Product Security Analyst
Artech LLC
Lakewood, CO
JOB DETAILS
SALARY
$105,800–$132,300 Per Year
LOCATION
Lakewood, CO
POSTED
30+ days ago
Please Note - Applicants must be USC or GC Holders
Job Summary
The Product Security Analyst partners with R&D, Quality, Regulatory, and other cross-functional teams to define, implement, and support cybersecurity activities throughout the entire product lifecycle—from concept through decommissioning. This role drives secure-by-design practices, facilitates product security risk management, and ensures compliance with internal Product Security Lifecycle Procedures and related work instructions.
Essential Duties
- Define and maintain objective, testable, technology-agnostic product security requirements, ensuring traceability to security needs, risks, and regulatory expectations.
- Analyze technical issues, document findings, and collaborate with engineering and product teams to implement risk-based, secure-by-design solutions.
- Support development and maintenance of Product Security Plans, Threat Models, Product Security Reports, and other lifecycle deliverables, ensuring they remain accurate and up to date.
- Assist engineering teams with vulnerability identification and analysis, support post-market risk assessments, and contribute to post-market activities such as vulnerability management, threat intelligence intake, and patch planning.
- Assess third-party components and suppliers, support SBOM creation and maintenance, monitor component lifecycle risk, and help identify vulnerabilities or end-of-support concerns.
- Contribute to customer-facing and regulatory documentation, including labeling content and cybersecurity deliverables for submissions; communicate technical findings verbally and in writing.
- Maintain and support updates to product security procedures, work instructions, and technical guidance documents to support continuous improvement and compliance with evolving standards.
- Provide technical input and guidance to engineering teams and collaborate with R&D, Quality, Safety, and Regulatory partners to maintain a cohesive product security posture.
Other Duties and Responsibilities
- Support development and maintenance of the product security testing lab environment.
- Participate in regulatory, safety, and design reviews.
- May conduct penetration testing under guidance or support third-party penetration testing engagements.
- May participate in product incident response activities.
- May support Product Security representation in customer, auditor, or regulatory discussions.
Preferred / Nice to Have Experience & Skills
- Experience with PKI and certificate management for medical or embedded devices, including provisioning, rotation, secure storage, and certificate-based authentication.
- Familiarity with Azure Cloud Services, including IAM, secure architecture patterns, and hardening of cloud-hosted applications and services.
- Hands-on experience supporting or maintaining a Product Security Lab environment.
- Practical experience with embedded device security, secure boot, cryptographic services, firmware integrity, or hardware security features.
- Understanding of medical device cybersecurity standards such as FDA Premarket and Post-Market Guidance, IMDRF, AAMI TIR57/TIR97, ISO/IEC 81001-5-1, and SBOM standards (SPDX, CycloneDX).
- Familiarity with DevOps/DevSecOps pipelines, including CI/CD security tooling and automation.
- Experience developing or maintaining secure communication protocols (e.g., TLS, mutual authentication, key exchange mechanisms).
- Experience with risk analysis and mitigation methodologies.
- Strong quality mindset and focus on continuous improvement.
- Effective verbal and written communication skills.
Minimum Qualification Requirements
Education
- Bachelor’s degree in Computer Science or a related field, or equivalent education and experience.
Experience
- Minimum 3 years of relevant experience.
- Experience supporting product security or cybersecurity practices in a regulated industry/environment.
- Familiarity with global security standards and frameworks such as ISO 81001-5-1, AAMI TIR57, NIST CSF, and FDA pre-/post-market guidance (preferred).
- Professional cybersecurity certification (e.g., CISSP, CEH) preferred.