Reporting to the Head of Digital Security and Privacy, the Product Cybersecurity Specialist is responsible for developing, implementing, and enforcing the policies and procedures of the organization's security and privacy program in accordance with applicable laws and regulations. He/she assists the businesses in setting up processes and technical controls that support the data security and privacy strategy, ensuring that software products and embedded systems are secure and documented in line with the business strategy.
The Product Cybersecurity Specialist provides in-depth knowledge of data protection and information security practice, helps define requirements, and gives guidance to internal and external stakeholders on security topics. He/she leverages software engineering experience and security and privacy technical leadership skills to drive innovative technologies into our products and make a difference in patients' lives. He/she collaborates with R&D and Digital teams, Quality Assurance, Compliance, Product Management, etc. to conduct security risk assessments, code reviews, application security testing, vulnerability assessments, the bug bounty program, etc.
The Specialist should demonstrate experience of taking accountability within a global security and privacy program, and the attitude to become a trusted partner who is proactive, positive, and provides high-quality responses. This role is suitable for candidates with the right skills and mindset who also share the Roche values and make an active contribution to achieving our vision.
- Develop and maintain an application security policy within the organization's software development lifecycle; design of security policy education, training, and awareness activities; monitoring compliance with security policy and applicable law; and coordinating investigation and reporting of security incidents.
- Conduct the information security risk management process for digital solutions and define their security requirements; follow up on security and privacy preventive/corrective actions for those solutions, making sure they comply with the company's requirements and are resolved in a timely manner.
- Conduct internal audits of existing hardware and firmware products to check if they follow best practices and meet security requirements and applicable data privacy and health regulations. Lead security reviews, participate in design FMEA and Hazards Analyses.
- Perform security review of solution design/architecture and propose changes if required, reviewing the security features of existing and new digital solutions to assess that they meet the security requirements for key health regulations, privacy law and Roche standards and policies.
- Lead the definition of security and privacy requirements, design and provide guidance and review in related testing efforts for software projects and systems, ensuring that documentation is created and maintained within the project records.
- Support cybersecurity aspects of FDA submissions for medical devices and other relevant medical authorities.
- Research problems discovered by or reported to product support (including new security and privacy threats) and identify / develop solutions.
- Participate in design and code reviews with internal and / or external developers.
- Maintain relevant SOPs and provide the guidance for testing of products, ensuring compliance with regulatory requirements while balancing the concerns for time to market, product quality, and customer satisfaction.
- Perform highly complex system analysis and programming activities on applications software, embedded systems, and their interoperable ecosystem.
- Assist in providing estimates of task effort and resource/skills needed using standard estimation methods.
- Document and report any security incident or security issue in a timely manner to senior management and other relevant Roche security teams.
- Participate and/or manage security certifications or other audit efforts according to the needs of the organization or products.
- Maintain proficiency in current technology, design practices, architectures, software and networking processes, tools, and methods. Make recommendations regarding the implications and application of these advances.
- Assess and strengthen the security practices, tooling, and capabilities of the development environments and manufacturing processes.
- Act as the security subject matter expert for product security and respond to security questions and requests. Serve as technical consultant to other members of the organization, such as product management and product marketing, in all areas of system and software design related to security and privacy, providing detailed analysis, feedback, and other assistance as required.
- Foster both general and application security awareness and education across Diabetes Care Global R&D and Digital.
Key Skills and Experience
- Bachelor's degree in Computer Science, Telecommunications or an equivalent engineering discipline.
- 7+ years of professional experience in international security teams, preferably in regulated environments of the diagnostics and/or pharmaceutical industry or the card payment industry.
- 7+ years of experience in medical device or medical software development and/or software engineering, with strong competencies in security and privacy for computer systems and software.
- Strong experience in security and privacy in software and embedded (preferably regulated medical) systems. Current technologies to secure include Java, C#, embedded C, Bluetooth, USB, J2EE, and Oracle.
- Deep understanding of web and mobile applications security threats and significant experience with vulnerability management and penetration testing against a wide variety of application layer platforms, including web, mobile and desktop solutions, above and beyond running automated tools.
- Deep understanding of and experience in software development or application security testing, including exposure to the OWASP Top 10: analyzing, architecting fixes for, and leading developers in remediating code-level vulnerabilities.
- Deep knowledge and experience with security and privacy techniques and practices (threat modeling, risk analysis, encryption design and authentication methods, de-identification, key management, etc).
- Demonstrated team player with the ability to communicate effectively with members of multiple development teams at multiple levels: requirements, analysis, architecture, risk, design, implementation and testing.
- Highly responsive with an ability to handle escalations quickly and professionally.
- Ability to report on, and provide fixes for, identified vulnerabilities at the code level in a developer-friendly way.
- Knowledge of security and privacy standards and regulations such as ISO 27001 and GDPR, of healthcare and government frameworks such as HIPAA, HITRUST and FedRAMP, and of organizational procedures for security and privacy management.
- Relevant Security Certifications are desirable: CISA, CISSP, CEH, OSCP, CCSP or any other SANS / GIAC certification, etc.
- Excellent English reading, writing, listening and speaking skills to support Global R&D and Digital teams and partners.
- Ability to travel internationally as required up to 10% of the time.
- Location: Sant Cugat (Barcelona), Mannheim or Indianapolis