Senior Staff Product Security Engineer
Haryana, Gurugram International Techpark Gurgaon (ITPG), India
Who we want:
Customer-oriented achievers – Individuals with an unparalleled work ethic and customer focused attitude who bring value to their partnerships.
Self-directed innovators - People who take ownership of their work and need no prompting to drive productivity, change, and outcomes.
Detail-oriented process improvers - Critical thinkers who naturally see opportunities to develop and optimize work processes – finding ways to simplify, standardize and automate.
Collaborative partners - People who build and leverage cross-functional relationships to bring together ideas, information, use cases, and industry analyses to develop best practices.
What you will do:
Product Security is driven to make healthcare better by ensuring that Stryker designs, develops, and maintains industry-leading cyber-secure products for our customers. We are seeking a highly skilled Secure Product Lifecycle Expert to ensure the security of our medical devices across their entire lifecycle. This role is critical in embedding robust security practices into our software development lifecycle (SDL), overseeing post-market security management, and integrating product security into our quality management systems (QMS). The ideal candidate will have experience with embedded systems, a strong understanding of security maturity frameworks such as BSIMM, and familiarity with secure product lifecycle standards like ISO 81001-5-1.
Key Responsibilities:
Secure Development Lifecycle (SDL):
Establish and maintain a comprehensive SDL framework tailored to the medical device industry.
Integrate secure coding practices, threat modeling, and security testing into the development process, with a focus on embedded systems and IoT devices.
Conduct security risk assessments for medical device software and firmware during design and development.
Facilitate security-related training and awareness programs for development teams.
Ensure compliance with regulatory requirements, such as FDA premarket cybersecurity guidance, IEC 62304, ISO 14971, and ISO 81001-5-1.
Post-Market Product Security Management:
Develop and oversee the post-market surveillance program for product security, including vulnerability monitoring and incident response.
Collaborate with product teams to develop and deploy patches, updates, and mitigations for identified vulnerabilities in embedded devices and software systems.
Maintain and enhance procedures for reporting and managing product security issues, ensuring compliance with FDA and other international post-market cybersecurity requirements.
Act as the liaison with external stakeholders, including customers, regulatory agencies, and independent security researchers, to address security concerns.
Integration into Quality Management Systems (QMS):
Define and implement processes for embedding product security practices into the QMS.
Collaborate with quality and regulatory teams to ensure security considerations are documented and auditable.
Support internal and external audits related to product security.
Drive continuous improvement initiatives to enhance security processes and QMS alignment, with a focus on ISO 81001-5-1 compliance.
Security Maturity and Framework Alignment:
Apply security maturity models such as BSIMM to assess and improve the organization’s product security practices.
Ensure alignment with secure product lifecycle frameworks, including ISO 81001-5-1, to embed security as a core component of product development and management.
Cross-Functional Collaboration:
Work with cross-functional teams (e.g., R&D, IT, Regulatory Affairs, Quality Assurance) to ensure security is prioritized throughout the product lifecycle.
Provide technical guidance and expertise on emerging security threats, tools, and technologies relevant to embedded systems.
Lead or support product security certifications as needed (e.g., UL 2900).
What You Need:
Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or related discipline.
Minimum 5 years of related experience.
Strong understanding of secure software development practices, tools, and frameworks (e.g., threat modeling, static/dynamic analysis, penetration testing).
Experience implementing security controls in embedded systems and IoT devices.
Familiarity with security maturity models (e.g., BSIMM) and secure product lifecycle frameworks (e.g., ISO 81001-5-1).
Familiarity with relevant regulations and standards (e.g., FDA cybersecurity guidance, IEC 62304, ISO 14971, ISO 13485).
Knowledge of cybersecurity frameworks (e.g., NIST Cybersecurity Framework, OWASP, MITRE ATT&CK).
Demonstrated competence with compliance, security, and privacy standards and frameworks (e.g., NIST 800-53, HIPAA, GDPR, EU MDCG).
Strong ability to communicate cybersecurity information to engineering, sales, customers, and other non-subject matter experts.
What We Would Love That You Have (Preferred):
Experience conducting HIPAA security assessments.
Experience working in medical device, health care, or other regulated industry.
Professional cybersecurity certifications such as CISSP, CSSLP, CCSP, CISM, HCISSP, etc.
Familiarity with VA or DHA risk management processes (FedRAMP, RMF, ATO).
Familiarity with additional secure product lifecycle frameworks such as IEC 81001-5-1, IEC 62443-4-1.
Familiarity with additional security control standards such as IEC 60601-4-5, IEC 62443-4-2, OWASP ASVS, OWASP MASVS, etc.
Perks/benefits: Career development