experience; at least 6 years in software development and cybersecurity.
- Travel is occasional (approximately 5%), including international.