The "Product Security Engineer" (PSE) is part of the "First Line of Barco Cyber Defense" within the Business Unit and manages technical aspects of product-related security & privacy risks, aligned with the corporate strategy managed by the Security Office (second line of defense). The PSE reports to R&D management.
The Product Security Engineer is responsible for information security and privacy aspects of products within his/her Business Unit on a technical level. The PSE is the first point of contact for all technical security questions from stakeholder functions such as R&D. The PSE is responsible for leading and guiding the implementation of product technical security & privacy controls, for overseeing and guaranteeing adoption of the secure software development lifecycle process and compliance with applicable regulations, and for informing the Security Office about progress in these domains.
Main Accountabilities
* Lead and mentor the group of R&D Security Champions and take ownership of the groups' meetings and activities, while promoting a culture of security awareness
* Provide security insights and feedback to R&D at a highly technical level (e.g. during code reviews)
* Lead R&D teams through threat modeling and security risk analyses during the design/development phases, in accordance with IEC standards and FDA's premarket cybersecurity guidance
* Challenge R&D teams and system architects on why and how technical security controls should be integrated
* Design and document technical security controls in different product lines
* Drive security integration into all stages of the product lifecycle, from design to the post-market stage, e.g.:
  * Threat modeling
  * Code review process
  * Application security testing (SAST, DAST, …)
  * Vulnerability management (e.g. of open-source packages)
  * Vulnerability scanning (tooling and configuration)
* Provide security support during product penetration tests executed by external partners
* Take ownership of incident response management and vulnerability disclosure processes
* Take ownership of ISO 27001 ISMS/audit subjects related to product development
* Contribute to the creation of security whitepapers of the different product lines
* Key contact point for security/privacy related topics during pre-sales phase
* Stay up to date with the latest security/privacy technologies, trends and regulations
* Inform the Security Office about the state of security per product
Education
Master's degree in IT or information security, or equivalent by experience
Experience
* At least 3 years of experience in information security or application security, preferably with a software development or software testing background
* Experience with agile development process across international teams
* Familiar with ISO 2700x frameworks and risk assessment/treatment
* Knowledge of third-party auditing and risk assessment methodologies
* Familiar with security attack pathologies
Competencies
* Solid understanding of security protocols, cryptography, authentication, authorization and best practices, including secure boot chains.
* Proven experience with leading and guiding a group of stakeholders from different functions through threat modeling, utilizing STRIDE or other frameworks
* Experience with threat modelling of cloud-based systems (SaaS, IaaS, or PaaS)
* Excellent knowledge of secure coding practices and the Common Vulnerability Scoring System (CVSS) and its application during technical vulnerability assessment
* Experience with management of 3rd party vulnerabilities through analysis of Software Bill of Materials (SBOM)
* Ability to explain security concepts and security processes to technical stakeholders such as R&D Software Engineers
* Very broad technical knowledge: from embedded devices to containerized deployments of services, from backend to frontend
* Coding skills: C, C++, JavaScript (Rust & Go a bonus)
* Highly motivated individual with a genuine enthusiasm for information security and technology
* Eager to stay up to date with the latest technologies
* Customer-centric mindset
* Good verbal, written, presentation, facilitation, and interaction skills, including ability to effectively communicate risks, issues and concepts to multiple organization levels and executive management
* Good communication skills, both verbal and written, in English
* Ability to prioritize workloads and to know when to seek guidance
Differentiation Criteria
* Preferably holder of certifications like GIAC, CISSP, CISM, …
* Experience with cybersecurity standards from the medical device industry (e.g. MDCG, IEC, FDA premarket guidance, …).