Principal Product Security Architect

Johnson Controls - Concord, ON (4 months ago)

Apply Now

What you will do
The future is being built today, and Johnson Controls is making that future more productive, more secure and more sustainable. We are harnessing the power of cloud, data analytics, the Internet of Things, and user design thinking to deliver on the promise of intelligent buildings and smart cities that connect communities in ways that make people’s lives – and the world – better.

In this career defining opportunity within the Global Product Security organization, you will drive continuous improvement initiatives aligned to our cybersecurity maturity framework and roadmap, ensuring proactive management of security and data privacy risk across the full lifecycle of our products, platforms, and service offerings. You will apply your expertise in secure software development practices to ensure security and privacy by design requirements are fulfilled and that products are released to market with strong cybersecurity as a core feature. In this role, you will play a pivotal role in managing cybersecurity risk, differentiating Johnson Controls, and enabling business success.

How you will do it
Provide cybersecurity expertise and guidance to product development teams, security champions, and business leaders throughout all phases of the software development life cycle.
Drive policy compliance and high quality for secure SDLC activities - security requirements, security architectures, threat and attack models, supply chain security, code reviews, SAST, DAST, IAST, penetration testing, and security hardening.
Architect security and privacy by design and secure-by-default into software applications for mobile, embedded systems, and cloud.
Periodically assess security policies, standards, and metrics to drive improvements that help Johnson Controls adapt to evolving regulatory, customer, and threat environments.
Drive efforts to quantify residual product risk and identify appropriate security controls.
Drive efforts to advance innovative security features, capabilities, and practices.
Review product architectures for security design gaps and vulnerabilities and consult with product teams to remediate or mitigate cyber risk.
Assist coordination of third party penetration testing vendor engagements with product teams.
Help engineers and product managers identify solutions to meet cybersecurity requirements.
Help business unit leaders understand security risks and participate in project resource planning.
Maintain current knowledge of security threats and vulnerabilities that could impact products.
Support incident response operations, training, and exercises, including exploitation analysis and countermeasure testing.
Assist coordination and tracking of vulnerability remediation activities.
Raise security awareness and drive security training and certification for people and products.
Support periodic reporting to senior executive leadership on health and status of the product security program, cybersecurity risks, risk mitigations, and trends.
Use agile project management to manage resources and track milestones and deliverables.
Support company response to customer audits and inquiries pertaining to product security.
Support internal audits and assessments to identify risks and determine mitigation actions.
Identify cybersecurity opportunities that enhance the developer and customer experience.
Support product security committees, boards, councils and working groups.
Support cybersecurity risk and technology assessments.
Speak at customer-facing events and present at conferences.
Position can be also be located in Toronto ON, CA or Montreal QC, CA


What we look for
Technical and operational excellence, thought leadership, and integrative thinking.
Expert knowledge and practical product and software security experience, including secure SDLC practices, security and privacy by design architectures, and secure by default configurations.
Strong problem-solving skills to analyze cybersecurity issues and requirements (legal/regulatory, policy, customer, industry standards) and relate them to appropriate security controls.
Experience supporting software security governance and compliance activities, i.e. metrics, assessments, audits, exercises, risk frameworks, and maturity models.
Demonstrated ability to lead change initiatives that intelligently manage software cyber risks.
Proven ability to deliver results using agile methodologies and tools (e.g. Scrum/Kanban, Jira).
Understanding of Product Security Incident Response Team (PSIRT) processes and activities.
Understanding of agile software development and continuous integration/deployment.
Practical experience with Linux OS, programming and scripting languages (e.g. Java, Python, Perl), and security tools (e.g. Kali, Nessus, Netsparker, openVAS, BurpSuite, Metaspolit).
Understanding of embedded systems architectures (e.g. ARM, Cortex), embedded systems tools/emulators, RTOS/Linux, network protocols and programming languages (such as C/C++).
Understanding of penetration testing, reverse engineering, software attack vectors, fault injection, device fingerprinting, and tamper resistance.
Understanding TPM, Secure Boot, OTP, PKI, SPI/I2C bus analyzers, JTAG probing.
Knowledge of current security threats and techniques for exploiting software vulnerabilities.
Understanding of web and mobile application secure design principles such as OWASP.
Understanding of data protection, secure cloud, and network infrastructure design principles.
Familiarity with technology risk management related frameworks such as RMF, NIST 800-53, ISA/IEC 62443, UL CAP, ISO 27001, GDPR, CSL, CSA, SOC 2 and other comparable.
Experience with Operational Technologies (e.g. Controls Systems, Building Management) a plus.
Superior interpersonal, organizational, written/verbal communication, and presentation skills.
Ability to build trust with stakeholders and explain complex security topics to all audiences.
Active participation in hackathons, cybersecurity competitions, and exercises are a plus.
CSSLP, CISSP, CCSP, OSCP, CEH or related cybersecurity certifications.
Bachelors degree in Cybersecurity, Computer Science, Engineering, Information Systems, or related technical degree. Masters degree is preferred.
Minimum of 10 years of experience with at least 6 years in software or product cybersecurity.
Travel is occasional at approximately 10%, including international.
Johnson Controls International plc. is an equal employment opportunity and affirmative action employer and all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, protected veteran status, genetic information, status as a qualified individual with a disability, or any other characteristic protected by law. For more information, please view EEO is the Law. If you are an individual with a disability and you require an accommodation during the application process, please

Job Engineering
Primary LocationCAN-Ontario-Concord
Organization Bldg Technologies & Solutions
Overtime Status-Exempt