Director, Product Security – Corporate Information Security
When you’re part of the team at Thermo Fisher Scientific, you’ll do important work, like helping customers in finding cures for cancer, protecting the environment or making sure our food is safe. Your work will have real-world impact, and you’ll be supported in achieving your career goals.
The Director, Product Security has global responsibility for the Global Product Security program, including its strategy, planning, and execution. He/she will own the overarching program responsible for ensuring security is integrated into relevant Thermo Fisher products (such as instruments, equipment, and other electronic and/or connected devices). We are looking for a true leader who wants to build a program of talented product security specialists and an evangelist who can educate and inform the business on product, instrument, device, and IoT security. This position reports to the Chief Information Security Officer.
- Partner with key product development leaders to ensure security is incorporated in all customer-facing product offerings.
- Lead efforts to inject security into all levels of the software development process.
- Build out team of security professionals to support the Global Product Security Program.
- Develop and actively lead a Product Security steering committee and working group to prioritize efforts, shed light on issues, and work to resolve identified security risks.
- Spearhead strategic vision to manage both internal and external risks associated with our products.
- Define scope and priority matrix to help focus efforts in the appropriate direction.
- Drive secure development and integration of security features into all phases of product and software design and development.
- Lead programs to ensure continuous development and improvement of security integration into the product development lifecycle.
- Partner with architecture and development leaders to develop shared software frameworks to enable consistent application of secure coding best practices across the enterprise.
- Build solid working relationships with business stakeholders to maintain and improve product and application security processes.
- Contribute to maturing process, policy, and standards guidance.
- Educate key stakeholders on program, risks, and importance of security in our products.
- Work with business units to identify, capture, escalate, and close security vulnerabilities found in Thermo Fisher products and platforms; leverage tools to deliver vulnerability information back to the development organization for remediation.
- Coordinate, participate, and deliver threat modeling for given designs and architectures.
- Analyze reports from Static and Dynamic Code Analysis tools and use as material for software engineering education.
- Coordinate/participate in and perform design reviews, peer reviews, and code reviews.
- Partner with vulnerability management and security awareness teams to develop secure code practices and provide hands-on training to developers and quality engineers.
- Ensure excellent consistency, documentation, and process across all programs.
- Develop a team of business security liaisons across the various business divisions and groups of Thermo Fisher to ensure that product security is top of mind and to gain program breadth, visibility, and control of our instrument/device environment.
- Coordinate security risk assessments for new products through the risk assessment team.
- Collaborate with other departments (e.g., Risk Management, Internal Audit, HR, Legal, etc.) to direct compliance issues to appropriate existing channels for investigation and resolution.
- Consult with the internal legal team to resolve potential legal compliance issues.
- Research latest security best practices when it comes to device/instrument/IoT, staying current on new vulnerabilities and threats.
- Proactively advise the business on how to maintain compliance with appropriate regulatory requirements or industry best practices.
- Past Senior Management, Director, or VP experience managing teams of senior security professionals
- Knowledge of applicable industry standards, leading security practices, and regulatory requirements
- Deep understanding of cryptography, authentication, authorization, network security protocols, and web application security
- Strong exposure to popular application security standards including OWASP TOP 10, SANS TOP 25 etc.
- Bachelor’s Degree in Information Assurance, Information Security, Management Information Systems, Risk Management, or Computer Science (Master’s Degree a plus)
- Relevant technical certificates a plus
- 8+ years of related work experience with product security, secure software development, risk assessment, or vulnerability management
- Technical experience within IoT, DevSecOps and/or application security is highly preferred
- Strong interpersonal and documentation skills are a must
- Ability to explain and champion technical concepts to a broad audience focusing on business acumen
- Strong attention to detail, organizational skills
- Excellent customer service skills required
- Strong analytical and product management skills required, including a thorough understanding of how to interpret customer business needs and translate them into application and operational requirements
- Excellent verbal and written communication skills and the ability to interact professionally with a diverse group, executives, managers, and subject matter experts