The Principal Engineer, Product Cyber Security is a highly technical position serving as the SME for product cybersecurity (cybersecurity requirements writing, threat modeling, asset tracking, vulnerability/defect identification and management, impact assessment, risk control measure development and implementation, security test planning) for proprietary hardware, embedded software, smart device applications and PC software.
Responsibilities
- Collaborate with and contribute to the Sonova Global Product Cyber Security Center of Expertise (CoE).
- Implement Advanced Bionics Product Cyber Security strategy, roadmap, and build the necessary capabilities to execute to the roadmap.
- Continuously monitor and manage Product cyber risks to ensure confidentiality, integrity, and resilience of Sonova products and services, maintaining customer trust and regulatory compliance.
- Report on the effectiveness of security controls.
- Ensure the secure design, development, and maintenance of products, platforms, and services.
- Lead and mentor Advanced Bionics product development, quality, and maintenance teams in cyber security and secure product development lifecycle practices.
- Contribute to the development and implementation of Sonova’s cross-divisional product cyber security strategy and ensure its adoption by Advanced Bionics.
- Monitor threats and regulatory landscapes, conducting gap assessments against standards and frameworks.
- Identify security requirements for business processes and products.
- Define, implement, and maintain global and Advanced Bionics-specific product security policies, standards, controls, and processes.
- Provide guidance on secure design, development, and maintenance of products, software applications, platforms, and services.
- Conduct threat modeling and cyber risk assessments.
- Define and execute security verification and validation tasks, such as design and code reviews, static and dynamic code analysis, vulnerability scanning, and penetration testing.
- Perform and support vulnerability management for products and services.
- Support the creation of security documentation and required quality management deliverables.
- Drive and contribute to the automation of security practices (DevSecOps).
- Measure and report on the effectiveness of security controls using meaningful KPIs.
- Act as an ambassador for information security and cyber risk, promoting awareness and a secure culture within the organization.
- Provide guidance on product cyber security topics and risks to relevant stakeholders.
- Support cyber security incident management, response, and customer complaint processes. Participate in tabletop exercises.
- Initiate periodic Product Security Health Checks/Risk Assessments and manage mitigation measures.
- Drive continuous improvement in your area of responsibility.
- Support security reviews, internal, and external audits.
- Communicate and report product security risk status to senior and product management.
- Build and maintain relationships with internal stakeholders and external partners.
- Support communication with external stakeholders, including customers, authorities, and other third parties related to product security.
- Stay updated on current Cyber Security trends, best practices, technologies, regulatory requirements, and risks.
- Work with the Director of Product Cyber Security Center of Expertise to set strategic direction and planning for product security risk for Advanced Bionics and Sonova globally.
- Other duties and responsibilities as assigned by your manager.
Qualifications
Bachelor's degree with 10+ years of relevant experience, or Master's degree with 8+ years of relevant experience (computer science or engineering).
Experience/Technical competencies:
- Previous medical device experience (Class III).
- Expertise in secure software development lifecycle practices.
- 5+ years of medical device cybersecurity experience.
- Proficient in threat modeling, security assessments, security verification, and security engineering.
- Ability to conduct security audits.
- Knowledge of the OWASP Top 10 and the CWE/SANS Top 25.
- Knowledge of cloud security aspects.
- Integration of IEC 62443 into the SDLC.
- Continuously update knowledge on current cybersecurity trends, best practices, technologies, regulatory requirements, and risks.
- Ability to think strategically and adapt to changing circumstances.
- Comfortable navigating both technical and business issues, with a strong understanding of business needs.
- Familiar with participating in internal and external compliance audits (FDA/TUV); front room experience desired.
- Secure SDLC Practices: Expertise in secure software development lifecycle practices.
- CI/CD: Knowledge of continuous integration and continuous delivery processes.
- Cryptography: Proficiency in cryptographic methods.
- Authentication & Authorization: Familiarity with protocols such as OAuth2 and WebAuthn.
- Application Security: Experience in securing applications.
- Vulnerability Management: Skilled in identifying and managing vulnerabilities.
- Security Audits: Ability to conduct security audits.
- External Communication: Capable of communicating security-related information to external stakeholders.
- Security & Privacy Standards: Knowledge of security and privacy frameworks and standards.
- Regulatory Compliance: Understanding of relevant regulations such as GDPR, MDR, FDA, and HIPAA.
- AI: Experience with artificial intelligence applications.
Programming Languages:
- Proficient in C, C++, C#, Java, Swift, Kotlin, TypeScript, and Rust.
- Scripting Languages: Skilled in Python, PowerShell, and bash.
- Software Frameworks & Services: Experience with .NET Framework, .NET Core, Angular, and Azure.
- Communication Protocols: Knowledge of Bluetooth (Classic, LE), WLAN, and TLS, with an understanding of their security protocols.
- Process/Project Management: Strong capabilities in managing processes and projects.
- Software Development: Hands-on experience with smart device, PC, and embedded software code.
- Wireless Protocol Vulnerabilities: Familiarity with common wireless protocol vulnerabilities, including RF, Bluetooth, and Wi-Fi.
- Penetration & Fuzz Testing: Experience with penetration and fuzz testing.
Leadership Competencies:
- Expert in Leading Self
- Expert in Leading Systems
- Ability to influence without authority
IT Skills:
Good working knowledge of Windows, MS Office, Linux, macOS, iOS, and Android.