Director, Product Security

Johnson & Johnson

Director of Product Security within J&J MedTech, leading a global cybersecurity team across medical devices and software. Defining security strategy and collaborating with regulatory and quality teams.

Posted 5/8/2026full-timeRemote • California, Maine, Nevada, Pennsylvania, South Carolina • 🇺🇸 United StatesLead💰 $150,000 - $258,750 per yearWebsite

Tech Stack

Tools & technologies

CloudCyber SecuritySDLC

About the role

Key responsibilities & impact

Define and execute the Business Units product security strategy aligned with FDA/MDR/524B expectations, and QMS requirements.
Lead and grow a global product security team, fostering collaboration that balances technical rigor with business needs.
Oversee security integration across medical devices, software, mobile applications, embedded devices, and cloud environments.
Partner with Regulatory, Quality, Legal, Privacy, and Commercial teams to ensure cybersecurity requirements are built into Class I, II, and III devices, supporting PMA and 510(k) submissions.
Champion secure SDLC, DevSecOps, SBOM generation/validation, and vulnerability management across device and software platforms.
Lead emerging technologies (AI and Quantum Cryptography) for medical devices and that will be impacted by cybersecurity.
Make internal and external policy recommendations to mitigate threats and vulnerabilities.
Lead post-market security activities including vulnerability disclosures, CAPAs, routine cyber patching, and incident response.
Operationalize implementation of J&J's enterprise level Product Security Quality Standards and framework throughout the MedTech portfolio of medical devices and supporting platforms.
Act as senior product security SME with customers, hospital IT/IS staff, and clinicians, translating technical requirements into clear business and clinical impact.
Represent product security in FDA and international regulatory inspections, reinforcing trust in our devices.
Advance Product Security J&J enterprise Governance and Quality efforts, including J&J Quality Standards for Product Security and ISRM Product Security Framework.
Lead product security Quality and Regulatory cyber efforts within J&J and through key industry forums (e.g., MDIC, AdvaMed, Health-ISAC) to drive alignment and industry collaboration.
Oversee centralized Product Security penetration testing function serving business unit product security teams to provide real-word risk identification and remediation across MedTech product portfolios.
Scaling scale centralized DevSecOps function serving business unit product security teams that integrate security tooling, secure development controls, and vulnerability management processes into CI/CD pipelines and engineering workflows.

Requirements

What you’ll need

Bachelor’s degree in STEM, Engineering, Computer Science, Cybersecurity or related field, or equivalent work experience.
Strong R&D, Regulatory or Quality experience in medical devices is highly preferred
15+ years of MedTech experience in Quality, R&D, engineering, product development, medical devices, or product security, with 5+ years in leadership.
Experience with Class I, Class II, and Class III medical devices, including 510(k) and PMA submissions.
Experience with medical devices, and/or connected product solutions.
Knowledge of hardware and software security, including secure screws, tamper seals, physical port blocking, enclosure access detection, secure boot and system integrity, trusted hardware, secure coding, identity and access management, PKI, integrating security into the development lifecycle (DevSecOps) and manufacturing lifecycle
Experience with medical device cybersecurity regulatory expectations and risk management framework, including FDA cybersecurity guidance, section 524B of the FD&C Act for cyber devices, ISO/IEC 81001-5-1, NIST CSF, NIST 800-175, FIPS 140-3, and IEC 62443 and global frameworks.
Demonstrated success bridging Engineering, Quality, Regulatory, Legal, Privacy, and Commercial functions.
Certifications (nice to have): CISSP, CSSLP, CISM, CISA, or equivalent.

Benefits

Comp & perks

Subject to the terms of their respective plans, employees are eligible to participate in the Company’s consolidated retirement plan (pension) and savings plan (401(k)).
This position is eligible to participate in the Company’s long-term incentive program.
Subject to the terms of their respective policies and date of hire, employees are eligible for the following time off benefits: Vacation –120 hours per calendar year Sick time - 40 hours per calendar year; for employees who reside in the State of Colorado –48 hours per calendar year; for employees who reside in the State of Washington –56 hours per calendar year Holiday pay, including Floating Holidays –13 days per calendar year Work, Personal and Family Time - up to 40 hours per calendar year Parental Leave – 480 hours within one year of the birth/adoption/foster care of a child Bereavement Leave – 240 hours for an immediate family member: 40 hours for an extended family member per calendar year Caregiver Leave – 80 hours in a 52-week rolling period10 days Volunteer Leave – 32 hours per calendar year Military Spouse Time-Off – 80 hours per calendar year

ATS Keywords

✓ Tailor your resume

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools

product security strategysecure SDLCDevSecOpsvulnerability managementpenetration testingrisk identificationsecure codingidentity and access managementhardware and software securitymedical device cybersecurity

Soft Skills

leadershipcollaborationcommunicationpolicy recommendationstranslating technical requirementsfostering teamworkbridging functionsadvocacytrust buildingincident response

Certifications

CISSPCSSLPCISMCISA