Application Security Engineer
Cork, Ireland
Johnson Controls
Applying data from both inside buildings and beyond, our customers can now manage operations systemically. The future is being built today, and Johnson Controls is making that future more productive, more secure and more sustainable. We are harnessing the power of cloud, data analytics, the Internet of Things, and user design thinking to deliver on the promise of intelligent buildings and smart cities that connect communities in ways that make people’s lives – and the world – better.
What you will do
In this high impact opportunity within the Application Security organization, you will report directly to the Manager, Application Security. You will drive continuous improvement initiatives aligned to our cybersecurity maturity framework and roadmap, ensuring proactive management of security and data privacy risk across the full lifecycle of our products, applications, platforms, and service offerings.
You will apply your expertise in secure software development practices to ensure security and privacy by design requirements are fulfilled and that applications are delivered with strong cybersecurity as a core feature.
In this position, you will play a pivotal role in managing cybersecurity risk, differentiating Johnson Controls, and enabling business success.
How you will do it
- Provide cybersecurity expertise and guidance to application development teams, security champions, and business leaders throughout all phases of the software development life cycle.
- Drive policy compliance and high quality for secure SDLC activities – security requirements, security architectures, threat and attack models, supply chain security, code reviews, SAST, DAST, IAST, penetration testing, and security hardening. Architect security and privacy by design and secure-by-default into software applications for mobile, embedded systems, and cloud.
- Periodically assess security policies, standards, and metrics to drive improvements that help Johnson Controls adapt to evolving regulatory, customer, and threat environments.
- Drive efforts to quantify residual product and application risk and identify appropriate security controls.
- Drive efforts to advance innovative security features, capabilities, and practices.
- Review application architectures for security design gaps and vulnerabilities and consult with development teams to remediate or mitigate cyber risk.
- Assist coordination of third-party penetration testing vendor engagements with product teams.
- Help engineers and product managers identify solutions to meet cybersecurity requirements.
- Build and operate automation and scripting to integrate various tools and processes.
- Assist DevOps teams with building secure and robust pipelines.
- Maintain current knowledge of security threats and vulnerabilities that could impact products and applications.
- Support incident response operations, training, and exercises, including exploitation analysis and countermeasure testing.
- Assist coordination and tracking of vulnerability remediation activities.
- Raise security awareness and drive security training and certification for people and products.
- Support periodic reporting to senior executive leadership on health and status of the application security program, cybersecurity risks, risk mitigations, and trends.
- Use agile project management to manage resources and track milestones and deliverables.
- Support company response to customer audits and inquiries pertaining to product security.
- Support internal audits and assessments to identify risks and determine mitigation actions.
- Identify cybersecurity opportunities that enhance the developer and customer experience.
- Support cybersecurity risk and technology assessments.
What we look for
- Knowledge of cybersecurity compliance, regulations, industry standards and certifications.
- Demonstrated problem-solving skills to analyze customer cyber issues and requirements (regulatory, policy, customer, industry standard) and link to appropriate security controls.
- Scripting and automation experience.
- Excellent written and verbal communication and presentation skills.
- Experience delivering applications on a DevOps team.
- Experience with Operational Technologies (e.g. Controls Systems, Building Management) a plus.
- Customer relations acumen with ability to explain complex technical details to a wide audience.
- Excellent interpersonal, organizational, written and verbal communication skills.
- Minimum of 4 years of professional work experience in a cybersecurity role.
- BS/BA in cybersecurity, computer science, engineering, or related technical degree.
- Cybersecurity certifications, e.g. CISSP, GSEC, Sec+, or related are preferred.
- Travel is occasional up to 10-15%, including international.
Tags: Agile Analytics Application security Audits Automation CISSP Cloud Compliance Computer Science DAST Data Analytics DevOps GSEC IAST Incident response Internet of Things IoT Pentesting Privacy Product security SAST Scripting SDLC Vulnerabilities
Perks/benefits: Career development Team events