Lead, Threat and Vulnerability Management

**Lead, Threat and Vulnerability Management**

Johnson & Johnson is currently recruiting for a Manager, Threat and Vulnerability Management within the Information Security and Risk Management (ISRM) organization. This position is based in São José dos Campos, Brazil.

Caring for the world, one person at a time, has inspired and united the people of Johnson & Johnson for over 135 years. We embrace research and science - bringing innovative ideas, products, and services to advance the health and well-being of people.

At Johnson & Johnson, we believe good health is the foundation of vibrant lives, thriving communities, and forward progress. That's why for more than 135 years, we have aimed to keep people well at every age and every stage of life. Today, as the world's largest and most broadly-based healthcare company, we are committed to using our reach and size for good. We strive to improve access and affordability, create healthier communities, and put a healthy mind, body, and environment within reach of everyone, everywhere. Every day, our more than 130,000 employees across the world are blending heart, science, and ingenuity to profoundly change the trajectory of health for humanity.

Thriving on a diverse company culture, celebrating the uniqueness of our employees, and committed to inclusion, J&J is proud to be an equal opportunity employer.

**Key Responsibilities**:

- Perform security testing and continuous security monitoring to validate and enhance the effectiveness of cybersecurity controls against current and emerging cyber-attacks, tactics, and techniques.
- Conduct security assessments, determine deviations from J&J policies, assess the level of risk, and recommend appropriate mitigation countermeasures.
- Operate, maintain, tune, and improve vulnerability management programs, platforms, solutions, and services to qualify and quantify the risk, and impact of vulnerabilities.
- Design and implement breach and attack simulation scenarios to test and strengthen the organization’s security posture.
- Test and validate the efficiency of security controls based on emerging threats and throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond.
- Develop and maintain reports, metrics, key performance indicators, key risk indicators, trends, operations status, playbooks, work instructions, and operational procedures.
- Maintain knowledge of applicable ISRM policies, regulations, and compliance documents specifically related to security.

**Qualifications**:
**Required**:

- A minimum of a bachelor's degree or equivalent experience is required
- A minimum of 6 years of related hands-on experience with Information Security is required.
- Analytical skills, experience with data-driven decision making.
- Strong understanding and experience with cloud technology and controls: AWS, Azure, and GCP.
- Knowledge of OWASP Top 10, CVSS, CWE, and CVE operational
- Vulnerability scoring.
- Knowledge of STRIDE/DREAD Threat Modeling.
- Knowledge of MITRE ATT&CK and associated Tactics, Techniques, and Procedures (TTP).
- Strong knowledge of information security principles, debugging, root cause analysis, and troubleshooting skills are required.
- Technical experience in the installation, configuration, and operation of security solutions in a sizable complex environment.
- Experience with Windows, Unix, virtualization technologies, scripting, PowerShell, and API integration.
- Must have a strong work ethic and communication (written and verbal), allowing them to communicate with technical and non-technical audiences.
- Excellent interpersonal, creative problem-solving skills and Customer focus (internal & external).

**Preferred**:

- Experience with scripting languages (e. g., Python).
- Experience with Windows, Linux, virtualization technologies, scripting, and API integration.
- Experience effectively working with virtual, global teams - including diverse groups of people with varied backgrounds and cultural experiences.

**Other**:

- Security certifications such as CISSP, CISA, GEVA, GCIA, GPEN, GWAPT, GDCA, GDAT, and GCCC or equivalent knowledge, experience, and abilities are preferred.

Johnson & Johnson is an Affirmative Action and Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, or protected veteran status and will not be discriminated against based on disability.