The “Product Security Engineer” (PSE) is part of the “First Line of Barco Cyber Defense” within the Business Unit and manages technical aspects of product related security & privacy risks, aligned with the corporate strategy managed by the Security Office (second line of defense). The PSE reports to R&D management.
The Product Security Engineer is responsible for information security and privacy aspects for products within his/her Business Unit on a technical level. The PSE is the first point of contact for all technical security questions from stakeholder functions like R&D. The PSE is responsible for leading and guiding implementation of product technical security & privacy controls, oversee and guarantee adoption of the secure software development lifecycle process, compliance with applicable regulations and informs the Security Office about the progress on these domains.
Main accountabilities:
1. Lead and mentor the group of R&D Security Champions and take ownership of the groups’ meetings and activities, while promoting a culture of security awareness
2. Provide security insights and feedback to R&D at a highly technical level (e.g. during code reviews)
3. Lead R&D teams during threat modeling security risk analyses during design/development phases in accordance with IEC -5-1 and FDA’s premarket cybersecurity guidance.
4. Challenge R&D teams and system architects about the why and how technical security controls should be integrated
5. Design and document technical security controls in different product lines
6. Drive security integration into all stages of the product lifecycle, from design to the post market stage, e.g: Threat modeling Code review process Application security testing (SAST, DAST, …) Vulnerability management (e.g. of open-source packages) Vulnerability scanning (tooling and configuration)
7. Provide security support during product penetration tests executed by external partners
8. Take ownership of incident response management and vulnerability disclosure processes
9. Take ownership for ISO ISMS/audit product development related subjects
10. Contribute to the creation of security whitepapers of the different product lines
11. Key contact point for security/privacy related topics during pre-sales phase
12. Stay up to date with the latest security/privacy technologies, trends and regulations
13. Inform the Security Office about the state of security per product
Education:
14. Master's degree in IT or information security, or equivalent by experience
Experience:
15. At least 3 years of experience in information security or application security, preferably with a software development or software testing background
16. Experience with agile development process across international teams
17. Familiar with ISO x frameworks and risk assessment/treatment
18. Knowledge of third-party auditing and risk assessment methodologies
19. Familiar with security attack pathologies
Competencies:
20. Solid understanding of security protocols, cryptography, authentication, authorization and best practices, including secure boot chains.
21. Proven experience with leading and guiding a group of stakeholders from different functions through threat modeling, utilizing STRIDE or other frameworksExperience with threat modelling of cloud-based systems (SaaS, IaaS, or PaaS)
22. Excellent knowledge of secure coding practices and the Common Vulnerability Scoring System (CVSS) and its application during technical vulnerability assessment
23. Experience with management of 3rd party vulnerabilities through analysis of Software Bill of Materials (SBOM)
24. Ability to explain security concepts and security processes to technical stakeholders such as R&D Software Engineers
25. Very broad technical knowledge: from embedded devices to containerized deployments of services, from backend to frontend
26. Coding skills: C, C++, JavaScript (Rust & Go a bonus)
27. Highly motivated individual with a genuine enthusiasm for information security and technology
28. Eager to stay up to date with the latest technologies
29. Customer-centric mindset
30. Good verbal, written, presentation, facilitation, and interaction skills, including ability to effectively communicate risks, issues and concepts to multiple organization levels and executive management
31. Good communication skills both verbal and written English
32. Ability to prioritize workloads and to know when to seek guidance
Differentiation Criteria
33. Preferably holder of certifications like GIAC, CISSP, CISM, …
34. Experience with cybersecurity standards from the medical device industry (e.g. MDCG -16, IEC -5-1, FDA premarket guidance, …).
D&I Statement
At Barco, innovation drives everything we do. We believe that diversity fuels creativity, bringing us closer to our colleagues and customers. Inclusion and equity aren't just values—they're core capabilities that propel us toward our shared goals and mission.