Cybersecurity Engineer

Verathon, Inc. | Bothell, WA
$124,105 - $151,300 | Onsite

About The Position

Verathon is looking for a Cybersecurity Engineer to join their R&D Team in Bothell, Washington. This role is responsible for leading system-level cybersecurity engineering activities for the design and maintenance of secure medical devices across Verathon's product portfolio. The Cybersecurity Engineer will be the primary owner of product security architecture, system threat modeling, and translating FDA and consensus standards guidance into actionable security requirements and verification evidence. This role collaborates closely with Software Engineering, Quality, and Regulatory teams to ensure Verathon's products are designed and documented to meet regulatory expectations throughout their lifecycle, from initial design to post-market sustaining activities.

Requirements

  • Bachelor's degree in Systems Engineering, Electrical Engineering, Computer Engineering, or a related technical discipline is required
  • 5+ years of demonstrated experience in cybersecurity engineering, product security engineering, or a related field, with at least 3 years focused on cybersecurity for connected or regulated products
  • Demonstrated experience with system-level threat modeling methodologies (e.g., STRIDE, PASTA, or TARA as defined in IEC 81001-5-1 / AAMI SW96)
  • Working knowledge of medical device cybersecurity regulatory requirements, including FDA premarket and postmarket cybersecurity guidance, IEC 81001-5-1, AAMI SW96, and IEC 62443
  • Experience defining security requirements and producing verification evidence in a regulated product development environment (FDA QSR / ISO 13485 QMS preferred)
  • Experience with CVE/NVD triage and vulnerability impact assessment at the system level including CVSS-based vulnerability scoring and cybersecurity risk assessment methodologies
  • Working knowledge of networking fundamentals (ports, protocols, firewalls) and OS-level security concepts across Linux and/or Windows environments relevant to connected medical devices
  • Working knowledge of architecture and modeling tools (e.g., Visio, PlantUML, or basic SysML) for producing security architecture and threat-model artifacts
  • Strong written communication skills with demonstrated ability to produce clear, audit-ready technical documentation

Nice To Haves

  • Experience supporting or managing third-party penetration testing engagements, including findings triage and remediation scoping, is strongly preferred
  • Relevant security certification (e.g., CISSP, CISM, CEH, CompTIA Security+, or equivalent) is preferred; candidates with equivalent demonstrated experience will be considered
  • Familiarity with SBOM concepts and supply chain security considerations for medical devices is an asset

Responsibilities

  • Define product security architecture, including identification of software and hardware assets, trust boundaries, control objectives, and interface documentation; specify and review designs for authentication, authorization, cryptography, secure update mechanisms, event logging, data integrity, and system hardening (including STIG-based hardening where applicable)
  • Lead system-level threat modeling (e.g., STRIDE / MITRE ATT&CK for ICS) and allocate mitigations across hardware, firmware, and software; ensure trust-boundary assumptions are explicit, traceable, and testable
  • Derive cybersecurity requirements from FDA guidance and consensus standards (IEC 62443, IEC 81001-5-1, AAMI SW96); define verification strategies specifying required evidence, timing, and ownership
  • Produce and maintain design-level product security documentation including architecture views, control rationale, security requirements traceability matrices, and interface/external connection records
  • Own the engineering interface during penetration testing and other third-party security engagements: lead scope clarification, environment setup, and technical Q&A; assess design impact of findings; define remediation technical approach and support retest readiness
  • When post-release remediation is required, define technical scope and verification approach; coordinate with engineering and release functions to ensure validated deployment and documentation closure
  • Lead interoperability security assessments for device interfaces with external systems, networks, and devices; evaluate security and safety risks across normal and fault operating modes and define appropriate risk controls for interface trust boundaries
  • Conduct CVE impact analysis for fielded products; assess applicability of newly disclosed vulnerabilities to system-level components and architecture; support prioritization and remediation scoping
  • Contribute to release readiness for security-driven sustaining updates, including inputs to patch packaging, documentation updates, and design change records
  • Collaborate with the Software team to ensure security requirements are correctly allocated and verification evidence is complete across the system
  • Work cross-functionally across Systems, Software, Quality, and Regulatory disciplines to align on security architecture decisions and ensure consistent implementation
  • Own and maintain the Product Security Management Plan and associated Product Security Management File, ensuring all required cybersecurity activities are planned, traceable, and audit-ready
  • Support Verathon's Quality Management System (QMS), including participation in design reviews, ECO procedures, and DHF/regulatory submission artifact preparation
  • Stay current with evolving FDA cybersecurity guidance, EU MDR and MDCG 2019-16, NIST CSF, and relevant medical device security standards; identify implications for Verathon products and processes

Benefits

  • medical
  • dental
  • vision
  • basic life insurance
  • paid holidays
  • paid time off
  • 401(k) matching plan
  • annual bonus plan