Job Vacancy Product Security Analyst General Electric
Job title: Product Security Analyst
Company: General Electric
Job description:
Job Description Summary
GE Digital Grid partners with electric grid utilities and telcos to deliver mission critical industrial control system software worldwide, and is seeking a Staff Product Security Analyst to join our customer-focused security team that currently spans commercial, product, and implementation cyber security. This is a dynamic, multi-faceted field where utilities/telcos are seeking not only new cyber security functionality within our products and additional cyber service offerings, but also increased validation that demonstrates these mission critical Digital Grid products and their environment have been implemented in a secure manner, according to governmental regulations such as NERC CIP, EU’s Network & Information Systems Directive, Australian Energy Sector Cyber Security Framework (AESCSF), and Germany’s BDEW Requirements for Secure Control and Telecommunication Systems.
In this role you will join our existing information security team to help us further expand our capability and partner with GE software engineering and project teams to demonstrate secure product design and delivery to our customers.
Roles and Responsibilities
In this role, you will:
- Work with product engineering teams to ensure their product pipeline builds are considering which 3rd party and open source components, and their versions, are being pulled in
- Ensure that product teams are reviewing the output of their 3rd party and OSS security scans, and taking action on identified security issues
- Ensure deliveries to customers include a corresponding Software Bill of Materials (SBOM) in industry standard format such as CycloneDX and/or SPDX
- Pull this data into an analytics platform that allows GE to make informed decisions regarding functionality sprawl, OSS/3rd Party Version sprawl, component age, common components, etc.
- Leverage this analysis in front of customers to allay their concerns regarding security of 3rd party components
- A minimum 5 years of progressive security vulnerability experience, including experience working with control systems
- Breadth of knowledge, with some depth of proficiency in each, across technical aspects of cyber security: TCP/IP packet security, Firewall, IDS/IPS, Operating System Security (Linux, Windows), Vulnerability Assessment tools (e.g. Metasploit)
- Previous experience working with Open Source package security; OSS CVE scanners, such as JFrog Xray; SBOMs; setting up SuperSet to perform analytics on data
- Legal authorization to work in the U.S. is required. We will not sponsor individuals for employment visas, now or in the future, for this job
- Must be willing and able to travel domestically and internationally, 15%
- Successful experience working with engineering teams to integrate 3rd party / open source scanning into their builds
- Successful experience developing useful open source security metrics that can be used to inform decision making
- Ability to “trust but verify” information regarding cyber security aspects for an application/product/system/solution, corroborating across multiple sources (documentation, demo system/playpit, co-workers, etc.)
- Familiarity with a variety of technical cyber security standards, how they are applied to control systems, and how compliance with them can be demonstrated
- Demonstrated ability to take one product or solution’s template for successes and translate it into a repeatable recipe that other solutions can use to succeed in the same area
- Ability to deliver on time-sensitive projects simultaneously in a matrix management environment
- Ability to effectively communicate with customers, engineering leaders and internal stakeholders
- Experience with mission critical and/or industrial control systems, particularly EMS, DMS, OMS, DERMs, GIS, etc.
- Technical security background in one or more of the following: Enterprise Linux, Windows, Virtualization, Docker containers, Kubernetes, Networking
- Experience creating and implementing standards, policies, procedures and practices for large enterprises
- Personal cyber security certification, such as GICSP or CISSP
- Ability to work with customers who hold their vendors to a high standard regarding the vendor’s people, products, and documentation, in a collaborative effort to improve the cyber security posture of an industry, and the products/services therein
- Experience and ability to seek out necessary personnel within a globally dispersed, cross-functional organization consisting of product management, product architects, developers, testers, project management, services engineers, and customers in order to establish and maintain rapport
- Strong influence, facilitation, and interpersonal skills
- Familiarity with Lean, Agile development, and/or Scaled Agile Framework
GE offers a great work environment, professional development, challenging careers, and competitive compensation. GE is an Equal Opportunity Employer. Employment decisions are made without regard to race, color, religion, national or ethnic origin, sex, sexual orientation, gender identity or expression, age, disability, protected veteran status or other characteristics protected by law.
GE will only employ those who are legally authorized to work in the United States for this opening. Any offer of employment is conditioned upon the successful completion of a drug screen (as applicable).
Relocation Assistance Provided: No
This is a remote position
Location: Melbourne, FL
Job date: Sat, 02 Sep 2023 04:12:53 GMT