Application Security Engineer II

JCI HQ Glendale, United States

Johnson Controls

Applying data from both inside buildings and beyond, our customers can now manage operations systemically.


Build your best future with the Johnson Controls team 

As a global leader in smart, healthy and sustainable buildings, our mission is to reimagine the performance of buildings to serve people, places and the planet. Join a winning team that enables you to build your best future! Our teams are uniquely positioned to support a multitude of industries across the globe. You will have the opportunity to develop yourself through meaningful work projects and learning opportunities. We strive to provide our employees with an experience focused on supporting their physical, financial, and emotional wellbeing. Become a member of the Johnson Controls family and thrive in an empowering company culture where your voice and ideas will be heard – your next great opportunity is just a few clicks away!

What we offer: 

  • Competitive salary 

  • Paid vacation/holidays/sick time 

  • Comprehensive benefits package including 401K, medical, dental, and vision care 

  • On the job/cross training opportunities 

  • Encouraging and collaborative team environment 

  • Dedication to safety through our Zero Harm policy 

What you will do:

In this high impact opportunity within the Application Security organization, you will report directly to the Manager, Application Security. You will drive continuous improvement initiatives aligned to our cybersecurity maturity framework and roadmap, ensuring proactive management of security and data privacy risk across the full lifecycle of our products, applications, platforms, and service offerings.

You will apply your expertise in secure software development practices to ensure security and privacy by design requirements are fulfilled and that applications are delivered with strong cybersecurity as a core feature.

In this position, you will play a pivotal role in managing cybersecurity risk, differentiating Johnson Controls, and enabling business success.

How you will do it:

  • Provide cybersecurity expertise and guidance to application development teams, security champions, and business leaders throughout all phases of the software development life cycle.

  • Drive policy compliance and high quality for secure SDLC activities – security requirements, security architectures, threat and attack models, supply chain security, code reviews, SAST, DAST, IAST, penetration testing, and security hardening. Architect security and privacy by design and secure-by-default into software applications for mobile, embedded systems, and cloud.

  • Drive efforts to quantify residual product and application risk and identify appropriate security controls.

  • Review application architectures for security design gaps and vulnerabilities and consult with development teams to remediate or mitigate cyber risk.

  • Assist with coordination of third-party penetration testing vendor engagements with product teams.

  • Help engineers and product managers identify solutions to meet cybersecurity requirements.

  • Maintain current knowledge of security threats and vulnerabilities that could impact products and applications.

  • Support incident response operations, training, and exercises, including exploitation analysis and countermeasure testing.

  • Assist with coordination and tracking of vulnerability remediation activities.

  • Raise security awareness and drive security training and certification for people and products.

  • Support periodic reporting to senior executive leadership on health and status of the application security program, cybersecurity risks, risk mitigations, and trends.

  • Use agile project management to manage resources and track milestones and deliverables.

  • Support internal audits and assessments to identify risks and determine mitigation actions.

  • Identify cybersecurity opportunities that enhance the developer and customer experience.

  • Support cybersecurity risk and technology assessments.

What we look for:

  • Knowledge of cybersecurity compliance, regulations, industry standards and certifications.
  • Excellent written and verbal communication and presentation skills.
  • Experience with Operational Technologies (e.g. Controls Systems, Building Management) a plus.
  • Customer relations acumen with ability to explain complex technical details to a wide audience.
  • Excellent interpersonal, organizational, written and verbal communication skills.
  • Relevant work experience.
  • BS/BA in cybersecurity, computer science, engineering, or related technical degree.
  • Cybersecurity certifications, e.g. CISSP, GSEC, Sec+, or related are preferred.
  • Travel is occasional up to 10-15%, including international.

NOTE: This is a virtual/remote position considering candidates who reside within the United States.

Johnson Controls International plc. is an equal employment opportunity and affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, protected veteran status, genetic information, sexual orientation, gender identity, status as a qualified individual with a disability or any other characteristic protected by law. To view more information about your equal opportunity and non-discrimination rights as a candidate, visit EEO is the Law. If you are an individual with a disability and you require an accommodation during the application process, please visit here.


Tags: Agile Application security Audits CISSP Cloud Compliance Computer Science DAST GSEC IAST Incident response Pentesting Privacy SAST SDLC Vulnerabilities

Perks/benefits: Career development Competitive pay Health care Team events

Region: North America
Country: United States
