Product Security Engineer

The “Product Security Engineer” (PSE) is part of the “First Line of Barco Cyber Defense” within the Business Unit and manages technical aspects of product related security & privacy risks, aligned with the corporate strategy managed by the Security Office (second line of defense). The PSE reports to R&D management.

The Product Security Engineer is responsible for information security and privacy aspects for products within his/her Business Unit on a technical level. The PSE is the first point of contact for all technical security questions from stakeholder functions like R&D. The PSE is responsible for leading and guiding implementation of product technical security & privacy controls, oversee and guarantee adoption of the secure software development lifecycle process, compliance with applicable regulations and informs the Security Office about the progress on these domains.

Main accountabilities:

• Lead and mentor the group of R&D Security Champions and take ownership of the groups’ meetings and activities, while promoting a culture of security awareness
• Provide security insights and feedback to R&D at a highly technical level (e.g. during code reviews)
• Lead R&D teams during threat modeling security risk analyses during design/development phases in accordance with IEC 81001-5-1 and FDA’s premarket cybersecurity guidance.
• Challenge R&D teams and system architects about the why and how technical security controls should be integrated
• Design and document technical security controls in different product lines
• Drive security integration into all stages of the product lifecycle, from design to the post market stage, e.g:
  • Threat modeling
  • Code review process
  • Application security testing (SAST, DAST, …)
  • Vulnerability management (e.g. of open-source packages)
  • Vulnerability scanning (tooling and configuration)
• Provide security support during product penetration tests executed by external partners
• Take ownership of incident response management and vulnerability disclosure processes
• Take ownership for ISO 27001 ISMS/audit product development related subjects
• Contribute to the creation of security whitepapers of the different product lines
• Key contact point for security/privacy related topics during pre-sales phase
• Stay up to date with the latest security/privacy technologies, trends and regulations
• Inform the Security Office about the state of security per product

Education:

• Master's degree in IT or information security, or equivalent by experience

Experience:

• At least 3 years of experience in information security or application security, preferably with a software development or software testing background
• Experience with agile development process across international teams
• Familiar with ISO 2700x frameworks and risk assessment/treatment
• Knowledge of third-party auditing and risk assessment methodologies
• Familiar with security attack pathologies

Competencies:

• Solid understanding of security protocols, cryptography, authentication, authorization and best practices, including secure boot chains.
• Proven experience with leading and guiding a group of stakeholders from different functions through threat modeling, utilizing STRIDE or other frameworksExperience with threat modelling of cloud-based systems (SaaS, IaaS, or PaaS)
• Excellent knowledge of secure coding practices and the Common Vulnerability Scoring System (CVSS) and its application during technical vulnerability assessment
• Experience with management of 3rd party vulnerabilities through analysis of Software Bill of Materials (SBOM)
• Ability to explain security concepts and security processes to technical stakeholders such as R&D Software Engineers
• Very broad technical knowledge: from embedded devices to containerized deployments of services, from backend to frontend
• Coding skills: C, C++, JavaScript (Rust & Go a bonus)
• Highly motivated individual with a genuine enthusiasm for information security and technology
• Eager to stay up to date with the latest technologies
• Customer-centric mindset
• Good verbal, written, presentation, facilitation, and interaction skills, including ability to effectively communicate risks, issues and concepts to multiple organization levels and executive management
• Good communication skills both verbal and written English
• Ability to prioritize workloads and to know when to seek guidance

Differentiation Criteria

• Preferably holder of certifications like GIAC, CISSP, CISM, …
• Experience with cybersecurity standards from the medical device industry (e.g. MDCG 2019-16, IEC 81001-5-1, FDA premarket guidance, …).

D&I Statement

At Barco, innovation drives everything we do. We believe that diversity fuels creativity, bringing us closer to our colleagues and customers. Inclusion and equity aren't just values—they're core capabilities that propel us toward our shared goals and mission.

Read here how we do this