Director, Product Security Engineering
Businesses: Carrier
Job ID: 01359132
Date posted: 10/02/2019
City: Palm Beach Gardens
State: Florida
Country: United States of America
Location: CAF77: CCS - CIB 13995 Pasteur Blvd, Palm Beach Gardens, FL, 33418 USA
Role Value Proposition:
Reporting to the Chief Information Security Officer (CISO) of Carrier, the Director, Product Security (“Director”) will have accountability for the processes related to the secure development and management of Carrier products and associated connected services across all business lines. This role will work alongside the Director of Cybersecurity Architecture and Engineering to ensure the confidentiality, availability and integrity of the Carrier product data and functionality.
The scope of the Director role includes creating the vision and direction for the product security program, including secure development standards, product security architecture, and the overall risk management program for the product lifecycle. Your responsibilities include identification and mitigation of threats to Carrier products, through leadership of collaborative efforts among the product engineering and cybersecurity teams across several security domains. These include, but are not limited to: Security Architecture, Application Security, Cloud Security, Identity & Access Management, & Public Key Infrastructure (PKI). The Director will be responsible for defining the product security framework and establishing internal tollgates for reviewing new product design and product updates for potential cyber security risks in current and future states.
- Thinks strategically – Sets direction for the product security strategy aligned to the company’s core business strategies and industry trends in connected product functionality and security architecture standards.
- Creates partnerships – Builds trusted relationships with business stakeholders across diverse and multi-functional internal and vendor teams to successfully align product security standards with business objectives and future product and connectivity trends.
- Models our values – Creates a culture that promotes the company’s values and standards through role modeling, accountability and ownership of decisions.
- Drives results – Sets aggressive goals for the integrity and data of Carrier products and is accountable for continuously driving improved security, operation and resiliency of products.
- Leads change – Ensures high standards for the protection of connected Carrier products, intellectual property and customer data.
- Communication – Strong communication skills (oral and written) with the ability to communicate with all levels within the organization. Excellent presentation skills with the ability to present to broad audiences.
Ownership of the Product Security function. This includes:
- Regularly partnering with the business and Engineering teams to understand their strategic objectives/goals, product requirements, technology needs, and emerging industry trends.
- Setting overall product security direction and risk management framework for the enterprise, to ensure consistency and safe operation of products across business units and manufacturing operations where practical.
- Define the product cyber security development and reference architecture framework, and manage traceability between business strategy and cyber security.
- Provide technical guidance for security controls capabilities for products in both a first-party and third-party cloud and traditional MSP/outsourced IT environment.
- Work collaboratively with the Product Engineering teams to design and implement enterprise security capabilities and industry security regulatory requirements into product and connected service architecture.
- Conduct an assessment of legacy products to determine mitigation strategies necessary to secure Carrier IoT products.
Ownership of the Product Security Incident Detection and Response function. This includes:
- Serve as an escalation point for product security architecture decisions that span multiple business divisions or include interoperability and data exchange with third-party systems.
- Establish and serve as a foundation stakeholder and decision maker for the Carrier product security incident response process. Establish protocols and thresholds for escalating identified cyber threats to the CISO and Legal, in both pre-production and production lifecycles.
- Lead a team to conduct and/or facilitate routine product security, interoperability and architecture risk assessments and threat modeling exercises.
- Participates in major new product development projects to ensure that appropriate security controls are built into product onboard and offboard systems.
- Establishes security standards and risk assessment processes for ongoing review of vendors and suppliers directly affecting product design, operation and safety.
- Collaborate with the CISO, Director of Security Architecture, and product stakeholders to develop the cybersecurity roadmap for the enterprise level systems to ensure alignment and support of connected product systems and capabilities.
- Working with the CISO, Legal and customer support resources, establish a secure mechanism for authorized dealers and customers to report suspected cybersecurity incidents directly involving Carrier products.
- Drives continual process improvements for the secure design and operation of Carrier products and third-party connectivity.
Qualifications & Experience:
- Demonstrated success in implementing a Secure Product Framework for commercial product hardware, firmware, applications, and connectivity protocols from design through implementation and product end-of-life.
- 12-15 years of broad technology or cybersecurity experience, especially as it relates to industrial control systems, Internet of Things (IoT) and distributed global information technology systems.
- Expertise in designing, monitoring and optimizing product security controls to protect information assets and sensitive data (including IP and transaction processing systems) in cloud-based solutions (IaaS, PaaS, SaaS)
- Experienced in managing services for security monitoring, identity and access management, and data protection from managed service provider (MSP) and cloud-based solutions
- Sound working knowledge of industry leading practices (ISO, NIST, SANS, COBIT, TOGAF), OWASP IoT Top Ten, and legislative / regulatory compliance requirements (SOX, NERC, PCI, GDPR, etc.).
- Relevant security certification is desired (e.g., CISSP, SANS GSEC, CEH, CISM, etc.)
- Broad knowledge of Digital transformation initiatives, data management, operating systems and cloud platforms (e.g., Azure, GCP).
- Strong verbal and written communication skills
- Excellent analytical and technical skills.
- Bachelor’s degree in a related field; an advanced degree in management or a related technical field will be a plus.
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.
United Technologies Corporation is an Equal Opportunity/Affirmative Action Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status, age or any other federally protected class.