Smith+Nephew

Principal Product Security Engineer

IND - NonGBS-Pune-Kharadi Full time

Life Unlimited. At Smith+Nephew, we design and manufacture technology that takes the limits off living.

Join our dynamic team and embark on an exciting journey of innovation and growth as we seek a hard-working and dedicated individual for the role of Principal Product Security Engineer to join our Global IT team. You will work in collaboration with Global IT, R&D and Compliance Teams, and will provide hands-on cybersecurity architecture and engineering services with the goal of ensuring Smith + Nephew products and their data are secure and resilient to cybersecurity threats. You will serve as the definitive voice of cybersecurity considerations for Smith + Nephew's portfolio of assigned technologies, capital devices, digital accessories, connected infrastructures and software applications.

What will you be doing?

  • You will collaborate with a diverse cohort of internal stakeholders to design, engineer, and ensure implementation of the security requirements, controls and process governance needed to incorporate security through the entire lifecycle of a product (Development, Pre-Market, Post-Market and Retirement).

  • You will be responsible for identifying, developing, and explaining cybersecurity requirements and controls. Requirements and controls will be sourced from process-driven activities (e.g. Policies, Standards, Frameworks, Threat Modelling and Risk Assessments) and technical assessments (e.g. Requirements Analysis, Static Application Security Testing, Dynamic Application Security Testing, Software Composition Analysis, and Penetration Testing). Requirements and controls will range from hardening activities and requirements (Identify/Protect) to incident response (Detect, Respond, Recover).

  • Technical Cybersecurity Architecture and Engineering Services - Lead the definition and ensure the implementation of cybersecurity requirements and controls in support of multiple Smith + Nephew technologies, capital devices, digital accessories, connected infrastructures and software applications.

  • Product Security Risk Management and Threat Modelling - Lead the creation and maintenance of Product Cybersecurity Risk Registers and Threat Models throughout the development lifecycle to identify and mitigate cybersecurity deficiencies as early in the development lifecycle as possible.

  • Product Security Testing and Assessment - Lead the execution and integration of cybersecurity testing and assessment activities throughout the development lifecycle to identify and formulate mitigation strategies for cybersecurity deficiencies. Support the identification of technical solutions and ensure the integration of automated security tools and processes to help mitigate security vulnerabilities. This includes but is not limited to: Vulnerability Testing, Penetration Testing, Code Analysis, Endpoint Protections, etc.

  • Incident Response - support best practice (ISO 29147/30111) product cyber security incident response (IR) activities.

  • Secure-Software Development Life Cycle - Help develop and mature Global Product Security Strategy and Secure-Software Development Life Cycle (S-SDLC) to ensure robust cyber security controls are present and effective in our products from product conceptualization through commercial launch and ultimately product/product family decommissioning. Ensure ongoing awareness and understanding of emerging threats and industry best practices.

  • Outward Facing - Provide technical leadership and competency in communications with stakeholders outside of Smith + Nephew. Help to answer questions regarding the security of different products. This includes but is not limited to: Regulators, Customers, Auditors, Industry Groups, Researchers, etc.

What will you need to be successful?

  • Education: Bachelor’s degree in Computer Science or a related field, or an equivalent combination of training and experience.
  • Licenses/Certifications:
      ◦ Current CISM, CISSP, CRISC, or equivalent certification preferred.
  • Operating Mode: Work from office – Hybrid, 2 days a week.
  • Experience:
      ◦ Proven relevant experience of 5+ years in product/device security, hands-on cybersecurity, application security, or IT information security.
      ◦ Strong understanding of mitigating security controls, Vulnerability Management, Penetration Testing, Code Security, and Security Governance models.
      ◦ IT Risk and Vendor Risk Assessments; FDA and other medical device regulators.
      ◦ Knowledge of cyber security standards and frameworks such as HIPAA, FDA, ISO 27001/2, NIST CSF, and OWASP.
      ◦ Understanding of network infrastructure, including firewalls, web proxy and/or email architecture, particularly as they apply as mitigating controls.
      ◦ Experience with different cloud computing platforms and cloud security frameworks.
      ◦ Ability to design, recommend, plan, guide, and support implementation of innovative security solutions.
      ◦ Ability to manage and prioritize multiple tasks effectively.
      ◦ Ability to work independently and proactively without daily direction, working across multiple teams and business lines.
      ◦ Understanding of the current Medical Device market, including what customers want to see with regard to product security.
      ◦ Understanding of back-channels typically used by threat actors for malicious activity.
      ◦ Understanding of different connectivity protocols and the risks involved with them.

You. Unlimited.

We believe in crafting the greatest good for society. Our strongest investments are in our people and the patients we serve.

Inclusion + Belonging - Committed to Welcoming, Celebrating and Thriving. Learn more about our Employee Inclusion Groups on our website https://www.smith-nephew.com/

Other reasons why you will love it here!

  • Your Future: Major Medical coverage + Policy exclusions and insurance non-medical limit. Educational Assistance.
  • Work/Life Balance: Flexible Personal/Vacation Time Off, Privilege Leave, Floater Leave.
  • Your Wellbeing: Parents / Parents in Law’s Insurance, Employee Assistance Program, Parental Leave.
  • Flexibility: Hybrid Work Model (For most professional roles)
  • Training: Hands-On, Team-Customized, Mentorship
  • Extra Perks: Free Cab Transport facility for all employees, One Time Meal provided to all employees as per shift. Night Shift Allowances.

#YS1

Stay connected by joining our Talent Community.

We're more than just a company - we're a community! Follow us on LinkedIn to see how we support and empower our employees and patients every day.

Check us out on Glassdoor for a glimpse behind the scenes and a sneak peek into You. Unlimited., life, culture, and benefits at S+N.

Explore our website and learn more about our mission, our team, and the opportunities we offer.